IIS 5 and URLScan with ASP web pages cross-site scripting fix.

I have just installed URLSCAN on my IIS 5 web server in an attempt to resolve the following problem:


Cross-Site Scripting (XSS)
Cross-site scripting is a term used to describe problems which arise
when maliciously crafted user data causes a web application to redirect
an unsuspecting web browser to an undesired site. It was
possible to send strings with special HTML characters ( < > " ' )
to your web application, and see them rendered in the response.
Since these characters were not encoded by the web application,
it may be possible to inject HTML scripting code into the rendered
page. The injections can occur in your HTML body, Title, Scripting,
or even commented out portions of the document. Note: Due to the
potential negative impact on this web server's resources that could
result from attacking a large number of cross-site scripting attack
vectors, TrustKeeper abandons this test after it has found at least three
instances where user input is not being properly sanitized. Therefore,
it is possible that the reported findings associated with this vulnerability
are only a subset of all possible attack vectors.
Note: All Cross-Site Scripting vulnerabilities are considered noncompliant
by PCI.
Service: (80) Microsoft-IIS/5.0
Evidence:
" Date: 2009-11-30 15:02:15.905
" HTTP Request Mode: POST
" HTTP Status Code: 200


The remediation action says to do this:

This is a generic warning based on a test that indicates that your web
application may not validate user-provided input, such as that provided
by a form. Review your web application to ensure that user data is
checked on the server side of the application (NOT in the web browser)
for proper length and character content. It is recommended that a
white-list of acceptable characters be used, with all other characters
being HTML encoded prior to being sent in response to the client.
Review the "Cross-Site Scripting", "Data Validation", and "Review
Code for Cross-site scripting" pages on OWASP.org (see the reference
links in this finding).

In a previous post, I was directed to install Urlscan, which I have:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_24975053.html#a26095954

I was also directed to this "how to" website.
http://support.microsoft.com/kb/326444/EN-US/

I just installed it and it took down my web pages entirely. Nothing works.

Also, I don't find anything in there about cross-site scripting or XSS. I'm afraid to touch the Urlscan.ini file and reset my server, because I don't want to block anything. I see that by default, it seems to have everything blocked, including asp classic pages.

I have added the .asp to the allowed pages and reset IIS. But please tell me what else I need so as not to break anything.
I also use IRC chat and java applets.

[options]

UseAllowVerbs=1                ; If 1, use [AllowVerbs] section, else use the
                               ; [DenyVerbs] section.

UseAllowExtensions=0           ; If 1, use [AllowExtensions] section, else use
                               ; the [DenyExtensions] section.

NormalizeUrlBeforeScan=1       ; If 1, canonicalize URL before processing.

VerifyNormalization=1          ; If 1, canonicalize URL twice and reject request
                               ; if a change occurs.

AllowHighBitCharacters=0       ; If 1, allow high bit (ie. UTF8 or MBCS)
                               ; characters in URL.

AllowDotInPath=0               ; If 1, allow dots that are not file extensions.

RemoveServerHeader=0           ; If 1, remove the 'Server' header from response.

EnableLogging=1                ; If 1, log UrlScan activity.

PerProcessLogging=0            ; If 1, the UrlScan.log filename will contain a PID
                               ; (ie. UrlScan.123.log).

AllowLateScanning=0            ; If 1, then UrlScan will load as a low priority
                               ; filter.

PerDayLogging=1                ; If 1, UrlScan will produce a new log each day with
                               ; activity in the form 'UrlScan.010101.log'.

UseFastPathReject=0            ; If 1, then UrlScan will not use the
                               ; RejectResponseUrl or allow IIS to log the request.

LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
                               ; If 0, then only 1k is allowed.

;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/<Rejected-by-UrlScan>' will be used.
;

RejectResponseUrl=

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created.  This value should be the absolute path
; (ie. c:\some\path).  If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;

LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs

;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;

AlternateServerName=

[RequestLimits]

;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header.  For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
;   Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0').  Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
;   - MaxAllowedContentLength specifies the maximum allowed
;     numeric value of the Content-Length request header.  For
;     example, setting this to 1000 would cause any request
;     with a content length that exceeds 1000 to be rejected.
;     The default is 30000000.
;
;   - MaxUrl specifies the maximum length of the request URL,
;     not including the query string. The default is 260 (which
;     is equivalent to MAX_PATH).
;
;   - MaxQueryString specifies the maximum length of the query
;     string.  The default is 2048.
;

MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]

;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;

Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]

;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings.  If you wish to enable ASP, remove the
; following extensions from this list:
;    .asp
;    .cer
;    .cdx
;    .asa
;

; Deny ASP requests
.cer
.cdx
.asa

; Deny executables that could run on the server
.exe
.bat
.cmd
.com

; Deny infrequently used scripts
.htw     ; Maps to webhits.dll, part of Index Server
.ida     ; Maps to idq.dll, part of Index Server
.idq     ; Maps to idq.dll, part of Index Server
.htr     ; Maps to ism.dll, a legacy administrative tool
.idc     ; Maps to httpodbc.dll, a legacy database access tool
.shtm    ; Maps to ssinc.dll, for Server Side Includes
.shtml   ; Maps to ssinc.dll, for Server Side Includes
.stm     ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini     ; Configuration files
.log     ; Log files
.pol     ; Policy files
.dat     ; Configuration files

[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
Asked by Starr Duskk (ASP.NET VB.NET Developer)

Rovastar commented:
The URLScan log file in LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs will tell you what it blocked.


The allow extension section is for allowing extensions.
[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.htm
.html
.txt
.jpg
.jpeg
.gif


And the
[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request

Will block some URLs. You might have some of these in your valid URL.

Adding  
<   ; Don't allow < used for XXS
>   ; Don't allow > used for XXS
 to this section will block the XSS attacks.

However, you should protect all text boxes with code validation to remove dodgy characters rather than rely on URLScan. URLScan is an extra thing and can have some issues unless you test it properly.

Hope that helps

Starr Duskk (author) commented:
I added this under the denyurlsequences last night. Then IISRESET, then instructed for rescan, and they still got through with their test and it failed the test:
<   ; Don't allow < used for XXS
>   ; Don't allow > used for XXS
The test consisted of this:

';#!--"<>=[]:{()}&

';!--"<>=[]:{()}

<ScRipT >alert('test');</ScRipT >
 They are sending this in the content of my contact us form. I have typed it in there myself, and yes, when I submit the form, the alert pops up.
How do I turn this section on? Is it off now?
 
Starr Duskk (author) commented:
One thing I didn't do was run the urlscan.exe again after I made the change. I'm going to try that, and reset IIS and rescan and see.
So I'm assuming after a change to the ini, you must run the urlscan.exe again? I did last time. Let's see.
 
Rovastar commented:
Wait a sec.

Before running it try to get to run in logging only mode.

This way it will just log the rejected requests and the site will work normally. You can then see where the problem occurs.

http://support.microsoft.com/kb/326444

If you set RejectResponseUrl to the special value of /~*, URLScan uses logging-only mode. This permits IIS to serve all requests, but it adds an entry to the URLScan log for any requests that are typically blocked. This is useful if you want to test your URLScan.ini file.

-----

Yeah, edit the urlscan.ini and try again. :) Spend a little time though and read through the urlscan documentation and about XSS to see what is possible.
Starr Duskk (author) commented:
It failed the test again, but it looks like it is not failing on the characters <>, but rather the html versions of them:
They're inputting this: %3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E
And on form submittal, it generates the alert. How do I fix that?

Evidence:

" HTTP Request Mode: POST
" HTTP Status Code: 200
" Test Input String: %3CScRipT%20%3Ealert%28%27test
%27%29%3B%3C%2FScRipT%20%3E
" Search Pattern: <ScRipT >alert('test');</ScRipT > 
" Pattern Match: <ScRipT >alert('test');</ScRipT > 
Thanks!
Starr Duskk (author) commented:
can you please assist me with the above?
thanks.
 
Starr Duskk (author) commented:
is something in there blocking my IRC chat room as well?
 
Rovastar commented:
URLScan does not work for every XSS situation, but it can help with many.

Really you need to sanitise your input boxes and stop them accepting dodgy characters.

Anyway, I thought the URL normalization would stop this anyway; if it doesn't, try banning the URL-encoded versions of < and >
as in

%3C
and
%3E
Starr Duskk (author) commented:
Ok, I'll try that. I didn't know that it could take multiple characters.
thanks!
 
Starr Duskk (author) commented:
Well, I got it all figured out! I had to also manually check for request.form and request.querystring data on the server side and strip out those chars and "script" and "iframe" but I've now passed compliance!
 
Yay, couldn't have done it without you! And you saved me $30 because they charge you a fee of $30 for every month you aren't compliant. So I made it down to the wire. thanks!
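The gap this thread ran into, as an added example (not code from the question, the answers or URLScan itself): URLScan is an ISAPI filter that examines the request URL and headers, never the POST body, so a payload typed into the contact form never meets [DenyUrlSequences] at all, and IIS decodes %3C back to a literal < before Request.Form hands it to the page. The code below models the DenyUrlSequences check with NormalizeUrlBeforeScan=1 (a simplification, not URLScan's code), shows the form value as the ASP page receives it, and applies the allow-list encoding the finding's remediation advice describes; the allow-list, the field name c and the length limit are assumptions, and the payload strings are the ones quoted in the thread.

```python
import string
from urllib.parse import parse_qs, unquote

# DenyUrlSequences from the urlscan.ini quoted in the question, plus the
# '<' and '>' entries added during the thread (constructed from the page).
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "%", "&", "<", ">"]

# The scanner's test input in the two forms quoted in the thread.
RAW_PAYLOAD = "<ScRipT >alert('test');</ScRipT >"
ENCODED_PAYLOAD = "%3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E"

# Hypothetical allow-list for a contact-form comment field (an assumption).
ALLOWED_CHARS = set(string.ascii_letters + string.digits + " .,!?@-_\r\n")


def urlscan_would_reject(request_url: str, normalize: bool = True) -> bool:
    """Simplified model (not URLScan's own code) of the DenyUrlSequences check.
    With NormalizeUrlBeforeScan=1 the URL is percent-decoded before the
    sequences are compared, so %3C is matched as '<'. Only the URL from the
    request line is examined; a POST body never reaches this check."""
    url = unquote(request_url) if normalize else request_url
    return any(seq in url for seq in DENY_URL_SEQUENCES)

def form_field_as_the_page_sees_it(post_body: str, field: str) -> str:
    """Decode an application/x-www-form-urlencoded body the way Request.Form
    does: an encoded %3C reaches the ASP page as a literal '<'."""
    return parse_qs(post_body, keep_blank_values=True).get(field, [""])[0]

def encode_for_html(value: str) -> str:
    """Allow-list encoder as the finding's remediation advice describes:
    allow-listed characters pass through, every other character (including
    '&', so the output can never be mis-decoded) becomes a numeric entity."""
    return "".join(c if c in ALLOWED_CHARS else f"&#{ord(c)};" for c in value)

def render_comment(form_value: str, max_len: int = 2000) -> str:
    """Server-side handling of the submitted field: reject over-length input,
    then encode on output so the browser displays the text instead of running it."""
    if len(form_value) > max_len:
        raise ValueError(f"comment exceeds {max_len} characters")
    return "<p>" + encode_for_html(form_value) + "</p>"

if __name__ == "__main__":
    # In the URL the payload is rejected; in the form body it is not scanned
    # at all and reaches the page as a raw '<', so the page must encode it.
    print(urlscan_would_reject("/contact.asp?c=" + ENCODED_PAYLOAD))  # True
    seen = form_field_as_the_page_sees_it("c=" + ENCODED_PAYLOAD, "c")
    print(seen == RAW_PAYLOAD)  # True
    print(render_comment(seen))
```

Encoding every character outside the allow-list covers tag names, attributes and event handlers alike, which a deny-list of specific words such as "script" or "iframe" does not.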
Starr Duskk (author) commented:
thanks!