IIS 403 Forbidden with %2F in URL
I have IIS (Microsoft-IIS/7.5) returning 403 and I cannot figure out why. I've narrowed it down to %2F, but only when it is preceded by a single letter. Any idea what could be causing this?
These work:
- http://example.com/mySite123/index.cfm?x=blah%2Fblah
- http://example.com/mySite123/index.cfm?x=blah%2F
- http://example.com/mySite123/index.cfm?x=123%2F
- http://example.com/mySite123/index.cfm?x=%2F
But if you put any single letter in front of %2F, it fails with 403.
These fail:
- http://example.com/mySite123/index.cfm?x=a%2F
- http://example.com/mySite123/index.cfm?x=b%2F
- http://example.com/mySite123/index.cfm?x=c%2F
- ...
- http://example.com/mySite123/index.cfm?x=z%2F
- http://example.com/mySite123/anything.anything?anything=x%2Fanything
Thanks!
UPDATE: I ruled out ColdFusion because it gives the same 403: http://example.com/mySite123/indexdotcfm?x=a%2F
UPDATE:
Top-level IIS:
Checked:
- Allow unlisted file name extensions
- Allow unlisted verbs
- Allow high-bit characters
Unchecked:
- Allow double escaping
Request Limits:
- Maximum allowed content length (Bytes): 30000000
- Maximum URL length (Bytes): 4096
- Maximum query string (Bytes): 2048
Site mySite123:
Checked:
- Allow unlisted verbs
- Allow high-bit characters
Unchecked:
- Allow unlisted file name extensions
- Allow double escaping
Request Limits:
- Maximum allowed content length (Bytes): 2147483647
- Maximum URL length (Bytes): 4096
- Maximum query string (Bytes): 2048
Deny URL:
- /CFIDE/Administrator
- /CFIDE/adminapi
UPDATE: If I change the directory I hit, I can change the 403 to a 404. Example:
This returns 404 as expected: http://www.example.com/anything.anything?anything=x%2Fanything
This returns 403: http://www.example.com/mySite123/anything.anything?anything=x%2Fanything
So, can we assume that the 403 issue is related to the configuration of the virtual directory "mySite123"?
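An added example, not code from the original post: a small model of the IIS 7.x request-filtering rules behind the settings listed in the updates above, so you can see which of the probe URLs request filtering would reject and with what status. It relies on the documented fact that request filtering denies with HTTP 404 plus a substatus (404.5 URL sequence denied, 404.11 URL double escaped, 404.14 URL too long, 404.15 query string too long), not with 403. Two details are assumptions and are labelled in the code: that the double-escaping test is applied to the path only, and that deny sequences are compared case-insensitively against the once-decoded path.

```python
"""Model of IIS 7.x request filtering for the settings quoted in the question.

Added example, not from the original post.  Documented behaviour modelled:
request filtering answers 404.x, never 403.  Assumptions are marked inline.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote, urlsplit


@dataclass
class RequestFiltering:
    allow_double_escaping: bool
    max_url: int
    max_query_string: int
    deny_url_sequences: list = field(default_factory=list)


# The "mySite123" values transcribed from the question.
MYSITE123 = RequestFiltering(
    allow_double_escaping=False,
    max_url=4096,
    max_query_string=2048,
    deny_url_sequences=["/CFIDE/Administrator", "/CFIDE/adminapi"],
)


def is_double_escaped(s: str) -> bool:
    """IIS treats a string as double escaped when percent-decoding it a
    second time changes it again: %252F -> %2F -> / does, %2F -> / does not."""
    once = unquote(s)
    return unquote(once) != once


def verdict(url: str, cfg: RequestFiltering = MYSITE123) -> Optional[str]:
    """None if request filtering would pass the request, otherwise the
    documented status/substatus it would answer with."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    if len(path) > cfg.max_url:              # maxUrl applied to the path; the
        return "404.14 URL too long"         # query string has its own limit
    if len(query) > cfg.max_query_string:
        return "404.15 query string too long"
    # Assumption: the double-escaping check looks at the path, not the query.
    if not cfg.allow_double_escaping and is_double_escaped(path):
        return "404.11 URL double escaped"
    # Assumption: sequences are matched case-insensitively on the decoded path.
    decoded_path = unquote(path).lower()
    for seq in cfg.deny_url_sequences:
        if seq.lower() in decoded_path:
            return "404.5 URL sequence denied"
    return None


if __name__ == "__main__":
    probes = [
        "http://example.com/mySite123/index.cfm?x=blah%2Fblah",    # works, per the question
        "http://example.com/mySite123/index.cfm?x=a%2F",           # 403, per the question
        "http://example.com/mySite123/a%252Fb.cfm",                # genuinely double escaped
        "http://example.com/mySite123/CFIDE/administrator/",       # denied sequence
        "http://example.com/mySite123/index.cfm?x=" + "a" * 3000,  # query string too long
    ]
    for p in probes:
        print(f"{verdict(p) or 'pass':30} {p[:60]}")
```

Both the working `blah%2Fblah` URL and the failing `a%2F` URL pass every rule in the list, and anything request filtering did reject would come back as a 404.x rather than a 403, so under these settings the 403 has to originate somewhere other than IIS request filtering. The final update to the question, which traced it to a firewall rule, is consistent with that.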
The server admins I worked with stated:
"The problem stopped after an update for Java was made. I installed the latest security update for Java 1.7 (update 25, 64-bit) on Saturday. After restarting the web server, the problem disappeared."
UPDATE: I took this as an answer a few days ago, but now the problem is back.
UPDATE (Aug 31, 2015): Resolved. It had nothing to do with what the other answers were talking about. The data center firewall people had some invalid settings/rules in place. I cannot elaborate on this in more detail. The firewall rule has been fixed.
I'm pretty sure you are getting a 403 Forbidden response because of an IIS security feature. This is a well-known attack vector. The character sequence %2F is simply the URL-encoded / (forward slash) character. Obviously, this is of particular importance for browsers and the web: it is used to traverse directories. Encoding special characters in a URL is a hacky trick to get around some basic security measures. See Path Traversal from OWASP. From the full text of "The Web Application Hacker's Handbook" (about halfway down the page):
Chapter 10 Attacking Back-End Components 575
HACK STEPS
Always try path traversal sequences using both forward slashes and backslashes. Many input filters check only one of them, while the file system may support both.
Try simple URL-encoded representations using the following encodings. Be sure to encode every slash and dot within your input:
- Dot - %2e
- Forward slash - %2f
- Backslash - %5c
Try using 16-bit Unicode encoding:
- Dot - %u002e
- Forward slash - %u2215
- Backslash - %u2216
Try double URL encoding:
- Dot - %252e
- Forward slash - %252f
- Backslash - %255c
Try using overlong UTF-8 Unicode encoding:
- Dot - %c0%2e, %e0%40%ae, %c0ae, etc.
- Forward slash - %c0%af, %e0%80%af, %c0%2f, etc.
- Backslash - %c0%5c, %c0%80%5c, etc.
(emphasis mine)
You could find a way to allow this, but why would you? I would not recommend it. Do you want to expose your server to potential attacks? I think it would be better to avoid this URL sequence altogether. Is the forward slash really required in the query string? Instead of finding a way to allow this character in the query string, perhaps you can use another one that is less dangerous and doesn't expose your server. For that particular URL variable, you can look for that other character and replace it with whatever you want on the server side. Something like:
Instead of
http://example.com/index.cfm?x=a%2Fblah
use
http://example.com/index.cfm?x=a-blah
Then on the server, you expect a - (dash) character in the variable x and replace it with a / (forward slash). Or any other character.
In ColdFusion:
<cfset x = Replace(URL.x,"-","/","ALL") />
Just be sure to use a unique character that won't otherwise appear in that string. Always remember to sanitize ALL user input on the server.
Here are some links I found regarding the %2F character sequence vulnerability in URLs:
- Component headers containing "/" (forward slash) characters
- IIS URL Extension Vulnerability
- Get HTTP error 400 if %2F is part of a GET URL in JBoss
- General Google search on the topic
Please note that some of the links above relate to non-IIS web servers, but they indicate that a vulnerability exists.
Something else you could try is double encoding the sequence. So instead of %2F you would have %252F (%25 is the percent sign). But you also need to make changes to IIS to support this. I think this should be a last resort. Links:
- If I name an image with %2F I cannot access it, and when I navigate to it I get a 404
- Double encoding
To add some specifics to this thread, %2f (which is only an encoded version of /, as stated earlier) has dogged Microsoft for some time with directory traversal vulnerabilities that allowed hackers to access files outside of web directories. Popular intrusion prevention systems (like Snort) have rules for blocking this behavior. Below is detailed information about the issue, as well as historical examples of attack strings and security advisories. This %2f encoding has caused a world of pain for web server admins and security admins for years (and attack attempts are still visible, since they are still actively used).
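An added example, not code from either answer or from the quoted book, serving both the hack-steps list quoted in the earlier answer and the IPS-rule point made in the last one: it canonicalizes the traversal encodings that list enumerates (plain %xx, %uXXXX, double %25xx and overlong UTF-8 forms of '.', '/' and '\') and then scans request lines for a '..' segment, which is the check a Snort-style rule or a server-side filter has to make after decoding rather than on the raw bytes. The %u best-fit table (U+2215 to '/', U+2216 to '\') is an assumption taken from the quoted list, and the log lines are constructed for this demo in a simplified W3C-style layout; both are labelled in the code.

```python
"""Canonicalize traversal encodings, then detect '..' segments.

Added example; not code from the answers or the quoted book.
Assumptions (best-fit table, sample log) are labelled inline.
"""
import re
from urllib.parse import unquote_to_bytes

UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# Assumption: best-fit mappings the quoted %u2215/%u2216 tricks rely on.
BEST_FIT = {0x2215: "/", 0x2216: "\\"}


def lenient_utf8(b: bytes) -> str:
    """Decode UTF-8 the way a permissive decoder does: well-formed sequences
    normally, overlong or malformed multi-byte sequences by combining the low
    six bits of each trailing byte (so %c0%af -> '/', %e0%40%ae -> '.')."""
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if c < 0x80:
            out.append(chr(c))
            i += 1
            continue
        n = 2 if c < 0xE0 else 3 if c < 0xF0 else 4
        chunk = b[i:i + n]
        try:
            out.append(chunk.decode("utf-8"))   # valid multi-byte sequence
            i += n
            continue
        except UnicodeDecodeError:
            pass
        if 0xC0 <= c < 0xF8 and len(chunk) == n:
            cp = c & (0x1F if n == 2 else 0x0F if n == 3 else 0x07)
            for t in chunk[1:]:
                cp = (cp << 6) | (t & 0x3F)
            if cp < 0x80:                        # overlong encoding of ASCII
                out.append(chr(cp))
                i += n
                continue
        out.append(chr(c))                       # stray byte: keep as Latin-1
        i += 1
    return "".join(out)


def canonicalize(s: str, rounds: int = 3) -> str:
    """Decode %uXXXX, %xx and overlong UTF-8, repeating to catch double
    encoding, then fold backslashes to forward slashes."""
    for _ in range(rounds):
        t = UNICODE_ESCAPE.sub(
            lambda m: BEST_FIT.get(int(m.group(1), 16), chr(int(m.group(1), 16))), s)
        t = lenient_utf8(unquote_to_bytes(t))
        if t == s:
            break
        s = t
    return s.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True when the canonical path or query string contains a '..' segment."""
    return ".." in re.split(r"[/?&=]", canonicalize(target))


# Constructed sample, not real traffic: date time method uri-stem uri-query status
SAMPLE_LOG = """\
2015-08-31 10:00:01 GET /mySite123/index.cfm x=a%2F 403
2015-08-31 10:00:02 GET /mySite123/index.cfm x=..%2F..%2Fweb.config 200
2015-08-31 10:00:03 GET /mySite123/%2e%2e%2f%2e%2e%2fwindows/win.ini - 404
2015-08-31 10:00:04 GET /mySite123/..%252f..%252fweb.config - 200
2015-08-31 10:00:05 GET /mySite123/..%u2215..%u2215web.config - 200
2015-08-31 10:00:06 GET /mySite123/..%c0%af..%c0%afweb.config - 200
2015-08-31 10:00:07 GET /mySite123/img/logo.png - 200
"""


def scan(log: str) -> list:
    """Return (time, raw target, canonical target) for every traversal hit."""
    hits = []
    for line in log.splitlines():
        _date, time, _method, stem, query, _status = line.split()
        target = stem if query == "-" else f"{stem}?{query}"
        if is_traversal(target):
            hits.append((time, target, canonicalize(target)))
    return hits


def naive_hits(log: str) -> int:
    """What a filter that only looks for a literal '../' would catch."""
    return sum("../" in line for line in log.splitlines())


if __name__ == "__main__":
    for time, raw, canon in scan(SAMPLE_LOG):
        print(f"{time}  {raw}\n          -> {canon}")
    print(f"naive '../' filter catches {naive_hits(SAMPLE_LOG)} of {len(scan(SAMPLE_LOG))}")
```

Run as-is, it reports five traversal attempts that a literal `../` check misses entirely. The asker's own `x=a%2F` line canonicalizes to `x=a/`, which has no `..` segment and is therefore not flagged: that is the line a filter should draw between an encoded slash inside a query value and an actual traversal attempt, rather than rejecting every `%2F` outright.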