jimmylew52


how to filter metacharacters from user input iis 7.5

I am trying to prevent cross site scripting and I am told I need to filter metacharacters from user input.
I am using IIS 7.5 and it seems this should be done in the default site > request filtering section. I get to "request filtering > rules > Add filtering rule", I check "Scan query string" and give the rule a name, but I am lost from there. I assume I add the metacharacters to the deny strings section, but do I add one per line, all on one line, or what?

Any help will be greatly appreciated.
btan

You may want to check this out to include in a request filter rule, but in general the prevention is via:
Encode output based on input parameters.
Filter input parameters for special characters.
Filter output based on input parameters for special characters.

Filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream.
> Special characters include these, e.g. < > " ' % ; ) ( & + -

Do kindly see this for more: http://support.microsoft.com/kb/252985
And also find out more here, e.g. an SQL sample is shared that you can use or add to as required: http://www.iis.net/configreference/system.webserver/security/requestfiltering/filteringrules

There is another sample below which also filters out <Script> and </script> type strings under query sequences:
http://www.cloudscan.me/2010/09/iis7-example-url-request-filtering-for.html
jimmylew52 (ASKER)
Thank You for your response.

I have seen these. The question is do I enter each metacharacter on a line or how are they entered?
btan

Did you check out the SQLi? The main configuration for this feature is the filteringRules section under the system.webServer/security/requestFiltering section in the ApplicationHost.config file or in the Web.config file. You can specify rules to reject requests based on patterns that are matched against certain parts of an HTTP request.

Please see the sample code below:
http://www.iis.net/learn/manage/configuring-security/using-enhanced-request-filtering-features-in-iis
http://www.iis.net/learn/manage/configuring-security/use-request-filtering

To deny a list of URL sequences for all requests create a denyQueryStringSequences section and add the list of strings you want to disallow in the URL of your requests. The deny list is case insensitive and allows encoded values of the format %XX, where XX are hexadecimal digits. In the event of a denied condition HTTP Error 404.18 is raised.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyQueryStringSequences>
          <add sequence=".." />
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>



So if someone were to send a request like http://www.foo.com/id=%3C%53%43%52%49%50%54%3E where the <script> sequence has been escaped, we would like to check the un-escaped version of this query string as well:
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /unescapeQueryString:"True"
<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="script" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration> 


jimmylew52 (ASKER)

Entering in the IIS 7 GUI seems to be worthless. I am able to add sections to the web.config file ok.

How would I know what sequences to deny?  If I add % or ? the login page does not show up, I am sure because it is

Login.aspx?ReturnUrl=%2f
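To see which requests a given deny list would block, here is an added Python model of the denyQueryStringSequences matching as this thread describes it (case-insensitive substring match, with the %XX-decoded query string also checked when unescapeQueryString="true"). It is illustrative code written for this page, not IIS's own logic or anything from the thread; the sample URLs and the audit helper are constructed, and the deny list is the one from the web.config samples above.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample URLs: a legitimate login redirect (encoded "/"),
# and an encoded <script> probe in a query parameter.
LOGIN_URL = "http://www.example.com/Login.aspx?ReturnUrl=%2f"
PROBE_URL = "http://www.example.com/page.aspx?id=%3C%53%43%52%49%50%54%3E"

# Sequences taken from the web.config samples in this thread.
DENY_SEQUENCES = ["..", "./", "script"]


def matched_deny_sequence(url, deny_sequences, unescape_query_string=True):
    """Return the first deny sequence found in the URL's query string, else None.

    Hypothetical model of requestFiltering/denyQueryStringSequences as the
    thread describes it: matching is case-insensitive substring matching, and
    with unescapeQueryString="true" the %XX-decoded query string is checked
    in addition to the raw one. Not IIS's own implementation.
    """
    raw = urlsplit(url).query
    candidates = [raw.lower()]
    if unescape_query_string:
        candidates.append(unquote(raw).lower())
    for seq in deny_sequences:
        needle = seq.lower()
        if any(needle in candidate for candidate in candidates):
            return seq
    return None


def audit(urls, deny_sequences, unescape_query_string=True):
    """Map each URL to the status the thread says IIS returns: "200" or "404.18".

    Run this over a site's known-good URLs before deploying a deny list, so a
    sequence that also occurs in legitimate traffic is caught in advance.
    """
    result = {}
    for url in urls:
        hit = matched_deny_sequence(url, deny_sequences, unescape_query_string)
        result[url] = "404.18" if hit else "200"
    return result


if __name__ == "__main__":
    for url, status in audit([LOGIN_URL, PROBE_URL], DENY_SEQUENCES).items():
        print(status, url)
    # A bare "%" as a deny sequence also blocks the login redirect:
    print(audit([LOGIN_URL], ["%"]))
```

The probe is only caught once the query string is unescaped (the raw form contains no "script"), while denying "%" or "=" also denies the login URL, which is the reason a deny list must be checked against legitimate URLs first.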
ASKER CERTIFIED SOLUTION
btan
jimmylew52 (ASKER)

Thanks btan, that explains enough of what I needed to know. I can now configure either the web.config file or make entries in the IIS 7.5 GUI.

For anyone else confused by the IIS 7.5 GUI: these entries are made here: Default web site > IIS > Request Filtering > Query Strings tab. Click on Deny Query String, and in the Query String box type the string you want to deny.

Typing ./ in the Query String box is the same as making this entry in the web.config file: <add sequence="./" />

<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Since my login URL contains Login.aspx?ReturnUrl=%2f I am not able to deny ? or = or %. I tried allowing the sequence and denying the individual characters, but that denied me access to the login page.
In answer to my question: yes, each character or string of characters has to be added as its own entry in Query Strings, not in Rules like I thought.
Thanks for your patience btan.

btan

Thanks for sharing, glad to have helped.