Internal Server Errors are scanned as part of the Security Misconfiguration Vulnerabilities Security Tests used to evaluate the Web Application Security Risk Vector.
This security test assesses whether the web application returns an HTTP 500-series status code (e.g., 500, 502, 503, 504) for any request made during the scanning process. A 500 usually indicates an unhandled exception in the application itself; 502, 503 and 504 usually indicate that a gateway, proxy or load balancer could not get a timely, valid response from the backend. Either way, the server failed on a request that should have succeeded during normal operation.
Need to fix this?
- Confirm that the scanned URL or hostname is reachable and that the backend behind any proxy or load balancer is up, since 502/503/504 responses often point at an upstream or capacity problem rather than an application bug.
- Review the errors that are produced, including the server-side logs for the failed requests, and fix the underlying exceptions rather than only suppressing the error page.
Please note that the error itself does not necessarily mean there is a vulnerability, but a verbose error response may expose information (stack traces, file paths, framework and database versions) that could be of use to an attacker.
What is the risk? While a 500 error may not directly expose sensitive data, it reveals that the application is not properly handling certain inputs or conditions. This can:
- Signal poor resilience or lack of input validation,
- Lead to inadvertent information disclosure through verbose error messages,
- Provide clues to attackers about the underlying infrastructure.
How can I check for internal server errors in my web application? Use the Network tab (or the Console) in Chrome Developer Tools to see whether any request made while the page loads returns a 500-series status code, including requests for scripts, API calls and other sub-resources, not just the main document. Then review the server logs to identify the root causes and resolve them with proper exception handling. Configure custom error responses so that stack traces, file paths, framework versions and similar internal details are never sent to the client; the full details should go only to the server-side log.
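As an added example (not part of the original article), the following Python script shows both halves of the check above: a function that finds 500-series responses in web server access logs written in the common "combined" format, run here over a few constructed sample lines, and a minimal WSGI application that catches unhandled exceptions, writes the traceback to the server log under a correlation id, and returns a generic 500 page to the client. The WSGI application, its `risky_view` handler and the log lines are all hypothetical and exist only to illustrate the technique.

```python
import logging
import re
import traceback
import uuid
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:13:55:37 +0000] "GET /api/items?id=1 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:13:55:38 +0000] "GET /api/items?id=abc HTTP/1.1" 500 1533 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:13:56:01 +0000] "POST /login HTTP/1.1" 502 150 "-" "curl/8.0"
198.51.100.9 - - [10/May/2024:13:56:02 +0000] "GET /reports HTTP/1.1" 504 0 "-" "curl/8.0"
198.51.100.9 - - [10/May/2024:13:56:03 +0000] "GET /api/items?id=abc HTTP/1.1" 500 1533 "-" "curl/8.0"
"""

# ip ident user [timestamp] "METHOD target PROTOCOL" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_server_errors(log_text):
    """Count 5xx responses per (status, path). Query strings are stripped so that
    repeated failures on one endpoint are grouped together."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        status = int(m.group("status"))
        if 500 <= status <= 599:
            path = m.group("target").split("?", 1)[0]
            hits[(status, path)] += 1
    return hits


log = logging.getLogger("app")


def risky_view(environ):
    """Hypothetical handler: raises ValueError on a non-numeric id, standing in
    for any unhandled bug that would otherwise produce a verbose 500 page."""
    qs = environ.get("QUERY_STRING", "")
    item_id = int(qs.split("id=", 1)[1]) if "id=" in qs else 0
    return f"item {item_id}".encode()


def application(environ, start_response):
    """WSGI app with a catch-all handler: the traceback goes only to the server
    log, keyed by a correlation id; the client gets a generic message and the id."""
    try:
        body = risky_view(environ)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s path=%s\n%s", ref, environ.get("PATH_INFO"), traceback.format_exc())
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [f"Internal error. Reference: {ref}".encode()]


def invoke(environ):
    """Call the WSGI app directly (no server needed) and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(application(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for (status, path), n in sorted(find_server_errors(SAMPLE_LOG).items()):
        print(f"{status} {path}: {n} occurrence(s)")
    print(invoke({"PATH_INFO": "/api/items", "QUERY_STRING": "id=abc"}))
```

Run it as a script to list the failing endpoints and to see that the client-facing response for the failing request carries a reference id but no traceback; grep the server log for that id to find the full exception.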
Does this impact my WAS Risk Vector Grade? Yes.
Possible Grades:
- A single WARN finding (Weight = 10) is issued for any website with at least one internal server error.
What will I see in the Portal?
Details: HTTP Internal Server Errors (500, 502, 503, 504) were found during scanning. This may represent bugs or other errors.