Response Code Verification
In cybersecurity, response code verification is the practice of systematically checking the HTTP status codes returned by web servers and applications to identify security issues or misconfigurations. Instead of just confirming that a website is "up," this process looks at the specific three-digit code (e.g., 200, 404, 500) to understand how the server is behaving.
Every time a web browser or a security tool sends a request to a server, the server responds with an HTTP status code. These codes are part of the communication protocol and provide information about the request's outcome. By analyzing them, a security professional can:
Identify Misconfigurations: A server might return a "200 OK" code for a page that should be restricted, indicating a lack of proper access control.
Find Hidden Directories: A "403 Forbidden" code might reveal a directory that is protected but still exists, while a "404 Not Found" would confirm it doesn't.
Uncover Redirect Chains: A "301 Moved Permanently" or "302 Found" code can show a series of redirections, which could be an indicator of a phishing scam or a compromised page.
Pinpoint Errors: A "500 Internal Server Error" or similar codes can expose detailed error messages that might contain sensitive information like file paths or database credentials, which an attacker could use.
This process is a key part of the initial reconnaissance phase of an external security assessment. By scrutinizing these codes, a security professional can quickly identify anomalies and potential vulnerabilities that are not immediately obvious from a simple glance at a website.
ThreatNG helps with response code verification by using its external discovery and assessment capabilities to catalog HTTP response codes from each discovered subdomain. This process is essential for identifying misconfigurations and security weaknesses from an external perspective.
External Discovery and Assessment
ThreatNG performs purely external unauthenticated discovery to find an organization's publicly exposed assets. As part of this process, it catalogs the HTTP response codes (100-599) received from each subdomain. This allows for a deeper analysis of server behavior beyond just a basic "up or down" check.
Examples of how ThreatNG's assessments help with response code verification:
Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application to identify potential entry points for attackers. During this process, it will verify response codes to see if they indicate a misconfigured or vulnerable application. For instance, a subdomain that returns a
200 OKcode for a login page instead of a302 Foundredirect after a successful login could signal a misconfiguration that an attacker could use.Cyber Risk Exposure: This assessment considers various parameters, including subdomain headers and vulnerabilities, to determine cyber risk exposure. Response code verification is a key component, as an error code like
500 Internal Server Errormight expose a detailed stack trace or other sensitive information, which would increase the subdomain's risk score.Subdomain Takeover Susceptibility: ThreatNG analyzes DNS records, SSL certificates, and other factors to evaluate this susceptibility. A subdomain returning a
404 Not Foundcode could indicate it's pointing to a non-existent service, making it a target for a subdomain takeover, which ThreatNG would flag for a deeper security assessment.
Investigation Modules and Intelligence Repositories
ThreatNG's Investigation Modules provide detailed analysis that enriches the data from response code verification, and the Intelligence Repositories offer valuable context.
Subdomain Intelligence: This module provides a detailed breakdown of a subdomain's HTTP responses. It identifies various response types, including HTTP/HTTPS Errors and Empty HTTP/HTTPS Responses. This capability allows a security team to pinpoint where a server is behaving unexpectedly immediately. For example, a subdomain that should be serving a static website but returns a
403 Forbiddenerror might indicate an access control issue.DarCache (Intelligence Repositories): The information in these repositories adds context to the identified response codes. For example, if a subdomain returns a response code that's related to a known vulnerability (as tracked in DarCache Vulnerability), it would be prioritized.
Reporting and Continuous Monitoring
ThreatNG offers different reports, including a Prioritized report that categorizes findings as high, medium, low, or informational. This ensures that any concerning response codes are highlighted in a clear, actionable format.
Continuous monitoring ensures that as an organization's external attack surface changes, any new subdomains or changes to existing ones that result in new or different HTTP response codes are immediately flagged for review.
Complementary Solutions
ThreatNG's findings can be used with other cybersecurity solutions to enhance response code verification.
Dynamic Application Security Testing (DAST) Solutions: The discovery of an unusual or concerning HTTP response code from ThreatNG could trigger a more detailed, targeted DAST scan on that specific web application. For example, if ThreatNG identifies a subdomain returning a
500 Internal Server Error, a DAST tool could be used to repeatedly test the page with various inputs to determine if a specific vulnerability is causing the error.Security Information and Event Management (SIEM) Systems: Critical findings from ThreatNG, such as a large number of
401 Unauthorizedresponses on a public-facing API endpoint, could be sent to a SIEM. This allows security teams to correlate the external behavior with internal logs to detect a potential brute-force attack or other malicious activity.Web Application Firewalls (WAFs): ThreatNG's response code analysis can inform the configuration of a WAF. For example, if ThreatNG identifies a pattern of suspicious
302 Foundredirects, a WAF rule could be configured to block or flag similar redirection attempts, mitigating a potential phishing attack.
