IIS 403 forbidden with %2F in url

I have IIS (Microsoft-IIS/7.5) returning 403 and I cannot figure out why. I've narrowed it down to %2F, but only when it is preceded by a single letter. Any idea what could be causing this?

These work ...

But if you put any single letter in front of %2F, it fails with 403.

These fail ...

Thanks!

UPDATE: I ruled out ColdFusion because it gives the same 403: http://example.com/mySite123/indexdotcfm?x=a%2F

UPDATE:

Top Level IIS:
  Checked:
    Allow unlisted file name extensions
    Allow unlisted verbs
    Allow high-bit characters
  Unchecked:
    Allow double escaping

  Request Limits:
    Maximum allowed content length (Bytes):  30000000
    Maximum URL length (Bytes):  4096
    Maximum query string (Bytes):  2048

Sites
  mySite123:
    Checked:
      Allow unlisted verbs
      Allow high-bit characters
    Unchecked:
      Allow unlisted file name extensions
      Allow double escaping

    Request Limits:
      Maximum allowed content length (Bytes):  2147483647
      Maximum URL length (Bytes):  4096
      Maximum query string (Bytes):  2048

    Deny URL
      /CFIDE/Administrator
      /CFIDE/adminapi

UPDATE: If I change the directory I request, the 403 changes to a 404. Example:

This returns 404 as expected: http://www.example.com/anything.anything?anything=x%2Fanything

This returns 403: http://www.example.com/mySite123/anything.anything?anything=x%2Fanything

So, can we assume that the 403 issue is related to the configuration of the virtual directory "mySite123"?

+3

3 answers


The server admins I worked with stated:

"The problem stopped after an update for Java was made.

I installed the latest security update for Java 1.7 (update 25, 64-bit) on Saturday.

After restarting the web server, the problem disappeared."



UPDATE: I took this as an answer a few days ago, but now the problem is back.

UPDATE (Aug 31, 2015): Resolved. It had nothing to do with what the other answers were talking about. The data center firewall had some invalid settings/rules. I cannot elaborate on this in more detail. The firewall rule setting has been fixed.

0


I'm pretty sure you are getting a 403 Forbidden response as an IIS security feature. This is a well-known attack vector. The character sequence %2F is simply a URL-encoded / (forward slash) character. Obviously, this is of particular importance for browsers and the web, since it is used to traverse directories. Encoding special characters in a URL is a hacky trick to get around some basic security measures. See Path Traversal from OWASP. From the full text of "The Web Application Hacker's Handbook" (about halfway down this page):

Chapter 10 Attacking Back-End Components 575

HACK STEPS

  • Always try path traversal sequences using both forward slashes and backslashes. Many input filters check only one of them when the file system can support both.

  • Try simple URL-encoded workarounds using the following encodings. Make sure to encode every slash and dot inside your input:

    Dot - %2e
    Forward slash - %2f
    Backslash - %5c

  • Try using 16-bit Unicode encoding:

    Dot - %u002e
    Forward slash - %u2215
    Backslash - %u2216

  • Try double URL encoding:

    Dot - %252e
    Forward slash - %252f
    Backslash - %255c

  • Try using UTF-8 Unicode encoding:

    Dot - %c0%2e, %e0%40%ae, %c0ae, etc.
    Forward slash - %c0%af, %e0%80%af, %c0%2f, etc.
    Backslash - %c0%5c, %c0%80%5c, etc.

    ...

(emphasis mine)

You could find a way to work around this, but why would you? I would not recommend it. Do you want to expose your server to potential attacks? I think it would be better to avoid this sequence in your URLs. Is the forward slash required in the URL query string? Instead of finding a way to get this character through the query string, perhaps you can use another one that is less dangerous and doesn't expose your server. For that particular URL variable, you can look for that other character and replace it with whatever you want on the server side. Something like:

Instead of

http://example.com/index.cfm?x=a%2Fblah

use

http://example.com/index.cfm?x=a-blah

Then on the server, you expect a - (dash) character in the variable x and replace it with a / (forward slash). Or any other character.

In ColdFusion:

<cfset x = Replace(URL.x,"-","/","ALL") />

Just be sure to use a unique character that won't otherwise exist in that string. Always remember to sanitize ALL user input on the server.

Here are some links I found regarding the %2F character sequence vulnerability in URLs:

Component headers containing "/" (forward slash) characters

IIS URL Extension Vulnerability

Get HTTP error 400 if %2F is part of a GET URL in JBOSS

URL encoded slash in url

General Google search on the topic

Please note that some of the links above relate to non-IIS web servers, but they indicate that a vulnerability exists.

Something else you could try is double encoding the sequence. So instead of %2F you would have %252F (%25 is the percent sign). But you also need to make changes to IIS to support this. Links: If I name an image with %2F I cannot access it and when I navigate to it I get a 404; Double encoding. I think this would be the last resort.

+9
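The answer above lists the encodings a filter has to account for (plain, 16-bit %u, double, overlong UTF-8, both slash styles) and points out that the question's IIS has "Allow double escaping" unchecked. As an added example that is not part of this thread, here is a canonicalise-then-check filter in Python that approximates, rather than reproduces, IIS request filtering: decode the path exactly once and strictly, reject anything that still looks encoded, then test the decoded segments for traversal. The filenames in the comments and tests are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Non-standard %uXXXX form historically accepted by IIS; not part of RFC 3986.
UNICODE_ESCAPE = re.compile(r"%[uU][0-9A-Fa-f]{4}")


def decode_once(component: str) -> str:
    """Percent-decode a URL component exactly once, strictly.

    Raises ValueError for %uXXXX escapes and UnicodeDecodeError for byte
    sequences that are not valid UTF-8 (this catches overlong forms such as
    %c0%af, which a lenient decoder would turn into '/')."""
    if UNICODE_ESCAPE.search(component):
        raise ValueError("non-standard %u escape")
    raw = unquote_to_bytes(component)
    return raw.decode("utf-8")  # strict: overlong/invalid bytes raise


def check_path(raw_path: str) -> str:
    """Return 'allow' or 'reject: <reason>' for a raw (still encoded) URL path."""
    try:
        decoded = decode_once(raw_path)
    except UnicodeDecodeError:          # subclass of ValueError, so test it first
        return "reject: invalid UTF-8 in escape sequence"
    except ValueError as exc:
        return f"reject: {exc}"
    # A %XX surviving one decode means the request was double escaped
    # (the 'Allow double escaping' setting the question shows unchecked).
    if PCT_ESCAPE.search(decoded):
        return "reject: double escaping"
    # IIS accepts both slash styles, so normalise before looking for '..'.
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return "reject: path traversal"
    return "allow"


def check_url(url: str) -> str:
    """Only the path is tested. An encoded slash in the query string is not a
    path component; what it means is up to the application (see the dash
    workaround above), so ?x=a%2Fblah passes here."""
    return check_path(urlsplit(url).path)
```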


To add some specifics to this thread, %2f (which is just an encoded version of /, as stated earlier) has been a problem for Microsoft for some time because of directory traversal vulnerabilities that allowed attackers to access files outside of web directories. Popular Intrusion Prevention Systems (like Snort) have rules for blocking this behavior. Below is detailed information about the issue, as well as historical examples of attack strings and security advisories. This %2f encoding has caused a world of pain for web server admins and security admins for years (and attack attempts are still visible, as they are still actively used).

+1
