Web Apps should not return 500 error when attacker appends MS-DOS devices to URLs
If an attacker is trying to fingerprint your web server, perhaps looking for https://nvd.nist.gov/vuln/detail/CVE-2007-2897
or any of the MS-DOS devices:
Rather than return a 40x error, it returns a 500, and also leaks the server header "Server:Microsoft-IIS/8.0"
This is a bad situation to be in - throwing 500 errors, and leaking the server technology. Throwing 500 errors makes our sites more susceptible to DoS attacks? If an attacker sends 1000s of requests that throw 500 errors, the site will go offline in a short period of time?
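As an added example (not from the original thread), the check below normalizes URL path segments the way Windows does when it decides a name is a reserved device (case-insensitive, extension and trailing dots/spaces ignored), and then runs it over a few constructed IIS-style log lines to surface the probing described above; the log field layout is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved MS-DOS device names; Windows file APIs intercept these in any directory.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}

def path_has_dos_device(url_path: str) -> bool:
    """Return True if any path segment resolves to a reserved device name.

    Windows matches case-insensitively, ignores an extension ("con.txt" is CON)
    and ignores trailing dots and spaces ("nul." is NUL), so the check must too.
    A front-end or middleware can answer 404 for such paths instead of passing
    them to the file system and triggering a 500.
    """
    decoded = unquote(urlsplit(url_path).path)
    for segment in decoded.split("/"):
        stem = segment.split(".", 1)[0].rstrip(" .").upper()
        if stem in RESERVED:
            return True
    return False

# Constructed IIS W3C-style log lines (assumed field order, not from the thread):
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 GET /index.html 200
2024-01-01 10:00:02 203.0.113.5 GET /aux.aspx 500
2024-01-01 10:00:02 203.0.113.5 GET /images/con 500
2024-01-01 10:00:03 198.51.100.7 GET /about/ 200
2024-01-01 10:00:04 203.0.113.5 GET /com1.txt 500
2024-01-01 10:00:05 198.51.100.7 GET /report.pdf 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def device_probes(log_text: str) -> dict:
    """Group device-name probe hits by client IP: {ip: [(uri, status), ...]}.

    A burst of such hits from one source, especially with 500 responses, is the
    fingerprinting pattern worth alerting on.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, ip, _, uri, status = m.groups()
        if path_has_dos_device(uri):
            hits.setdefault(ip, []).append((uri, int(status)))
    return hits
```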
Thanks for bringing this up!
We will look into the leaked server header, but based on some testing, it is not a trivial fix.
The internal server error responses are not harming your application in any way and cannot be used for DoSing the site (your site will not go down because of these). Unfortunately, fixing the response itself to a 4xx type of response might be more challenging; there is currently no timeline for that and it is in our backlog.
We will update when there is work deployed to address the above.