"Internal Server Error 43549" response from Gateway with malformed request "/epatype?Param"

Article ID: CTX473053

Description

A security scan reports a vulnerability on the ADC: "Web Server Misconfiguration - Server Error Message" when the HTTP request URL includes "/epatype?".

Resolution

This response should NOT be viewed as a potential vulnerability.

The URL "/epatype" corresponds to an HTTP request made during an EPA (Endpoint Analysis) scan.
Provided that the request is accurate, you should anticipate receiving a "200 OK" response from the NetScaler.
A "500 Internal Server Error" is a common response from an ADC (Application Delivery Controller) when the requested URL is incorrect (as in Pic.1 below, where "FakeParam" is appended to the URL).

Pic.1

In the event that this is still regarded as a security concern demanding a resolution, one potential approach is to bind a responder policy to the vServer. This policy would be designed to reset requests upon detection of the "/epatype?" string in the HTTP URL. However, it's crucial to note that taking this step is strongly discouraged due to the potential repercussions it might have on EPA scanning.
 

Problem Cause

A security scan reports a vulnerability on the ADC: "Web Server Misconfiguration - Server Error Message" when the HTTP request URL includes "/epatype?". The report points out that a 500 error response lets an attacker learn whether certain inputs trigger a server error, which can aid or inform the attacker of potential vulnerabilities. "/epatype" is an HTTP request URL used during an EPA scan, and a 500 error is a general response from the ADC when the request URL is incorrect; it should not be considered a potential vulnerability.

Additional Information

Scanning Report Example
Request:
GET /epatype? class['classLoader'].resources.context.useHttpOnly=true&class ['classLoader'].context.sessionHandler.sessionManager.httpOnly=true&class ['classLoader'].resources.dirContext.aliases=/PRbjx^bx^bxbjbfcgbdehRP=/ HTTP/1.1
Response:
HTTP/1.1 500 Internal Server Error
Content-Length: 71
Connec...TRUNCATED..

Summary:
A server error response was detected. The server could be experiencing errors due to a misbehaving application, a misconfiguration, or a malicious value sent during the auditing process. While error responses in and of themselves are not dangerous, per se, the error responses give attackers insight into how the application handles error conditions. Errors that can be remotely triggered by an attacker can also potentially lead to a denial of service attack or other more severe vulnerability. Recommendations include designing and adding consistent error handling mechanisms which are capable of handling any user input to your web application, providing meaningful detail to end-users, and preventing error messages that might provide information useful to an attacker from being displayed.

Implication:
The server has issued a 500 error response. While the body content of the error page may not expose any information about the technical error, the fact that an error occurred is confirmed by the 500 status code. Knowing whether certain inputs trigger a server error can aid or inform an attacker of potential vulnerabilities.
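
A triage helper for the finding described in this article, as an added example that is not Citrix code: it recognises the "/epatype?" request with a 500 status in raw scanner output, including payloads with unencoded spaces like the one in the report above, and tags it with this article's ID. The finding layout, function names and result labels are assumptions; the sample findings are constructed, the first one abbreviated from the report on this page.

```python
import re

KB_ID = "CTX473053"    # article ID from this page
EPA_PATH = "/epatype"  # EPA scan URL named in the article

def first_line(text):
    """First line of a raw HTTP message, or '' if the text is empty."""
    lines = (text or "").splitlines()
    return lines[0] if lines else ""

def parse_request_line(line):
    """Return (method, target). Scanner payloads can hold raw spaces, so the
    method is the first token and only a trailing HTTP version is stripped."""
    method, _, rest = line.strip().partition(" ")
    target = re.sub(r"\s+HTTP/\d(?:\.\d)?$", "", rest)
    return method, target

def parse_status(line):
    """Numeric status code from a status line, or None if it is not one."""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})\b", line.strip())
    return int(m.group(1)) if m else None

def triage(finding):
    """Label one finding: a dict with raw 'request' and 'response' text (assumed layout)."""
    _, target = parse_request_line(first_line(finding.get("request")))
    status = parse_status(first_line(finding.get("response")))
    path, sep, _query = target.partition("?")
    # Exact path match only: anything else still goes to a human reviewer.
    if path == EPA_PATH and sep == "?" and status == 500:
        return "expected-behaviour (" + KB_ID + ")"
    return "needs-review"

# Constructed sample findings; the first is abbreviated from the report above.
SAMPLES = [
    {"request": "GET /epatype? class['classLoader'].resources.context.useHttpOnly=true HTTP/1.1",
     "response": "HTTP/1.1 500 Internal Server Error\nContent-Length: 71"},
    {"request": "GET /epatypes?FakeParam HTTP/1.1",
     "response": "HTTP/1.1 500 Internal Server Error"},
    {"request": "GET /vpn/index.html?x=1 HTTP/1.1",
     "response": "HTTP/1.1 500 Internal Server Error"},
    {"request": "", "response": "Connec...TRUNCATED.."},
]

def triage_all(findings):
    return [triage(f) for f in findings]

if __name__ == "__main__":
    for finding, label in zip(SAMPLES, triage_all(SAMPLES)):
        print(label, "<-", first_line(finding["request"])[:60])
```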