apichallenges > solutions > status-codes-405-500-501-204

How to complete the status code challenges

We often want to use 'status codes' as a coverage indicator, e.g. if we should probably never receive a 500 range status code from the application. The API Challenges has specific endpoints to return status codes 405, 500, 501 and 204.

Status Code Challenges

These challenges were all so similar and fast to complete that we cover the solutions for them all together. They are all variants on existing requests and all use the same endpoint /heartbeat

Challenge 25 DELETE not allowed

Issue a DELETE request on the /heartbeat end point and receive 405 (Method Not Allowed)

  • DELETE request means use the HTTP Verb DELETE i.e. instead of GET, or POST
    • e.g. DELETE /heartbeat sends to the heartbeat endpoint
  • receive 405 (Method Not Allowed) means that the status code in the response will be 405
  • add the X-CHALLENGER header to track progress

Challenge 26 Internal Server Error

Issue a PATCH request on the /heartbeat end point and receive 500 (internal server error)

  • PATCH request means use the HTTP Verb PATCH i.e. instead of GET, or POST
    • e.g. PATCH /heartbeat sends to the heartbeat endpoint
  • Patch is like POST, so we should really add a body, but in this case we don't need to... perhaps that's what causes the 500 error
  • receive 500 (Method Not Allowed) means that the status code in the response will be 500
  • add the X-CHALLENGER header to track progress

Challenge 27 TRACE Not Implemented

Issue a TRACE request on the /heartbeat end point and receive 501 (Not Implemented)

  • TRACE request means use the HTTP Verb TRACE i.e. instead of GET, or POST
    • e.g. TRACE /heartbeat sends to the heartbeat endpoint
  • receive 501 (Method Not Implemented) means that the status code in the response will be 501
  • add the X-CHALLENGER header to track progress

Challenge 28 GET 204

Issue a GET request on the /heartbeat end point and receive 204 when server is running

  • GET request means use the HTTP Verb GET
    • e.g. GET /heartbeat sends to the heartbeat endpoint
  • receive 204 means that the status code in the response will be 204
  • add the X-CHALLENGER header to track progress

Basic Instructions

All of the requests are variants of each other, just change the verb, so once you have completed one challenge the other challenges are simple.

All the requests are on the /heartbeat end point. Sometimes APIs have an endpoit used for monitoring to check that they are still functioning, but which really don't do anything else. They are requests that are fast and easy to call, but don't have any side-effects on the server. They are often automated with a CURL command in a script and are very similiar to the concept of 'ping' to see if a server is alive.

  • Create a new request for the /heartbeat end point
    • if running locally that endpoint would be
      • https://apichallenges.eviltester.com/heartbeat
  • The default values for the request should be fine
  • none of the requests need a payload
  • The request should have an X-CHALLENGER header to track challenge completion

To complete challenge 25 use a DELETE verb

  • Set the verb to DELETE and issue the request.
  • Check the response for status code (405)
  • The request should have an X-CHALLENGER header to track challenge completion

Status code 405 means that the method is not allowed, you might want to use and 'OPTIONS' request and see what verbs are allowed.

Request:

> DELETE /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*

Response:

< HTTP/1.1 405 Method Not Allowed
< Connection: close
< Date: Sun, 18 Jul 2021 10:03:24 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

To complete challenge 26 use a PATCH verb

  • Set the verb to PATCH and issue the request.
  • Check the response for status code (500)
  • The request should have an X-CHALLENGER header to track challenge completion

PATCH requests are a little unusual in that there is no standard for the body of the message, but like most amendment verbs a body is usually required. Since the heartbeat can't be amended, perhaps this is why the server throws an internal server error? It is often worth sending every verb to every end point just to make sure there is no server error. Because a server error usually means that the server is trying to process the request, which might mean there is code being exercised which shouldn't so it might be possible to exploit this request in more detail and possibly a security error.

Response:

> PATCH /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*
> Content-Length: 0

Request:

< HTTP/1.1 500 Server Error
< Connection: close
< Date: Sun, 18 Jul 2021 10:04:59 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

To complete challenge 27 use a TRACE verb

  • Set the verb to TRACE and issue the request.
  • Trace is not a common verb so some tools may not implement it, in Insomnia you need to use the Custom Method to send it.
  • Check the response for status code (501) NOT Implemented
  • The request should have an X-CHALLENGER header to track challenge completion

Any verb which is not implemented, but listed as valid in the OPTIONS should return a 501 response. If it is not allowed and not listed in Options then it should return a 405 status code.

Request:

> TRACE /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*

Response:

< HTTP/1.1 501 Not Implemented
< Connection: close
< Date: Sun, 18 Jul 2021 10:07:18 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

To complete challenge 28 use a GET verb

  • Set the verb to GET and issue the request.
  • Check the response for status code 204
  • The request should have an X-CHALLENGER header to track challenge completion

204 means that the request completed successfully but there is no other information to return so the body of the response should be empty.

Request:

> GET /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*

Response:

< HTTP/1.1 204 No Content
< Content-Length: 0
< Connection: keep-alive
< Date: Sun, 18 Jul 2021 10:08:00 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur

Extras

  • try OPTIONS on the /heartbeat end point to see if the functionality above matches the response from Options. Check the Allow header in the response to see which verbs are supposed to be supported.

Overview Video

Watch on YouTube: "Solution to the status code challenges"

Patreon ad free version