How to filter metacharacters from user input in IIS 7.5

I am trying to prevent cross-site scripting and I am told I need to filter metacharacters from user input.
I am using IIS 7.5 and it seems this should be done in the Default Web Site > Request Filtering section. I get to "Request Filtering > Rules > Add Filtering Rule", I check "Scan query string" and give the rule a name, but I am lost from there. I assume I add to the Deny Strings section and add the metacharacters, but do I add one to each line, all in one line, or what?

Any help will be greatly appreciated.
jimmylew52 (Author) Asked:
btan (Exec Consultant) Commented:
You may want to check this out to include in the request filter rule, but in general the prevention is via:
Encode output based on input parameters.
Filter input parameters for special characters.
Filter output based on input parameters for special characters.

Filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream.
> Special characters include these e.g.  < > " ' % ; ) ( & + -

Do kindly see this for more: http://support.microsoft.com/kb/252985
And also find out more, e.g. an SQL sample is shared; you can use it or add on as required: http://www.iis.net/configreference/system.webserver/security/requestfiltering/filteringrules

There is another sample below which also filters out <Script> and </script> type entries under query sequences:
http://www.cloudscan.me/2010/09/iis7-example-url-request-filtering-for.html
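As an added illustration of the difference between the "filter input" and "encode output" bullets in the answer above (example code added by the editor; it is not from btan's answer or the original post), the Python below applies the answer's list of special characters as a strip-on-input blocklist and compares it with HTML output encoding at the point of rendering. The character set and the Login.aspx?ReturnUrl=%2f URL are taken from this thread; the function names and the sample comment strings are the example's own.

```python
import html

# The characters btan's answer lists as "special characters" that let
# script be generated inside an HTML stream.
SPECIAL_CHARS = set('<>"\'%;)(&+-')


def strip_special_chars(value: str) -> str:
    """Input filtering: drop every listed metacharacter from the input.

    This is the 'filter input parameters' approach.  It is lossy: any
    legitimate value that contains one of these characters is mangled.
    """
    return ''.join(ch for ch in value if ch not in SPECIAL_CHARS)


def render_unsafe(comment: str) -> str:
    """Vulnerable rendering: user data is concatenated straight into HTML."""
    return '<p class="comment">' + comment + '</p>'


def render_encoded(comment: str) -> str:
    """Hardened rendering: encode for the HTML text context at the output point.

    html.escape(quote=True) turns & < > " ' into entities, so the browser
    shows the characters literally and never parses them as markup.  The
    stored value itself is left untouched.
    """
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'


def contains_raw_tag(fragment: str, tag: str = '<script>') -> bool:
    """Demo check: did a raw tag survive into the rendered output?"""
    return tag.lower() in fragment.lower()


if __name__ == '__main__':
    # Constructed sample inputs: one attack payload, two legitimate values.
    samples = [
        '<script>alert(1)</script>',
        "O'Brien & Sons",
        '/Login.aspx?ReturnUrl=%2f',   # the redirect URL from this thread
    ]
    for s in samples:
        print('input   :', s)
        print('stripped:', strip_special_chars(s))
        print('unsafe  :', render_unsafe(s), '(raw tag:', contains_raw_tag(render_unsafe(s)), ')')
        print('encoded :', render_encoded(s), '(raw tag:', contains_raw_tag(render_encoded(s)), ')')
        print()
```

Note what the blocklist does to the legitimate inputs: the apostrophe and ampersand vanish from the name, and ReturnUrl=%2f becomes ReturnUrl=2f, which is exactly the kind of breakage the login page runs into later in this thread. Output encoding keeps the stored value intact and only changes how it is rendered, which is why encoding at the output point is the primary XSS defence and input filtering is a supplementary control.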
jimmylew52 (Author) Commented:
Thank You for your response.

I have seen these. The question is do I enter each metacharacter on a line or how are they entered?
btan (Exec Consultant) Commented:
Did you check out the SQLi sample? The main configuration for this feature is the filteringRules section under the system.webServer/security/requestFiltering section in the ApplicationHost.config file or in the Web.config file. You can specify rules to reject requests based on patterns that are matched against certain parts of an HTTP request.

Please see the sample code below:
http://www.iis.net/learn/manage/configuring-security/using-enhanced-request-filtering-features-in-iis
http://www.iis.net/learn/manage/configuring-security/use-request-filtering

To deny a list of URL sequences for all requests create a denyQueryStringSequences section and add the list of strings you want to disallow in the URL of your requests. The deny list is case insensitive and allows encoded values of the format %XX, where XX are hexadecimal digits. In the event of a denied condition HTTP Error 404.18 is raised.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyQueryStringSequences>
          <add sequence=".." />
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>



So if someone were to send a request like http://www.foo.com/id=%3C%53%43%52%49%50%54%3E where the <script> sequence has been escaped, we would like to check the un-escaped version of this query string as well:
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /unescapeQueryString:"True"
<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="script" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration> 



jimmylew52 (Author) Commented:
Entering in the IIS 7 GUI seems to be worthless. I am able to add sections to the web.config file ok.

How would I know what sequences to deny? If I add % or ? the login page does not show up; I am sure it is because the URL is

Login.aspx?ReturnUrl=%2f
btan (Exec Consultant) Commented:
When request filtering blocks an HTTP request, IIS will return an HTTP 404 error to the client and log the HTTP status with a unique substatus that identifies the reason that the request was denied. Please see the link below for details, especially the example for IIS 7.5.
<denyUrlSequences> - This element can contain a collection of URL sequence patterns that IIS 7 will deny; for example: you can deny parts of URL sequences that an attacker might try to exploit.
<denyQueryStringSequences> - This element was added in IIS 7.5. and can contain a collection of query string sequences that request filtering will always deny. This allows administrators to block potentially dangerous query string sequences that they detect.
http://www.iis.net/configreference/system.webserver/security/requestfiltering

Denies access to two URL sequences. The first sequence prevents directory traversal and the second sequence prevents access to alternate data streams.
Denies access to unlisted file name extensions and unlisted HTTP verbs.
Sets the maximum length for a URL to 2KB and the maximum length for a query string to 1KB.
<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <denyUrlSequences>
               <add sequence=".." />
               <add sequence=":" />
            </denyUrlSequences>
            <fileExtensions allowUnlisted="false" />
            <requestLimits maxUrl="2048" maxQueryString="1024" />
            <verbs allowUnlisted="false" />
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>


The following code samples demonstrate how to deny access to three URL sequences for the Default Web Site: directory traversals (".."), alternate data streams (":"), and backslashes ("\").
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='..']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence=':']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='\']" 


Or simply you may want to check out URLScan, which also rejects HTTP requests based on the following criteria. UrlScan 3.1 and UrlScan 3.0 are supported on IIS 5.1, IIS 6.0, and IIS 7.0 and above.
http://blogs.technet.com/b/security/archive/2013/01/22/microsoft-s-free-security-tools-urlscan-security-tool.aspx
http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-faq

The HTTP request method or verb
The file name extension of the requested resource
Suspicious URL encoding
Presence of non-ASCII characters in the URL
Presence of specified character sequences in the URL
Presence of specified headers in the request

URLScan also has "DenyUrlSequences"
This option allows you to specify a list of characters to be rejected in the URL. The default options here are "..", "./", "\", ":", "%" and "&". Additional values recommended to add to this list are "#", "<", ">", "$", "@", "!", "," and "~". This option could help prevent different attacks against the site including cross site scripting attacks on the URL.

More info on URLScan
Urlscan consists of two key files: urlscan.dll and urlscan.ini which reside in the %systemroot%\inetsrv\Urlscan directory. The default urlscan.ini is archived here.

Urlscan.dll is an ISAPI filter that is self-registered when installed through IIS Lockdown/Urlscan. It can be manually registered through the Internet Services Manager interface as well. It pre-processes all requests to the IIS server looking for malicious input as defined in the Urlscan.ini configuration file. Rejected requests are logged to the Urlscan.log file located in the same directory as the other Urlscan files.

The Urlscan.ini file holds the key to successful prevention of attacks against the IIS server. The remainder of this article thus focuses on these configurations due to their paramount importance.

The Urlscan.ini file has two main parts: options and implementation. The options part of the file allows the user to enable or disable a particular option while the latter supports the actual configuration of the enabled options.
jimmylew52 (Author) Commented:
Thanks btan, that explains enough of what I needed to know. I can now configure either the web.config file or make entries in IIS 7.5 GUI.

For anyone else confused by the IIS 7.5 GUI:     These entries are made here:    Default web site  >  IIS  >  Request Filtering  >  Query Strings tab. Click on Deny Query String, in the Query String box type the string you want to deny.

Typing  ./  in the Query String box is the same as making this entry in the web.config file:  <add sequence="./" />

<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Since my login url contains  Login.aspx?ReturnUrl=%2f    I am not able to deny  ? or = or %. I tried allowing the sequence and denying the  individual characters but that denied me access to the login page.
jimmylew52 (Author) Commented:
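To see how the settings discussed in this thread combine, here is a small Python model of IIS request filtering, added as an example; it is not IIS code and not btan's or the author's, and it simplifies what IIS really does. It matches denyUrlSequences against the path and denyQueryStringSequences against the query string, both raw and, when unescapeQueryString is true, after %XX-decoding, and applies requestLimits and an allowed-verbs set. The check order is the model's own assumption; the substatus codes 404.5, 404.6, 404.14, 404.15 and 404.18 are the ones IIS logs for these denials, and the defaults for maxUrl, maxQueryString and unescapeQueryString are IIS's documented defaults. The request URLs in the demo are constructed; the encoded-query case follows the %3C%53%43%52%49%50%54%3E example from btan's answer but with a ? added so the sequence actually sits in the query string rather than the path. The demo also reproduces the collision the author hit: denying % as a query sequence blocks Login.aspx?ReturnUrl=%2f, while denying ./ or script does not.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class RequestFilteringConfig:
    """The <requestFiltering> settings this model understands."""
    deny_url_sequences: List[str] = field(default_factory=list)           # <denyUrlSequences>
    deny_query_string_sequences: List[str] = field(default_factory=list)  # <denyQueryStringSequences>
    unescape_query_string: bool = True                                    # unescapeQueryString (IIS default: true)
    max_url: int = 4096                                                   # <requestLimits maxUrl> default
    max_query_string: int = 2048                                          # <requestLimits maxQueryString> default
    allowed_verbs: Optional[Set[str]] = None                              # None = <verbs allowUnlisted="true">


def _matches(sequence: str, candidates: List[str]) -> bool:
    """Deny lists are case-insensitive and a sequence may be written %XX-encoded."""
    needle = unquote(sequence).lower()
    return any(needle in c.lower() for c in candidates)


def evaluate(cfg: RequestFilteringConfig, method: str, raw_url: str) -> Tuple[int, Optional[str]]:
    """Return (http_status, substatus); (200, None) means the request passes.

    The substatus strings are the IIS request-filtering values; the order
    in which the checks run here is this model's assumption, not IIS's.
    """
    parts = urlsplit(raw_url)
    path, query = parts.path, parts.query
    if len(raw_url) > cfg.max_url:
        return 404, "14"   # URL too long
    if len(query) > cfg.max_query_string:
        return 404, "15"   # query string too long
    if cfg.allowed_verbs is not None and method.upper() not in cfg.allowed_verbs:
        return 404, "6"    # verb denied
    for seq in cfg.deny_url_sequences:
        # URL sequences are checked against the raw and the decoded path.
        if _matches(seq, [path, unquote(path)]):
            return 404, "5"    # URL sequence denied
    candidates = [query]
    if cfg.unescape_query_string:
        candidates.append(unquote(query))  # e.g. %3C%53%43%52%49%50%54%3E -> <SCRIPT>
    for seq in cfg.deny_query_string_sequences:
        if _matches(seq, candidates):
            return 404, "18"   # query string sequence denied
    return 200, None


if __name__ == "__main__":
    # Roughly the configuration assembled over the course of this thread.
    cfg = RequestFilteringConfig(
        deny_url_sequences=["..", ":"],
        deny_query_string_sequences=["script", "./"],
        max_url=2048, max_query_string=1024,
        allowed_verbs={"GET", "POST"},
    )
    # Constructed sample requests.
    requests = [
        ("GET", "/page.aspx?id=%3C%53%43%52%49%50%54%3E"),  # encoded <SCRIPT> in the query
        ("GET", "/Login.aspx?ReturnUrl=%2f"),               # the legitimate login redirect
        ("GET", "/images/../web.config"),                   # directory traversal in the path
        ("TRACE", "/"),                                     # unlisted verb
    ]
    for method, url in requests:
        print(method, url, "->", evaluate(cfg, method, url))

    # The author's problem: denying "%" also denies ReturnUrl=%2f.
    deny_percent = RequestFilteringConfig(deny_query_string_sequences=["%"])
    print("deny % :", evaluate(deny_percent, "GET", "/Login.aspx?ReturnUrl=%2f"))
```

Run it to see the encoded script request rejected with 404.18 while the login redirect passes; flip unescape_query_string to False and the same encoded request sails through, which is the point of the unescapeQueryString="true" attribute in the answer above. The model deliberately has no notion of the fileExtensions list or the filteringRules element, so it says nothing about 404.7 or 404.19.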
In answer to my question. Yes, each character or string of characters has to be added on its own entry in Query Strings not rules like I thought.
jimmylew52 (Author) Commented:
Thanks for your patience, btan.
btan (Exec Consultant) Commented:
thanks for sharing - glad to have helped