Activity Processors: Error Processor: Incident - Illegal Response Status

Complexity: Suspicious (1.0)

Default Response: None.

Cause: WebApp Secure monitors the various status codes returned by the protected website and compares them to a configurable list of known and acceptable status codes. Some status codes are expected during normal usage of the site (such as 200 - OK, or 403 - Not Modified), but others are much less common for a normal user (such as 500 - Server Error, or 404 - File Not Found). When a user issues a request that results in a status code marked as Suspicious or Illegal in this parameter, the corresponding incident is triggered. If the code is not in this collection at all, the Unknown incident is triggered.

Behavior: In the process of attempting to find vulnerabilities on a web server, hackers will often encounter errors. A single error or two is likely not a problem, because even legitimate users occasionally mistype a URL. However, when excessive numbers of unexpected status codes are returned, the user's behavior can be narrowed down and classified as malicious. The actual vulnerability an attacker is looking for can often be identified through the status codes they are receiving. For example, if the user is getting a lot of 404 errors, they are likely searching for unlinked files ("Predictable Resource Location"). If the user is getting a lot of 500 errors, they may be trying to establish a successful "SQL Injection" or "XSS" vulnerability.
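The following is an added illustration of the detection logic described in the Cause and Behavior sections above; it is not WebApp Secure's own code. It classifies each response status code against a configurable table (acceptable / suspicious / illegal, anything else unknown), counts non-acceptable responses per client, raises the corresponding incident once an assumed threshold is crossed (so a single mistyped URL does not fire), and attaches the probing hint the page associates with the dominant code. The classification table, thresholds, log format and hint table are all assumptions for the example, and the log lines are constructed.

```python
"""Added example (not WebApp Secure's code): classify HTTP response status codes
against a configurable list and raise per-client incidents over sample log lines."""
from collections import Counter, defaultdict

# Assumed classification table. The product's real list is configurable and
# its defaults are not given on the page.
STATUS_CLASSES = {
    200: "acceptable", 301: "acceptable", 302: "acceptable", 304: "acceptable",
    403: "suspicious", 404: "suspicious",
    500: "illegal", 501: "illegal",
}

# Assumed thresholds: an error or two is tolerated, a run of them is not.
THRESHOLDS = {"suspicious": 5, "illegal": 3, "unknown": 3}

# What an excess of a given code usually indicates, taken from the page's text.
PROBE_HINTS = {404: "Predictable Resource Location", 500: "SQL Injection / XSS probing"}

# Constructed sample log, format "<client_ip> <method> <path> <status>".
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.5 GET /contat.html 404",      # one typo: legitimate user
    "10.0.0.9 GET /admin/ 404",
    "10.0.0.9 GET /backup/ 404",
    "10.0.0.9 GET /test/ 404",
    "10.0.0.9 GET /old/ 404",
    "10.0.0.9 GET /tmp/ 404",             # five unlinked-file guesses
    "10.0.0.9 GET /index.html 200",
    "10.0.0.12 GET /item?id=1 200",
    "10.0.0.12 GET /item?id=a 500",
    "10.0.0.12 GET /item?id=b 500",
    "10.0.0.12 GET /item?id=c 500",       # three server errors on one parameter
    "10.0.0.12 GET /item?id=d 418",       # not in the table: counts as unknown
]


def classify(status):
    """Map a status code to acceptable / suspicious / illegal / unknown."""
    return STATUS_CLASSES.get(status, "unknown")


def parse_line(line):
    """Split one constructed log line into (ip, method, path, int status)."""
    ip, method, path, status = line.split()
    return ip, method, path, int(status)


def analyze(lines, thresholds=THRESHOLDS):
    """Return a list of incident dicts, one per (client, class) over threshold."""
    per_client = defaultdict(lambda: {"counts": Counter(), "codes": Counter()})
    for line in lines:
        ip, _, _, status = parse_line(line)
        cls = classify(status)
        per_client[ip]["codes"][status] += 1
        if cls != "acceptable":
            per_client[ip]["counts"][cls] += 1

    incidents = []
    for ip, data in per_client.items():
        for cls, n in data["counts"].items():
            if n < thresholds[cls]:
                continue
            # The most frequent code in this class drives the probing hint.
            top = max((c for c in data["codes"] if classify(c) == cls),
                      key=data["codes"].__getitem__)
            incidents.append({
                "client": ip,
                "incident": f"{cls.title()} Response Status",
                "count": n,
                "top_code": top,
                "hint": PROBE_HINTS.get(top, "unknown"),
            })
    return incidents


if __name__ == "__main__":
    for inc in analyze(SAMPLE_LOG):
        print(inc)
```

Running it reports a Suspicious Response Status incident for 10.0.0.9 (five 404s, hinting at Predictable Resource Location) and an Illegal Response Status incident for 10.0.0.12 (three 500s), while 10.0.0.5's single 404 and 10.0.0.12's lone unknown 418 stay below their thresholds. Tuning the thresholds per class is what keeps ordinary typos from generating noise while still catching sustained probing.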