Java – IIS 403 that prohibits the use of / in URLs

I have IIS (Microsoft IIS/7.5) returning 403 Forbidden and I can't figure out why. I narrowed it down to /, but only if it has a letter in front of it. Do you know what causes it?

These work:

> http://example.com/mySite123/index.cfm?x=blah%2Fblah
> http://example.com/mySite123/index.cfm?x=blah%2F
> http://example.com/mySite123/index.cfm?x=123%2F
> http://example.com/mySite123/index.cfm?x=%2F

But if you put any letter before the / they fail with 403.

These fail:

> http://example.com/mySite123/index.cfm?x=a%2F
> http://example.com/mySite123/index.cfm?x=b%2F
> http://example.com/mySite123/index.cfm?x=c%2F
> ……
> http://example.com/mySite123/index.cfm?x=z%2F
> http://example.com/mySite123/anything.anything?anything=x%2Fanything

Thank you!

Update: I ruled out ColdFusion because this gives the same 403: http://example.com/mySite123/indexdotcfm?x=a%2F

Update:

Top level IIS:
  Checked:
    Allow unlisted file name extensions
    Allow unlisted verbs
    Allow high-bit characters
  Unchecked:
    Allow double escaping

  Request Limits:
    Maximum allowed content length (Bytes): 30000000
    Maximum URL length (Bytes): 4096
    Maximum query string (Bytes): 2048

Sites
mySite123:
  Checked:
    Allow unlisted verbs
    Allow high-bit characters
  Unchecked:
    Allow unlisted file name extensions
    Allow double escaping

  Request Limits:
    Maximum allowed content length (Bytes): 2147483647
    Maximum URL length (Bytes): 4096
    Maximum query string (Bytes): 2048

  Deny URL Sequences:
    /CFIDE/Administrator
    /CFIDE/adminapi

Update: if I change the directory I'm hitting, the 403 changes to a 404. Example:

This returns 404 as expected: http://www.example.com/anything.anything?anything=x%2Fanything

This returns 403: http://www.example.com/mySite123/anything.anything?anything=x%2Fanything

So is it safe to assume that the 403 problem is related to the "mySite123" virtual directory settings?

Solution

I'm sure you are getting the 403 Forbidden response because of a security function of IIS. This is a known attack vector. That URL-encoded character sequence is just the / (forward slash) character. Obviously, this has special significance for browsers and the Internet. It is used for directory traversal. Encoding special characters in URLs is a hacking technique that bypasses some basic security measures. See OWASP on path traversal. Start with the full text of "The Web Application Hacker's Handbook" (about halfway down the page):

(bold emphasis is mine)

You may come up with a way to allow this, but why would you? I don't recommend it. Do you want to open your server to potential attacks? I think it's best to avoid this URL sequence altogether. Do you really need forward slash characters in the URL query string? Perhaps you can use a different method that is less dangerous and does not expose your server, instead of finding a way to allow this character in the query string. For this specific URL variable, you could pick a different character and replace it with the character you need on the server. Something like:

replace

http://example.com/index.cfm?x=a%2Fblah

with

http://example.com/index.cfm?x=a-blah

Then on the server, you know the - (dash) character is expected in the x variable, so you replace it with the / (forward slash) character on the server, or whatever character you need.

In ColdFusion:

<cfset x = Replace(URL.x,"-","/","ALL") />

Be sure to use some unique character that does not otherwise exist in the string. Always remember to sanitize all user-supplied input on the server.

Here are some references I found to vulnerabilities involving the / character sequence in URLs:

Component titles containing ‘/’ (forward slash) characters

IIS URL Decoding Vulnerability

Receive an HTTP 400 error if %2F is part of the GET URL in JBOSS

URL-encoded slash in URL

Generic Google search about the topic

Please note that some of the above references relate to web servers other than IIS, but they indicate the vulnerabilities.

The other thing you might try is a double escape sequence. So instead of / you would have %2F (% is the percent sign). However, you would need to make changes in IIS to support this. Reference: if I name an image with a %2F, I cannot access it and when navigating to it I get a 404. I think this should be a last resort. Double Encoding
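An added example in Python, not from the answer or the original poster, showing the answer's substitution approach (the ColdFusion Replace line above does the same swap). It uses a reversible escape instead of a bare dash swap, since a dash already present in the data would be turned into a / on the server, and adds the server-side sanity check the answer asks for. All names are my own.

```python
# Added example (not from the original post): carry a "/" inside a query value
# without ever sending %2F, the substitution approach the answer recommends.
# A bare dash-for-slash swap is lossy once the real value contains a dash, so
# this uses a small reversible escape: "~s" stands for "/", "~~" for "~".
# All function names here are my own, not part of any IIS or ColdFusion API.
from urllib.parse import parse_qs, urlencode

def encode_slash_safe(value: str) -> str:
    """Escape so the result contains no '/', hence no %2F after URL-encoding."""
    return value.replace("~", "~~").replace("/", "~s")

def decode_slash_safe(value: str) -> str:
    """Server side: restore '/' and '~'; reject malformed escapes loudly."""
    out, i = [], 0
    while i < len(value):
        if value[i] != "~":
            out.append(value[i])
            i += 1
            continue
        if i + 1 >= len(value) or value[i + 1] not in "s~":
            raise ValueError(f"bad escape at offset {i}")
        out.append("/" if value[i + 1] == "s" else "~")
        i += 2
    return "".join(out)

def naive_dash_swap_roundtrip(value: str) -> str:
    """The answer's one-character swap; shown only to expose its ambiguity."""
    return value.replace("/", "-").replace("-", "/")

def build_query(x: str) -> str:
    """Client side: the query string that goes on the wire (no %2F in it)."""
    return urlencode({"x": encode_slash_safe(x)})

def read_query(query_string: str) -> str:
    """Server side: parse the query and undo the escape."""
    raw = parse_qs(query_string, strict_parsing=True)["x"][0]
    return decode_slash_safe(raw)

def is_safe_relative_path(p: str) -> bool:
    """Sanity check before the restored value touches the file system:
    no absolute path, no backslash, no NUL, no '.' or '..' segments."""
    if p.startswith("/") or "\\" in p or "\x00" in p:
        return False
    return all(seg not in (".", "..") for seg in p.split("/"))

if __name__ == "__main__":
    wire = build_query("a/b~c-d")
    print(wire, "->", read_query(wire))        # no %2F on the wire
    print(naive_dash_swap_roundtrip("a-b/c"))  # a/b/c: the original dash is lost
```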
