IIS 5 and URLScan with ASP web pages cross-site scripting fix.

Posted on 2009-12-21
Last Modified: 2012-05-08
I have just installed URLSCAN on my IIS 5 web server in an attempt to resolve the following problem:


Cross-Site Scripting (XSS)
Cross-site scripting is a term used to describe problems which arise
when maliciously crafted user data causes a web application to redirect
an unsuspecting web browser to an undesired site. It was
possible to send strings with special HTML characters ( < > " ' )
to your web application, and see them rendered in the response.
Since these characters were not encoded by the web application,
it may be possible to inject HTML scripting code into the rendered
page. The injections can occur in your HTML body, Title, Scripting,
or even commented out portions of the document. Note: Due to the
potential negative impact on this web server's resources that could
result from attacking a large number of cross-site scripting attack
vectors, TrustKeeper abandons this test after it has found at least three
instances where user input is not being properly sanitized. Therefore,
it is possible that the reported findings associated with this vulnerability
are only a subset of all possible attack vectors.
Note: All Cross-Site Scripting vulnerabilities are considered noncompliant
by PCI.
Service: (80) Microsoft-IIS/5.0
Evidence:
- Date: 2009-11-30 15:02:15.905
- HTTP Request Mode: POST
- HTTP Status Code: 200


The remediation action says to do this:

This is a generic warning based on a test that indicates that your web
application may not validate user-provided input, such as that provided
by a form. Review your web application to ensure that user data is
checked on the server side of the application (NOT in the web browser)
for proper length and character content. It is recommended that a
white-list of acceptable characters be used, with all other characters
being HTML encoded prior to being sent in response to the client.
Review the "Cross-Site Scripting", "Data Validation", and "Review
Code for Cross-site scripting" pages on OWASP.org (see the reference
links in this finding).

In a previous post, I was directed to install Urlscan, which I have:
http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_24975053.html#a26095954

I was also directed to this "how to" website.
http://support.microsoft.com/kb/326444/EN-US/

I just installed it and it took down my web pages entirely. Nothing works.

Also, I don't find anything in there about cross-site scripting or XSS. I'm afraid to touch the Urlscan.ini file and reset my server, because I don't want to block anything. I see that by default, it seems to have everything blocked, including asp classic pages.

I have added the .asp to the allowed pages and reset IIS. But please tell me what else I need so as not to break anything.
I also use IRC chat and java applets.

[options]

UseAllowVerbs=1                ; If 1, use [AllowVerbs] section, else use the
                               ; [DenyVerbs] section.

UseAllowExtensions=0           ; If 1, use [AllowExtensions] section, else use
                               ; the [DenyExtensions] section.

NormalizeUrlBeforeScan=1       ; If 1, canonicalize URL before processing.

VerifyNormalization=1          ; If 1, canonicalize URL twice and reject request
                               ; if a change occurs.

AllowHighBitCharacters=0       ; If 1, allow high bit (ie. UTF8 or MBCS)
                               ; characters in URL.

AllowDotInPath=0               ; If 1, allow dots that are not file extensions.

RemoveServerHeader=0           ; If 1, remove the 'Server' header from response.

EnableLogging=1                ; If 1, log UrlScan activity.

PerProcessLogging=0            ; If 1, the UrlScan.log filename will contain a PID
                               ; (ie. UrlScan.123.log).

AllowLateScanning=0            ; If 1, then UrlScan will load as a low priority
                               ; filter.

PerDayLogging=1                ; If 1, UrlScan will produce a new log each day with
                               ; activity in the form 'UrlScan.010101.log'.

UseFastPathReject=0            ; If 1, then UrlScan will not use the
                               ; RejectResponseUrl or allow IIS to log the request.

LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
                               ; If 0, then only 1k is allowed.

;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/<Rejected-by-UrlScan>' will be used.
;

RejectResponseUrl=

;
; LoggingDirectory can be used to specify the directory where the
; log file will be created.  This value should be the absolute path
; (ie. c:\some\path).  If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;

LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs

;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;

AlternateServerName=

[RequestLimits]

;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header.  For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
;   Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0').  Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
;   - MaxAllowedContentLength specifies the maximum allowed
;     numeric value of the Content-Length request header.  For
;     example, setting this to 1000 would cause any request
;     with a content length that exceeds 1000 to be rejected.
;     The default is 30000000.
;
;   - MaxUrl specifies the maximum length of the request URL,
;     not including the query string. The default is 260 (which
;     is equivalent to MAX_PATH).
;
;   - MaxQueryString specifies the maximum length of the query
;     string.  The default is 2048.
;

MaxAllowedContentLength=30000000
MaxUrl=260
MaxQueryString=2048

[AllowVerbs]

;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;

GET
HEAD
POST

[DenyVerbs]

;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;

PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH

[DenyHeaders]

;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;

Translate:
If:
Lock-Token:
Transfer-Encoding:

[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.htm
.html
.txt
.jpg
.jpeg
.gif

[DenyExtensions]

;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings.  If you wish to enable ASP, remove the
; following extensions from this list:
;    .asp
;    .cer
;    .cdx
;    .asa
;

; Deny ASP requests
.cer
.cdx
.asa

; Deny executables that could run on the server
.exe
.bat
.cmd
.com

; Deny infrequently used scripts
.htw     ; Maps to webhits.dll, part of Index Server
.ida     ; Maps to idq.dll, part of Index Server
.idq     ; Maps to idq.dll, part of Index Server
.htr     ; Maps to ism.dll, a legacy administrative tool
.idc     ; Maps to httpodbc.dll, a legacy database access tool
.shtm    ; Maps to ssinc.dll, for Server Side Includes
.shtml   ; Maps to ssinc.dll, for Server Side Includes
.stm     ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services

; Deny various static files
.ini     ; Configuration files
.log     ; Log files
.pol     ; Policy files
.dat     ; Configuration files

[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request
Question by:Starr Duskk

11 Comments
LVL 17

Accepted Solution

by:
Rovastar earned 2000 total points
ID: 26109443
The URLScan log file in LoggingDirectory=C:\WINNT\system32\inetsrv\urlscan\logs will tell you what it blocked.


The allow extension section is for allowing extensions.
[AllowExtensions]

;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;

.asp
.htm
.html
.txt
.jpg
.jpeg
.gif


And the
[DenyUrlSequences]
..  ; Don't allow directory traversals
./  ; Don't allow trailing dot on a directory name
\   ; Don't allow backslashes in URL
:   ; Don't allow alternate stream access
%   ; Don't allow escaping after normalization
&   ; Don't allow multiple CGI processes to run on a single request

Will block some URLs. You might have some of these in your valid URL.

Adding  
<   ; Don't allow < used for XSS
>   ; Don't allow > used for XSS
 to this section will block the XSS attacks.

However, you should protect all text boxes with code validation to remove dodgy characters rather than rely on URLScan. URLScan is an extra layer and can have some issues unless you test it properly.

Hope that helps

0
 
LVL 2

Author Comment

by:Starr Duskk
ID: 26112864
I added this under the [DenyUrlSequences] section last night. Then IISRESET, then requested a rescan, and they still got through with their test and it failed the test:
<   ; Don't allow < used for XSS
>   ; Don't allow > used for XSS
The test consisted of this:

';#!--"<>=[]:{()}&

';!--"<>=[]:{()}

<ScRipT >alert('test');</ScRipT >
 They are sending this in the content of my contact us form. I have typed it in there myself, and yes, when I submit the form, the alert pops up.
How do I turn this section on? Is it off now?
 
0
 
LVL 2

Author Comment

by:Starr Duskk
ID: 26112917
one thing I didn't do was run the urlscan.exe again after I made the change. I'm going to try that, and reset iis and rescan and see.
So i'm assuming after a change to the ini, you must run the urlscan.exe again? I did last time. Let's see.
 
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 26113520
Wait a sec.

Before running it try to get to run in logging only mode.

This way it will just log the rejected requests and the site will work normally. You can then see where the problems occur.

http://support.microsoft.com/kb/326444

If you set RejectResponseUrl to the special value of /~*, URLScan uses logging-only mode. This permits IIS to serve all requests, but it adds an entry to the URLScan log for any requests that are typically blocked. This is useful if you want to test your URLScan.ini file.

-----

Yeah, edit the urlscan.ini and try again. :) Spend a little time though: read through the urlscan documentation and about XSS to see what is possible.
0
 
LVL 2

Author Comment

by:Starr Duskk
ID: 26119137
It failed the test again, but it looks like it is not failing on the characters <>, but rather the html versions of them:
They're inputting this: %3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E
And on form submittal, it generates the alert. How do I fix that?

Evidence:

- HTTP Request Mode: POST
- HTTP Status Code: 200
- Test Input String: %3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E
- Search Pattern: <ScRipT >alert('test');</ScRipT >
- Pattern Match: <ScRipT >alert('test');</ScRipT >
Thanks!
0
 
LVL 2

Author Comment

by:Starr Duskk
ID: 26122829
can you please assist me with the above?
thanks.
 
0
 
LVL 2

Author Comment

by:Starr Duskk
ID: 26123968
is something in there blocking my IRC chat room as well?
 
0
 
LVL 17

Expert Comment

by:Rovastar
ID: 26138105
URLScan does not work for every XSS situation, but it can help with many.

Really you need to sanitise your input boxes and stop them accepting dodgy characters.

Anyway, I thought the URL normalization would stop this; if it doesn't, try banning the URL-encoded versions of < and >
as in

%3C
and
%3E
0
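The thread lands on two separate layers: URLScan's [DenyUrlSequences], which the accepted answer suggests extending with < and >, and server-side validation plus HTML encoding of the form field itself, which the scanner's remediation text and the later comments about the URL-encoded payload (%3CScRipT...) both point to. This added Python example (not code from the thread, from URLScan or from the asker's site) simulates both and shows why the second one is what actually neutralises the contact-form test string. Assumptions: the URLScan approximation matches the sequences against the request path after one round of decoding, the name whitelist is a constructed character set, and `html.escape` stands in for classic ASP's `Server.HTMLEncode(Request.Form("message"))`.

```python
import re
from html import escape
from urllib.parse import parse_qs, quote, unquote, urlsplit

# [DenyUrlSequences] entries from the thread's urlscan.ini, plus the '<' and
# '>' lines from the accepted answer and the %3C / %3E lines suggested later.
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "%", "&", "<", ">", "%3C", "%3E"]

# Whitelist for a short free-text field such as a name (constructed: the
# remediation text asks for a whitelist, the exact character set is ours).
NAME_WHITELIST = re.compile(r"[A-Za-z0-9 .,'-]{1,80}")


def urlscan_would_reject(request_target: str) -> bool:
    """Approximate URLScan's sequence check. Assumption: the sequences are
    matched against the request path after one round of decoding, which is
    what NormalizeUrlBeforeScan=1 implies. A POST body is not part of the
    URL, so the contact form's message field never reaches this check."""
    normalized_path = unquote(urlsplit(request_target).path)
    return any(seq in normalized_path for seq in DENY_URL_SEQUENCES)


def name_is_valid(value: str) -> bool:
    """Server-side whitelist check: reject anything outside the allowed set."""
    return NAME_WHITELIST.fullmatch(value) is not None


def handle_contact_post(request_target: str, body: str) -> str:
    """Simulated contact.asp handler. The field is HTML-encoded when it is
    written back into the page; in classic ASP the equivalent call is
    Server.HTMLEncode(Request.Form("message"))."""
    if urlscan_would_reject(request_target):
        return "<!-- rejected by UrlScan -->"
    fields = parse_qs(body, keep_blank_values=True)
    message = fields.get("message", [""])[0]
    return "<p>You wrote: " + escape(message, quote=True) + "</p>"


def echoes_raw_markup(rendered: str) -> bool:
    """Review check over rendered output: any '<' or '>' left inside the user
    portion of the template means the field was not encoded."""
    user_part = rendered[len("<p>You wrote: "):-len("</p>")]
    return "<" in user_part or ">" in user_part


# Constructed request bodies reproducing the scanner's test strings above.
SCANNER_BODY = "message=%3CScRipT%20%3Ealert%28%27test%27%29%3B%3C%2FScRipT%20%3E"
PUNCT_BODY = "message=" + quote("';#!--\"<>=[]:{()}&")
```

Running `handle_contact_post("/contact.asp", SCANNER_BODY)` shows the request URL passing the sequence check untouched while the rendered page carries only `&lt;ScRipT &gt;...`, so no alert fires; the `echoes_raw_markup` check is the kind of assertion a scanner-style test of the page's own output can use.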
 
LVL 2

Author Comment

by:Starr Duskk
ID: 26138723
Ok, I'll try that. I didn't know that it could take multiple characters.
thanks!
 
0
 
LVL 2

Author Comment

by:Starr Duskk
ID: 26156259
Well, I got it all figured out! I had to also manually check for request.form and request.querystring data on the server side and strip out those chars and "script" and "iframe" but I've now passed compliance!
 
Yay, couldn't have done it without you! And you saved me $30 because they charge you a fee of $30 for every month you aren't compliant. So I made it down to the wire. Thanks!
0
 
LVL 2

Author Closing Comment

by:Starr Duskk
ID: 31668830
thanks!
0
