double escape sequence inside a url : The request filtering module is configured to deny a request that contains a double escape sequence
On my ASP.NET MVC application, I am trying to implement a URL like below :
/product/tags/for+families
When I try to run my appl
-
Security Risk
The setting
allowDoubleEscapingonly applies to thepath(cs-uri-stem) and is best explained by OWASP Double Encoding. The technique is used to get around security controls by URL Encoding the request twice. Using your URL as an example:/product/tags/for+families --> /product/tags/for%2Bfamilies --> /product/tags/for%252BfamiliesSuppose there are security controls specifically for
/product/tags/for+families. A request arrives for/product/tags/for%252Bfamilieswhich is the same resource though is unchecked by the aforementioned security controls. I used the generalized term of security controls because they could be anything such as requiring an authenticated user, checking for SQLi, etc.Why Does IIS Block?
The plus sign (+) is a reserved character per RFC2396:
Many URI include components consisting of or delimited by, certain special characters. These characters are called "reserved", since their usage within the URI component is limited to their reserved purpose. If the data for a URI component would conflict with the reserved purpose, then the conflicting data must be escaped before forming the URI.
reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","Wade Hilmo has an excellent post titled How IIS blocks characters in URLs. There's lots of information and background provided. The part specifically for the plus sign is as follows:
So allowDoubleEscaping/VerifyNormalization seems pretty straightforward. Why did I say that it causes confusion? The issue is when a ‘+’ character appears in a URL. The ‘+’ character doesn’t appear to be escaped, since it does not involve a ‘%’. Also, RFC 2396 notes it as a reserved character that can be included in a URL when it’s in escaped form (%2b). But with allowDoubleEscaping set to its default value of false, we will block it even in escaped form. The reason for this is historical: Way back in the early days of HTTP, a ‘+’ character was considered shorthand for a space character. Some canonicalizers, when given a URL that contains a ‘+’ will convert it to a space. For this reason, we consider a ‘+’ to be non-canonical in a URL. I was not able to find any reference to a RFC that calls out this ‘+’ treatment, but there are many references on the web that talk about it as a historical behavior.
From my own experience I know that when IIS logs a request spaces are substituted with a plus sign. Having a plus sign in the name may cause confusion when parsing logs.
Solution
There are three ways to fix this and two ways to still use the plus sign.
allowDoubleEscaping=true- This will allow double escaping for your entire website/application. Depending on the content, this could be undesirable to say the least. The following command will setallowDoubleEscaping=true.appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /allowDoubleEscaping:TruealwaysAllowedUrls- Request Filtering offers a whitelist approach. By adding that URL path to alwaysAllowedUrls, the request will not be checked by any other Request Filtering settings and continue on in the IIS request pipeline. The concern here is that Request Filtering will not check the request for:- Request Limits: maxContentLength, maxUrl, maxQueryString
- Verbs
- Query - query string parameters will not be checked
- Double Escaping
- High Bit Characters
- Request Filtering Rules
- Request Header Limits
The following command will add
/product/tags/for+familiestoalwaysAllowedUrlson the Default Web Site.appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"alwaysAllowedUrls.[url='/product/tags/for+families']"Rename - yes, just rename the file/folder/controller/etc. if possible. This is the easiest solution.
加载中...
- 热议问题