For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AskingQuestion_'s avatar
AskingQuestion_
Icon for Nimbostratus rankNimbostratus
Nov 09, 2015

What is the reason HTTP Status 500 defined as an illegal http status in response in ASM?

We have an application generating status 500 code, which was defined as illegal http status in response by ASM. By reading some information, it seems that ASM defines 4xx - 5xx all as illegal by def...
ASM Advanced WAF
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Nov 09, 2015

HTTP 500 means one thing - your application has crashed. Leaking this to the Internet is really bad and it can be easily exploited by hackers. This is an OWASP Top 10 Vulnerability, which is especially dangerous if stack traces are shown, as the attacker can use the HTTP 500 error to pinpoint the location of the vulnerability in your application code.

 

This is a Medium risk level vulnerability, you can read more about it on OWASP Top 10 page here:

 

https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

 

Information Leakage Threat:

 

http://projects.webappsec.org/w/page/13246936/Information%20Leakage

 

Hope this helps,

 

Sam