Missing 500 response

owasp:api2:2019-define-error-responses-500

Rule Severity:

Low

Ensure API specifications include definitions for 500 responses.
This rule applies at the API Specification level (OAS/Swagger).
API endpoints whose specifications do not describe the HTTP status codes they return are harder for developers to use. Adding standard responses to API specifications makes the use of those APIs predictable and safe.
500 responses indicate server-side errors. By providing a definition, APIs can offer meaningful information about what went wrong. When API consumers encounter a 500 response, a clear definition helps them understand the nature of the problem and whether it needs addressing on the client side or is an issue with the server. Including definitions for 500 responses in the API specification promotes transparency and professionalism: it shows that the developers have considered various scenarios and are prepared to handle unexpected situations.

Example Attack Scenario

Information Disclosure: In the absence of a defined 500 response, the server might disclose sensitive information such as configuration details or software versions through unhandled error messages. Attackers could use this information to identify potential vulnerabilities or exploit misconfigurations.

1. How to Identify with Example Scenario

responses:
  '200':
    # missing '500' response definition
    description: OK
    content:
      text/plain:
        schema:
          type: string

1. How to Resolve with Example Scenario

responses:
  '500':
    description: Internal Server Error
    # a description is required
    content:
      text/plain:
        schema:
          type: string
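As an added example (not part of the original rule page or any scanner's code), the following Python check walks an OAS document and reports every operation that either lacks a '500' response or has a '500' entry without the required description. The sample spec is constructed for the demonstration and `find_missing_500` is a hypothetical helper name.

```python
import json

# HTTP methods that OpenAPI treats as operations under a path item.
OPERATION_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def find_missing_500(spec):
    """Return findings for every operation lacking a documented '500' response.

    Each finding is a (METHOD, path, reason) tuple. The check mirrors the rule's
    two requirements: a '500' key must exist under `responses`, and that entry
    must carry a description.
    """
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in OPERATION_METHODS:
            op = item.get(method)
            if op is None:
                continue
            resp_500 = op.get("responses", {}).get("500")
            if resp_500 is None:
                findings.append((method.upper(), path, "missing '500' response definition"))
            elif not resp_500.get("description"):
                findings.append((method.upper(), path, "'500' response has no description"))
    return findings


# Constructed sample spec (JSON form of an OAS 3 document), not taken from any real API.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/items": {
      "get":  {"responses": {"200": {"description": "OK"}}},
      "post": {"responses": {"200": {"description": "OK"},
                             "500": {"description": "Internal Server Error"}}}
    },
    "/items/{id}": {
      "delete": {"responses": {"204": {"description": "No Content"}, "500": {}}}
    }
  }
}
""")

if __name__ == "__main__":
    # Expected: GET /items is missing the 500 response; DELETE /items/{id} has one without a description.
    for method, path, reason in find_missing_500(SAMPLE_SPEC):
        print(f"{method} {path}: {reason}")
```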

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications