Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

René_Posthumus's avatar
René_Posthumus
Icon for Altostratus rankAltostratus
Nov 20, 2019

Need to rewrite a 500 status to 200, but how ?

Hi,   We have some applications depending on .NET framework that send normal messages like "username does not exist" with a response code 500, while these are legit responses. It seems to have so...
application delivery
irules
LTM
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Nov 20, 2019

An HTTP 500 status is an internal error status, and would not usually contain a html payload for display.

 

What is the content type and payload of the 500 response?

 

That iRule is the best option, but the actual HTTP::payload probably isn't something that you can send back to the client (unlike a 404, where the response body is expected to be valid HTML).

 

You can craft a 200 response, but may need to wrap the HTTP::payload in some suitable HTML tags to get then to display properly.

René_Posthumus's avatar
René_Posthumus
Icon for Altostratus rankAltostratus
Nov 20, 2019

 

Hi S,

 

The payload is just text/html but i'm not that handy with iRules to be able to construct such a response. Can you ?

 

HTTP/1.1 500 Internal Server Error

Cache-Control: private

Content-Type: text/html; charset=utf-8

X-AspNet-Version: 4.0.30319

X-Frame-Options: SAMEORIGIN

Date: Thu, 21 Nov 2019 06:46:55 GMT

Content-Length: 17554

X-Content-Type-Options: nosniff

X-XSS-Protection: 1;mode=block

Strict-Transport-Security: max-age=31536000

<!DOCTYPE html>

<html>

(content)

</html>

  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Nov 21, 2019

    I don't see why that wouldn't work, but disabling chunking on the request might interfere with the application ...

    # iRule to convert 500s to 200s
when HTTP_REQUEST {
  # Don't allow data to be chunked
  if { [HTTP::version] eq "1.1" } {
    if { [HTTP::header is_keepalive] } {
      HTTP::header replace "Connection" "Keep-Alive"
    }
     HTTP::version "1.0"
  }
}
when HTTP_RESPONSE {
   # grab response of a 500
   if {[HTTP::status] == 500}{
      HTTP::collect [HTTP::header Content-Length]
   }
}
 
when HTTP_RESPONSE_DATA {
   # change response to 200 and send
   HTTP::respond 200 content [HTTP::payload] "Content-Length" [HTTP::header Content-Length] "Content-Type" "text/html"
}

    Just a comment on the wisdom of replacing a status 500 with a status 200 - I know it's your your web application, but application frameworks use a specific response for a reason - if you get a 500 error response, it should only be because the server context is now broken and nothing further should be attempted. It's not like a 401 Authentication Required where the application can proceed with additional credentials.

    And leaking information like that (username does not exist) is just asking to be abused by an attacker. I'd think very carefully before making that sort of change.