CWE-393: Return of Wrong Status Code

Learn about CWE-393 (Return of Wrong Status Code), its security impact, exploitation methods, and prevention guidelines.

What is Return of Wrong Status Code?

• Overview: A Return of Wrong Status Code (CWE-393) occurs when a function or operation returns an incorrect status code or return value, leading the software to behave incorrectly based on that misleading result. This issue can lead to unreliable application behavior, especially if the status code is used for security decisions.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by manipulating inputs or conditions to trigger incorrect status codes, potentially bypassing security checks.
  • Common attack patterns include feeding unexpected inputs to APIs or functions to see if they return incorrect success codes despite failing internally.

• Security Impact:

  • Direct consequences of successful exploitation include incorrect application behavior, bypassing of security mechanisms, and potential exposure of sensitive data.
  • Potential cascading effects involve further system compromise if security checks are bypassed, leading to unauthorized access or data manipulation.
  • Business impact can be significant, including data breaches, loss of customer trust, regulatory fines, and damage to the company's reputation.

• Prevention Guidelines:

  • Specific code-level fixes include validating the return values of functions rigorously and ensuring they accurately reflect execution results.
  • Security best practices involve thorough testing, including edge cases and failure scenarios, to ensure status codes correctly represent operation outcomes.
  • Recommended tools and frameworks include static analysis tools to detect potential return value issues and automated testing frameworks to validate correct behavior across different scenarios.

Corgea can automatically detect and fix Return of Wrong Status Code in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

const express = require('express');
const app = express();

app.get('/product/:id', (req, res) => {
    const productId = req.params.id;
    
    // Simulate a product database lookup
    if (productId === '101') {
        res.status(200).json({ product: "Laptop" });
    } else {
        // Vulnerable: Returning 200 status even when the product is not found
        // This can mislead clients into thinking the request was successful
        res.status(200).json({ error: "Product not found" });
    }
});

app.listen(3000, () => {
    console.log('Server is running on port 3000');
});

How to fix Return of Wrong Status Code?

In this example, the server incorrectly returns a 200 OK status when a product is not found, which can mislead clients into assuming that the request was successful. Instead, the server should return a 404 Not Found status to accurately convey that the requested resource does not exist. This ensures that clients receive clear and correct information about the outcome of their request and can handle it appropriately.

Fixed Code Example

const express = require('express');
const app = express();

app.get('/product/:id', (req, res) => {
    const productId = req.params.id;
    
    // Simulate a product database lookup
    if (productId === '101') {
        res.status(200).json({ product: "Laptop" });
    } else {
        // Fixed: Return 404 status code when product is not found
        // This accurately informs the client that the resource does not exist
        res.status(404).json({ error: "Product not found" });
    }
});

app.listen(3000, () => {
    console.log('Server is running on port 3000');
});

Comparing the two examples, the fix is to make the server return a 404 Not Found status whenever the requested resource is not available, so that the status line and the response body agree. This gives the client correct and useful feedback and improves the reliability and clarity of the API.
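As an added example (not code from this page or from Corgea), the fixed handler above is restructured so the status mapping can be tested on its own, and a response-consistency guard flags the CWE-393 pattern (an error body on a 2xx status) before it is sent; the helper names buildProductResponse, isStatusConsistent, productHandler and the PRODUCTS table are assumptions for this example.

```javascript
// Constructed sample data standing in for the product database lookup.
const PRODUCTS = { '101': { product: 'Laptop' } };

// Maps each lookup outcome to exactly one HTTP status, so the status line
// alone tells the client what happened (assumed helper name).
function buildProductResponse(productId) {
  if (typeof productId !== 'string' || !/^\d+$/.test(productId)) {
    return { status: 400, body: { error: 'Invalid product id' } };
  }
  const product = PRODUCTS[productId];
  if (!product) {
    return { status: 404, body: { error: 'Product not found' } };
  }
  return { status: 200, body: product };
}

// Consistency check (assumed helper name): a 2xx status must not carry an
// error body, and a 4xx/5xx status must. 1xx/3xx have no body contract here.
function isStatusConsistent({ status, body }) {
  const hasError = body !== null && typeof body === 'object' && 'error' in body;
  if (status >= 200 && status < 300) return !hasError;
  if (status >= 400) return hasError;
  return true;
}

// Express-style handler (assumed name). `build` is injectable so the guard
// can be exercised against a response builder that gets the status wrong.
// A mismatch is logged and sent as 500 rather than shipped as a false 200.
function productHandler(req, res, build = buildProductResponse) {
  const response = build(req.params.id);
  if (!isStatusConsistent(response)) {
    console.error('CWE-393: status/body mismatch', JSON.stringify(response));
    return res.status(500).json({ error: 'Internal server error' });
  }
  return res.status(response.status).json(response.body);
}
```

Wire it in with `app.get('/product/:id', productHandler)`; the guard is defense in depth for the case where a later refactor reintroduces the 200-with-error-body mismatch.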
