Status Codes You Have to Know as a Bug Hunter

Aman Bhuiyan
3 min read · Jun 29, 2024


HTTP status codes matter to anyone who tests web applications. After collecting subdomains during recon, the next step is to probe each one and record the status code it returns: a 200, 401, 403 or 500 tells you whether a host is live, what it protects and where it is fragile. That is why application security testers and bug hunters need to read them fluently.


Let’s look at the main HTTP status codes, class by class, and what each one means.

Informational Responses (100–199):

  • 100 Continue: Sent in reply to a request carrying Expect: 100-continue; the client may go ahead and send the body (or ignore the response if it has already finished sending).
  • 101 Switching Protocols: Sent when the server agrees to an Upgrade request and switches protocols (e.g., from HTTP to WebSocket).
  • 102 Processing: A WebDAV code indicating the server has received the request and is still working on it, but no final response is available yet.

Successful Responses (200–299):

  • 200 OK: Success! The resource has been fetched (GET), headers are included (HEAD), or the result of an action is transmitted (PUT/POST).
  • 201 Created: A new resource was successfully created (usually after POST requests).
  • 202 Accepted: The request was received but not yet acted upon (often used for asynchronous processing).

Redirection Messages (300–399):

  • 301 Moved Permanently: The requested resource has moved permanently to the URL in the Location header; clients and browsers cache this.
  • 302 Found: Temporary redirection to the URL in the Location header. 303 See Other is similar but tells the client to fetch that URL with GET, typically after a POST.
  • 304 Not Modified: The client’s cached version is still valid; no body is sent.

Client Error Responses (400–499):

  • 400 Bad Request: The server rejected the request as malformed or invalid.
  • 401 Unauthorized: Authentication is missing or failed (despite the name, this is about authentication, not authorization); the response should carry a WWW-Authenticate header.
  • 403 Forbidden: The server understood the request but will not authorize it; re-authenticating will not help.
  • 404 Not Found: The resource could not be found (or the server is hiding that it exists).

Server Error Responses (500–599):

  • 500 Internal Server Error: Server-side issue.
  • 502 Bad Gateway: Invalid response from an upstream server.
  • 503 Service Unavailable: Server temporarily unable to handle requests.

Note: these codes are how a server tells a client what happened to its request, so reading them correctly is the first step in diagnosing any issue.

In bug hunting, several HTTP status codes deserve particular attention because they can point to misconfigurations or vulnerabilities. Here is the list of status codes you have to know as a bug hunter, and what each one is worth checking for:

Informational Responses (1xx)

100 Continue: Returned when the client sends Expect: 100-continue before a large request body. Useful in API testing to confirm that the server accepts the headers (authentication, content type, size) before the body is ever sent.

101 Switching Protocols: Returned when the server accepts an Upgrade request. Used when testing WebSocket endpoints, where the handshake that produces the 101 is the point at which origin and authentication checks should happen.

Success Responses (2xx)

200 OK: Indicates that the request has succeeded. Important for verifying that applications and endpoints are functioning correctly.

201 Created: Important in REST APIs to confirm that resources are being created successfully.

202 Accepted: Indicates that the request has been accepted for processing, but the processing has not been completed.

204 No Content: Success with no body. Used to check that operations which should return nothing (e.g., a DELETE) really return nothing.

Redirection Messages (3xx)

301 Moved Permanently: Check that permanent redirects point where they should. Browsers cache them, so a wrong or attacker-influenced 301 sticks with the user.

302 Found: Check where temporary redirects go and what they carry: a Location header built from user input can be an open redirect, and a response body served alongside the redirect can expose content the redirect was meant to hide.

304 Not Modified: Can be used to test caching mechanisms.

Client Error Responses (4xx)

400 Bad Request: The server rejected the request as malformed. Useful for probing input validation: what the server treats as invalid, and how much detail its error message gives away.

401 Unauthorized: Authentication is missing or failed. Critical for security testing: an endpoint that returns 401 is protected, and the WWW-Authenticate header tells you which scheme it expects.

403 Forbidden: The server understood the request but refuses to authorize it. Important for authorization testing: a 403 confirms the resource exists, and the path, HTTP method and user context are the variables to vary.

404 Not Found: The requested resource could not be found. Useful for spotting broken links and incorrect endpoints, and for telling which paths exist at all.

405 Method Not Allowed: The resource does not support the request method. Useful for verb-tampering checks; the Allow header that accompanies a 405 lists the methods the resource does accept.

409 Conflict: The request clashes with the current state of the resource (e.g., creating something that already exists). Important for detecting resource conflicts and state-handling bugs.

429 Too Many Requests: The client has been rate limited. Important when testing rate limiting and brute-force or DoS protection; note the Retry-After header if one is sent.

Server Error Responses (5xx)

500 Internal Server Error: A generic server-side failure. Critical for bug hunting: it often means unexpected input reached code that did not handle it, and a default error page may carry a stack trace or other debug output.

502 Bad Gateway: The server received an invalid response from an upstream server. Useful when testing how a proxy or load balancer handles its back ends.

503 Service Unavailable: The server is temporarily unable to handle the request. Important when testing load handling and availability.

504 Gateway Timeout: The server, acting as a gateway, did not get a response from upstream in time. Useful when testing timeouts and performance.

Tip: Understanding and correctly interpreting these status codes can help in identifying and troubleshooting various issues during bug hunting.
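Putting the two halves of this post together, the script below probes a list of hosts the way you would during recon, refuses to follow redirects so the 3xx itself is visible, and then triages each result with the checks described above (off-origin Location headers, bodies served with a redirect, 401 without WWW-Authenticate, 403 as a sign that a resource exists, Allow and Retry-After headers, stack traces on 5xx). This is an added example written for this article, not the author’s code; the function names triage_response(), probe() and start_demo_server() and the sample routes are hypothetical, and the local demo server exists only so the script runs offline.

```python
"""Probe hosts found in recon and triage each result by its HTTP status code.

Added example for this article (not the author's code). triage_response(),
probe(), start_demo_server() and the sample routes are hypothetical; the
local demo server only exists so the script runs offline.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, build_opener

REDIRECTS = {301, 302, 303, 307, 308}


def triage_response(url, status, headers, body=b""):
    """Return a list of follow-up notes for one probe result.

    url: the URL that was requested; status: integer code (None if the host
    was unreachable); headers: response headers in any case; body: raw bytes.
    """
    if status is None:
        return ["unreachable: " + body.decode(errors="replace")]
    h = {k.lower(): v for k, v in headers.items()}
    notes = []
    if status in REDIRECTS:
        # Resolve a relative Location against the request URL, then compare hosts.
        target = urlparse(urljoin(url, h.get("location", "")))
        if target.netloc.lower() != urlparse(url).netloc.lower():
            notes.append("redirect leaves origin: test for open redirect")
        if body.strip():
            notes.append("redirect carries a body: check it for leaked content")
    elif status == 401:
        if "www-authenticate" not in h:   # required by RFC 7235 / 9110 on a 401
            notes.append("401 without WWW-Authenticate: non-compliant, inspect auth flow")
        else:
            notes.append("auth required (" + h["www-authenticate"] + ")")
    elif status == 403:
        notes.append("exists but forbidden: retry with other methods, paths or auth contexts")
    elif status == 405:
        notes.append("method not allowed; Allow: " + h.get("allow", "<missing>"))
    elif status == 429:
        notes.append("rate limited; Retry-After: " + h.get("retry-after", "<missing>"))
    elif 500 <= status <= 599:
        if b"Traceback" in body or b"Exception" in body:
            notes.append("server error with stack trace in body")
        else:
            notes.append("server error")
    elif status == 200:
        notes.append("live")
    return notes


class NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself is returned."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5):
    """GET url once without following redirects; return (status, headers, body)."""
    opener = build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers.items()), resp.read()
    except HTTPError as e:        # urllib raises for every non-2xx, including 3xx here
        return e.code, dict(e.headers.items()), e.read()
    except URLError as e:
        return None, {}, str(e.reason).encode()


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed sample routes standing in for subdomains found during recon."""
    ROUTES = {
        "/":       (200, {}, b"<html>home</html>"),
        "/admin":  (403, {}, b""),
        "/api/v1": (401, {}, b""),                                  # deliberately no WWW-Authenticate
        "/go":     (302, {"Location": "https://attacker.example/"}, b"internal dashboard"),
        "/legacy": (301, {"Location": "/"}, b""),
        "/crash":  (500, {}, b"Traceback (most recent call last): ..."),
    }

    def do_GET(self):
        status, headers, body = self.ROUTES.get(self.path, (404, {}, b""))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output clean
        pass


def start_demo_server():
    """Start the demo server on a free loopback port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port


if __name__ == "__main__":
    srv, base = start_demo_server()
    for path in ["/", "/admin", "/api/v1", "/go", "/legacy", "/crash", "/nope"]:
        url = base + path
        code, hdrs, data = probe(url)
        print(code, url, triage_response(url, code, hdrs, data))
    srv.shutdown()
```

Replace the demo routes with the URLs from your subdomain list and the loop gives you a first triage pass in one run. The redirect handler matters more than it looks: with the default opener, urllib would silently follow the /go redirect to attacker.example and report whatever that host returned, and the open-redirect finding would never appear.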

#HappyHacking😊😄😃
