Web Apps should not return 500 error when attacker appends MS-DOS devices to URLs
If an attacker is trying to fingerprint your web server, perhaps looking for https://nvd.nist.gov/vuln/detail/CVE-2007-2897
or any of the MS-DOS devices:
Rather than return a 40x error, it returns a 500, and also leaks the server header "Server:Microsoft-IIS/8.0".
This is a bad situation to be in - throwing 500 errors, and leaking the server technology. Throwing 500 errors makes our sites more susceptible to DoS attacks? If an attacker sends 1000s of requests that throw 500 errors, the site will go offline in a short period of time?
Deleting with lack of feedback and no work planned for this area.
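The following detection sketch is an added example, not part of the original post or of any Microsoft code. It flags requests whose URL path contains a reserved MS-DOS device name (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension) and reports the status code the server returned. The log field order, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names on Windows: CON, PRN, AUX, NUL, COM1-9, LPT1-9.
# A name is still reserved when followed by an extension (e.g. "aux.aspx").
_DEVICE = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)


def device_segments(url_path):
    """Return the path segments that resolve to a reserved device name."""
    hits = []
    decoded = unquote(url_path.split("?", 1)[0])  # drop query, decode %xx
    for seg in re.split(r"[/\\]", decoded):
        # Windows ignores trailing dots/spaces and everything after the first dot.
        base = seg.rstrip(" .").split(".", 1)[0].rstrip(" ")
        if _DEVICE.match(base):
            hits.append(seg)
    return hits


def scan_log(lines):
    """Yield (client_ip, path, status) for requests naming a device.

    Assumes space-separated fields in the order given by FIELDS below.
    """
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        if device_segments(rec["cs-uri-stem"]):
            yield rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-status"])


# Hypothetical field order for this example (W3C-style names).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status"]

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "#Fields: " + " ".join(FIELDS),
    "2024-01-01 10:00:00 203.0.113.5 GET /index.html 200",
    "2024-01-01 10:00:01 203.0.113.5 GET /aux.aspx 500",
    "2024-01-01 10:00:02 203.0.113.5 GET /files/COM1 500",
    "2024-01-01 10:00:03 203.0.113.5 GET /docs/%6Eul.txt 500",
    "2024-01-01 10:00:04 198.51.100.7 GET /console/login 200",
    "2024-01-01 10:00:05 198.51.100.7 GET /lpt10/readme.txt 404",
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        flag = "returns 5xx, fix handling" if status >= 500 else "ok"
        print(f"{ip} {path} -> {status} ({flag})")
```

The same `device_segments` check can sit in front of the application to answer such paths with a 404 before they reach the handler that produces the 500.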