apichallenges > solutions > status-codes-405-500-501-204
How to complete the status code challenges
We often want to use 'status codes' as a coverage indicator, e.g. if we should probably never receive a 500 range status code from the application. The API Challenges has specific endpoints to return status codes 405, 500, 501 and 204.
Status Code Challenges
These challenges were all so similar and fast to complete that we cover the solutions for them all together. They are all variants on existing requests and all use the same endpoint /heartbeat
Challenge 25 DELETE not allowed
Issue a DELETE request on the
/heartbeat
end point and receive 405 (Method Not Allowed)
DELETE
request means use the HTTP Verb DELETE i.e. instead of GET, or POST- e.g.
DELETE /heartbeat
sends to the heartbeat endpoint
- e.g.
receive 405 (Method Not Allowed)
means that the status code in the response will be 405- add the
X-CHALLENGER
header to track progress
Challenge 26 Internal Server Error
Issue a PATCH request on the
/heartbeat
end point and receive 500 (internal server error)
PATCH
request means use the HTTP Verb PATCH i.e. instead of GET, or POST- e.g.
PATCH /heartbeat
sends to the heartbeat endpoint
- e.g.
- Patch is like POST, so we should really add a body, but in this case we don't need to... perhaps that's what causes the 500 error
receive 500 (Method Not Allowed)
means that the status code in the response will be500
- add the
X-CHALLENGER
header to track progress
Challenge 27 TRACE Not Implemented
Issue a TRACE request on the
/heartbeat
end point and receive 501 (Not Implemented)
TRACE
request means use the HTTP Verb TRACE i.e. instead of GET, or POST- e.g.
TRACE /heartbeat
sends to the heartbeat endpoint
- e.g.
receive 501 (Method Not Implemented)
means that the status code in the response will be501
- add the
X-CHALLENGER
header to track progress
Challenge 28 GET 204
Issue a GET request on the
/heartbeat
end point and receive 204 when server is running
GET
request means use the HTTP Verb GET- e.g.
GET /heartbeat
sends to the heartbeat endpoint
- e.g.
receive 204
means that the status code in the response will be204
- add the
X-CHALLENGER
header to track progress
Basic Instructions
All of the requests are variants of each other, just change the verb, so once you have completed one challenge the other challenges are simple.
All the requests are on the /heartbeat
end point. Sometimes APIs have an endpoit used for monitoring to check that they are still functioning, but which really don't do anything else. They are requests that are fast and easy to call, but don't have any side-effects on the server. They are often automated with a CURL command in a script and are very similiar to the concept of 'ping' to see if a server is alive.
- Create a new request for the
/heartbeat
end point- if running locally that endpoint would be
https://apichallenges.eviltester.com/heartbeat
- if running locally that endpoint would be
- The default values for the request should be fine
- none of the requests need a payload
- The request should have an
X-CHALLENGER
header to track challenge completion
To complete challenge 25 use a DELETE verb
- Set the verb to
DELETE
and issue the request. - Check the response for status code (405)
- The request should have an
X-CHALLENGER
header to track challenge completion
Status code 405 means that the method is not allowed, you might want to use and 'OPTIONS' request and see what verbs are allowed.
Request:
> DELETE /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*
Response:
< HTTP/1.1 405 Method Not Allowed
< Connection: close
< Date: Sun, 18 Jul 2021 10:03:24 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur
To complete challenge 26 use a PATCH verb
- Set the verb to
PATCH
and issue the request. - Check the response for status code (500)
- The request should have an
X-CHALLENGER
header to track challenge completion
PATCH requests are a little unusual in that there is no standard for the body of the message, but like most amendment verbs a body is usually required. Since the heartbeat can't be amended, perhaps this is why the server throws an internal server error? It is often worth sending every verb to every end point just to make sure there is no server error. Because a server error usually means that the server is trying to process the request, which might mean there is code being exercised which shouldn't so it might be possible to exploit this request in more detail and possibly a security error.
Response:
> PATCH /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*
> Content-Length: 0
Request:
< HTTP/1.1 500 Server Error
< Connection: close
< Date: Sun, 18 Jul 2021 10:04:59 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur
To complete challenge 27 use a TRACE verb
- Set the verb to
TRACE
and issue the request. - Trace is not a common verb so some tools may not implement it, in Insomnia you need to use the
Custom Method
to send it. - Check the response for status code (501) NOT Implemented
- The request should have an
X-CHALLENGER
header to track challenge completion
Any verb which is not implemented, but listed as valid in the OPTIONS should return a 501 response. If it is not allowed and not listed in Options then it should return a 405 status code.
Request:
> TRACE /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*
Response:
< HTTP/1.1 501 Not Implemented
< Connection: close
< Date: Sun, 18 Jul 2021 10:07:18 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur
To complete challenge 28 use a GET verb
- Set the verb to
GET
and issue the request. - Check the response for status code 204
- The request should have an
X-CHALLENGER
header to track challenge completion
204 means that the request completed successfully but there is no other information to return so the body of the response should be empty.
Request:
> GET /heartbeat HTTP/1.1
> Host: apichallenges.eviltester.com
> User-Agent: rest-client
> X-CHALLENGER: x-challenger-guid
> Accept: */*
Response:
< HTTP/1.1 204 No Content
< Content-Length: 0
< Connection: keep-alive
< Date: Sun, 18 Jul 2021 10:08:00 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: x-challenger-guid
< Content-Type: text/html;charset=utf-8
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur
Extras
- try OPTIONS on the
/heartbeat
end point to see if the functionality above matches the response from Options. Check the Allow header in the response to see which verbs are supposed to be supported.
Overview Video