500 Internal Server Error -> default matched status codes #510
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
joohoi
approved these changes
Jan 22, 2022
Member
joohoi
left a comment
There was a problem hiding this comment.
Thanks for the pull request, I agree with your reasoning here, and the PR looks good
joohoi
pushed a commit
that referenced
this pull request
Feb 3, 2023
* match 500 status code responses by default * include 500 into default match codes * match 500: update help message * Update CHANGELOG.md
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add 500 Internal Server Error to list of status codes matched by default
Why?
500 status code is frequently observed when the app doesn't behave normally which is often interesting for a security auditor
Not having 500 matched by default may let us miss some important stuff
During an assessment I first miss a 500 status with the default matcher I then found with
-mc all -fc 400.There is no option to add a matching status code (matching += 500) so either we have to do something like
-mc all -fc 400or to specify the full matching list again eg.-mc 200,204,301,302,307,401,403,405,500. That why having 500 in the default list, as 403 and 401 if it generates too much false positives it's easier to have it by default and exclude it with-fc 500then.I added it it in my
~/.ffufrcbut I think it's better to have it by default.