These codes indicate that the request was successfully received, understood, and accepted.

  • 200 OK: The request was successful.
  • 201 Created: The request was successful, and a resource was created.
  • 202 Accepted: The request has been accepted but not yet processed.
  • 204 No Content: The request was successful, but there is no content to send back.

3xx: Redirection

These codes indicate that further action is needed to complete the request.

  • 301 Moved Permanently: The resource has been permanently moved to a new URL.

  • 302 Found: The resource is temporarily located at a different URL.

    Note: A 302 tells the client to fetch the URL given in the response's Location header instead, and browsers follow it automatically, so the first endpoint's own response is easy to miss. Check both the original and the redirected URLs for vulnerabilities. An intercepting proxy such as Burp Suite can capture the redirect so the request and response of each hop can be analyzed.

  • 304 Not Modified: The resource hasn’t been modified since the last request.
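The 3xx notes above say to look at every URL in a redirect chain, not just the last one. The following Python is an added example (not code from the original page) that walks a chain hop by hop, resolves relative Location headers, records the status of each hop, and stops on loops or after a hop limit. The `FAKE_RESPONSES` table and the `fetch` function are constructed stand-ins so it runs offline; in practice `fetch` would wrap a real HTTP client with redirects disabled.

```python
"""Walk an HTTP redirect chain hop by hop and record every URL visited.

Added example, not from the original page. `fetch` replays a constructed
table of responses (no network) so the chain handling can be exercised
offline; swap in a real client that does NOT auto-follow redirects.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample responses: URL -> (status, Location header or None).
FAKE_RESPONSES = {
    "https://app.example/login": (302, "/auth?next=%2Fhome"),
    "https://app.example/auth?next=%2Fhome": (301, "https://sso.example/start"),
    "https://sso.example/start": (200, None),
    "https://app.example/loop-a": (302, "/loop-b"),
    "https://app.example/loop-b": (302, "/loop-a"),
    "https://app.example/old": (304, None),
}

# Status codes whose Location header the client is expected to follow.
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch(url):
    """Stand-in for one HTTP request; returns (status, location)."""
    return FAKE_RESPONSES.get(url, (404, None))


def follow_redirects(start_url, max_hops=10):
    """Return every hop as (url, status), the final status, whether the
    chain left the starting origin, and whether it looped back on itself."""
    origin = urlsplit(start_url).netloc
    url = start_url
    status, location = fetch(url)
    hops = [(url, status)]
    seen = {url}
    looped = False
    while status in REDIRECT_CODES and location and len(hops) <= max_hops:
        # Location may be relative; resolve it against the current URL.
        url = urljoin(url, location)
        if url in seen:
            looped = True
            break
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status))
    return {
        "hops": hops,
        "final_status": status,
        "left_origin": any(urlsplit(u).netloc != origin for u, _ in hops),
        "looped": looped,
    }


if __name__ == "__main__":
    for start in ("https://app.example/login", "https://app.example/loop-a"):
        result = follow_redirects(start)
        for url, status in result["hops"]:
            print(f"{status} {url}")
        print("left origin:", result["left_origin"], "looped:", result["looped"])
```

Distinguishing 301 from 302 per hop matters because a 301 is cached by browsers, so a later fix on the server may not change what a client that has already seen the redirect does; the `left_origin` flag makes cross-site hops visible at a glance.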
4xx: Client Errors

These codes indicate that there was an issue with the request.

  • 400 Bad Request: The server could not understand the request due to malformed syntax.

    Note: A 400 error might mean the server is validating input strictly. Try sending different or malformed inputs to check for vulnerabilities like SQL Injection or XSS.

  • 401 Unauthorized: Authentication is required and has failed or has not been provided.

    Note: If you get a 401 error, it means authentication is required. In CTFs, you might need to brute-force credentials using tools like Hydra or try bypassing authentication using session cookies or tokens.

  • 403 Forbidden: The server understood the request but refuses to authorize it.

    Note: 403 Forbidden means access is restricted. You can try changing HTTP methods (like from GET to POST) or modifying request headers. Sometimes, this can bypass the restriction. Also, directory brute-forcing might reveal files that are accessible.

  • 404 Not Found: The requested resource could not be found on the server.

    Note: 404 Not Found doesn’t always mean the resource doesn’t exist. Use tools like Gobuster or Dirb to brute-force hidden directories or files. This often leads to discovering important information.
5xx: Server Errors

These codes indicate that the server failed to fulfill a valid request.

  • 500 Internal Server Error: A generic error occurred on the server.

    Note: A 500 Internal Server Error usually means the server hit an unhandled exception while processing the input. This is a sign that there could be vulnerabilities like SQL Injection or Remote Code Execution (RCE). Try sending unexpected inputs or payloads to find an attack vector.

  • 502 Bad Gateway: The server, acting as a gateway, received an invalid response from the upstream server.

    Note: A 502 error usually means there’s an issue with communication between servers. Check if there are different subdomains or backend services that might have vulnerabilities.

  • 503 Service Unavailable: The server is temporarily unavailable, usually due to maintenance or overload.

    Note: When you see 503, it could mean the service is down for maintenance. During this time, other endpoints or backup servers might still be online, which could have security flaws.
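Seen from the server side, the activity the 4xx and 5xx notes above describe (repeated 401s on a login form, a burst of 404s from directory brute-forcing, 500s triggered by unexpected input) shows up directly in the status-code column of the access log. The following Python is an added example (not code from the original page) that parses combined-format access-log lines, counts status codes per client, and flags clients that cross a per-code threshold. The log lines are constructed, and the thresholds in `THRESHOLDS` are illustrative assumptions a real deployment would tune.

```python
"""Summarise 4xx/5xx status codes per client from web-server access logs.

Added example, not code from the original page. The log lines below are
constructed in Apache/nginx combined format and the thresholds are
illustrative assumptions, not recommended production values.
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /.git/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /config/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "GET /old/ HTTP/1.1" 403 199
198.51.100.9 - - [10/Oct/2024:13:56:01 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.9 - - [10/Oct/2024:13:56:01 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.9 - - [10/Oct/2024:13:56:02 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.9 - - [10/Oct/2024:13:56:02 +0000] "POST /login HTTP/1.1" 200 1024
192.0.2.44 - - [10/Oct/2024:13:57:10 +0000] "GET /search?q=%27 HTTP/1.1" 500 0
192.0.2.44 - - [10/Oct/2024:13:57:11 +0000] "GET /search?q=%22 HTTP/1.1" 500 0
192.0.2.44 - - [10/Oct/2024:13:57:12 +0000] "GET /search?q=hello HTTP/1.1" 200 2048
"""

# Illustrative thresholds (assumptions): how many of a code from one client
# is worth a look. Real values depend on the site's normal traffic.
THRESHOLDS = {"404": 4, "401": 3, "403": 3, "500": 2}


def parse_log(text):
    """Yield a dict per line that matches the combined-log pattern."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def status_counts_by_client(text):
    """Map client IP -> Counter of status codes seen from that client."""
    counts = defaultdict(Counter)
    for rec in parse_log(text):
        counts[rec["ip"]][rec["status"]] += 1
    return counts


def flag_clients(text, thresholds=THRESHOLDS):
    """Return {ip: [(status, count), ...]} for clients over any threshold.

    Bursts of 404s look like path enumeration, repeated 401s like
    credential guessing, and repeated 500s like malformed-input probing."""
    flagged = {}
    for ip, ctr in status_counts_by_client(text).items():
        hits = [(code, ctr[code]) for code, limit in thresholds.items() if ctr[code] >= limit]
        if hits:
            flagged[ip] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for ip, hits in flag_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(f"{code} x{n}" for code, n in hits))
```

Counting per client rather than per URL is what makes the difference between a broken link (many clients, one 404 each) and enumeration (one client, many 404s); the same split applies to 401s on a login endpoint.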