Activity Processors: Error Processor: Incident - Suspicious Response Status

Complexity: Suspicious (1.0)

Default Response: 10x 404 = Resource Enumeration Incident.

Cause: WebApp Secure monitors the status codes returned by the protected website and compares them to a configurable list of known and acceptable status codes. Some status codes are expected during normal use of the site (such as 200 - OK or 304 - Not Modified), while others are much less common for a normal user (such as 500 - Internal Server Error or 404 - Not Found). When a request results in a status code that this parameter marks as Suspicious or Illegal, the corresponding incident is triggered. If the code is not in the collection at all, the Unknown incident is triggered.

Behavior: While probing a web server for vulnerabilities, attackers routinely trigger errors. A single error or two is not by itself a problem, because legitimate users occasionally mistype a URL. When a client receives an excessive number of unexpected status codes, however, its behavior can be narrowed down and classified as malicious. The status codes being returned also hint at what the attacker is looking for: a client receiving many 404 responses is likely searching for unlinked files ("Predictable Resource Location"), while a client receiving many 500 responses is likely probing for an exploitable "SQL Injection" or "XSS" vulnerability. In the case of this incident, the user is receiving an unexpected status code, most likely because of a bug in the web application which the user has found and is attempting to exploit. Review the URL for which this incident was created to determine why it responds with a non-standard status code. If the non-standard status code is intentional and acceptable behavior, add it to the list of known and accepted status codes in the configuration.
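To make the classification and counting concrete, here is an added Python example that is not part of this documentation and not WebApp Secure's own code. It applies the logic described in the Cause and Behavior sections above to a few constructed Common Log Format lines: each response code is classified as known, suspicious, illegal or unknown; suspicious and illegal codes are counted per client and raise an incident at a threshold (10 by default, matching "10x 404 = Resource Enumeration"); an unknown code raises its incident immediately with the URL to review. The status-code lists, the threshold, the log format and the sample addresses are assumptions for illustration; the product's real defaults and configuration keys are not shown on this page.

```python
import re
from collections import Counter, defaultdict

# Assumed status-code lists, modelled on the description above.
# The real product's defaults are not shown on this page.
KNOWN_CODES = {200, 201, 204, 301, 302, 304}
SUSPICIOUS_CODES = {400, 401, 403, 404, 405}
ILLEGAL_CODES = {500, 501, 502, 503}
DEFAULT_THRESHOLD = 10  # "10x 404 = Resource Enumeration Incident"

# What a run of a given code usually indicates, per the Behavior text.
LIKELY_GOAL = {
    404: "Resource Enumeration (Predictable Resource Location)",
    500: "Injection probing (SQL Injection / XSS)",
}

# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+$'
)


def classify(status):
    """Map a status code onto the configured categories."""
    if status in KNOWN_CODES:
        return "known"
    if status in SUSPICIOUS_CODES:
        return "suspicious"
    if status in ILLEGAL_CODES:
        return "illegal"
    return "unknown"


def process_log(lines, threshold=DEFAULT_THRESHOLD):
    """Return the list of incidents raised while scanning the log lines in order."""
    per_client = defaultdict(Counter)  # ip -> Counter of status code -> hits
    incidents = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: ignore rather than guess
        ip, path, status = m["ip"], m["path"], int(m["status"])
        kind = classify(status)
        if kind == "known":
            continue
        if kind == "unknown":
            # A code outside every configured list fires at once; the URL is
            # what an operator should review, and the code may need adding
            # to the known list if it is intentional.
            incidents.append({"type": "Unknown Response Status", "client": ip,
                              "status": status, "url": path})
            continue
        per_client[ip][status] += 1
        # Fire exactly once when the per-client count reaches the threshold,
        # so a single mistyped URL from a legitimate user never raises it.
        if per_client[ip][status] == threshold:
            incidents.append({"type": f"{kind.title()} Response Status",
                              "client": ip, "status": status, "count": threshold,
                              "last_url": path,
                              "likely_goal": LIKELY_GOAL.get(status, "unclassified")})
    return incidents


# Constructed sample log: one client enumerating unlinked files (ten 404s),
# one legitimate user with a single typo, and one request that returns a
# code outside every configured list.
SAMPLE_LOG = (
    ['203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512']
    + [f'203.0.113.5 - - [10/Oct/2023:13:55:{37 + i:02d} +0000] "GET /{name} HTTP/1.1" 404 0'
       for i, name in enumerate(["admin/", "backup.zip", ".git/config", "phpmyadmin/",
                                 "wp-login.php", "config.bak", ".env", "db.sql",
                                 "test.php", "old/"])]
    + ['198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /abuot.html HTTP/1.1" 404 0',
       '198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /about.html HTTP/1.1" 200 2048',
       '203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "GET /api/items HTTP/1.1" 299 12']
)

if __name__ == "__main__":
    for incident in process_log(SAMPLE_LOG):
        print(incident)
```

Run as a script, the sample yields two incidents: a Suspicious Response Status for 203.0.113.5 on its tenth 404 (tagged as likely resource enumeration) and an Unknown Response Status for the 299 returned on /api/items; the single 404 from 198.51.100.7 stays below the threshold, as the Behavior text intends.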