Solved

how to filter metacharacters from user input iis 7.5

Posted on 2014-09-10
9
2,111 Views
Last Modified: 2014-09-12
I am trying to prevent cross site scripting and I am told I need to filter metacharacters from user input.
I am using IIS 7.5 and it seems this should be done in the Default Site > Request Filtering section. I get to "Request Filtering > Rules > Add Filtering Rule", I check "Scan query string" and give the rule a name, but I am lost from there. I assume I add to the Deny Strings section and add the metacharacters, but do I add one to each line, all in one line, or what?

Any help will be greatly appreciated.
Question by:jimmylew52
9 Comments
 
LVL 61

Expert Comment

by:btan
You may want to check this out to include in the request filter rule, but in general the prevention is via:
Encode output based on input parameters.
Filter input parameters for special characters.
Filter output based on input parameters for special characters.

Filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream.
> Special characters include these e.g.  < > " ' % ; ) ( & + -

Do kindly see this for more @ http://support.microsoft.com/kb/252985
And also find out more e.g. an SQL sample is shared, you can use it, or add on as required etc http://www.iis.net/configreference/system.webserver/security/requestfiltering/filteringrules

There is another sample below which also filters out <Script> and </script> type sequences in the query string:
http://www.cloudscan.me/2010/09/iis7-example-url-request-filtering-for.html
0
 
LVL 1

Author Comment

by:jimmylew52
Thank You for your response.

I have seen these. The question is do I enter each metacharacter on a line or how are they entered?
0
 
LVL 61

Expert Comment

by:btan
Did you check out the SQLi one? The main configuration for this feature is the filteringRules section under the system.webServer/security/requestFiltering section in the ApplicationHost.config file or in the Web.config file. You can specify rules to reject requests based on patterns that are matched against certain parts of an HTTP request.

Please see the sample code below:
http://www.iis.net/learn/manage/configuring-security/using-enhanced-request-filtering-features-in-iis
http://www.iis.net/learn/manage/configuring-security/use-request-filtering

To deny a list of URL sequences for all requests create a denyQueryStringSequences section and add the list of strings you want to disallow in the URL of your requests. The deny list is case insensitive and allows encoded values of the format %XX, where XX are hexadecimal digits. In the event of a denied condition HTTP Error 404.18 is raised.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyQueryStringSequences>
          <add sequence=".." />
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

So if someone were to send a request like http://www.foo.com/id=%3C%53%43%52%49%50%54%3E where the <script> sequence has been escaped, we would like to check the un-escaped version of this query string as well:
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /unescapeQueryString:"True"
<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="script" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

0
 
LVL 1

Author Comment

by:jimmylew52
Entering in the IIS 7 GUI seems to be worthless. I am able to add sections to the web.config file ok.

How would I know what sequences to deny?  If I add % or ? the login page does not show up, I am sure because it is

Login.aspx?ReturnUrl=%2f
0
 
LVL 61

Accepted Solution

by:btan (earned 500 total points)
When request filtering blocks an HTTP request, IIS will return an HTTP 404 error to the client and log the HTTP status with a unique substatus that identifies the reason that the request was denied. Please see the link below for details, especially the example for IIS 7.5.
<denyUrlSequences> - This element can contain a collection of URL sequence patterns that IIS 7 will deny; for example: you can deny parts of URL sequences that an attacker might try to exploit.
<denyQueryStringSequences> - This element was added in IIS 7.5. and can contain a collection of query string sequences that request filtering will always deny. This allows administrators to block potentially dangerous query string sequences that they detect.
http://www.iis.net/configreference/system.webserver/security/requestfiltering

Denies access to two URL sequences. The first sequence prevents directory traversal and the second sequence prevents access to alternate data streams.
Denies access to unlisted file name extensions and unlisted HTTP verbs.
Sets the maximum length for a URL to 2KB and the maximum length for a query string to 1KB.
<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <denyUrlSequences>
               <add sequence=".." />
               <add sequence=":" />
            </denyUrlSequences>
            <fileExtensions allowUnlisted="false" />
            <requestLimits maxUrl="2048" maxQueryString="1024" />
            <verbs allowUnlisted="false" />
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

The following code samples demonstrate how to deny access to three URL sequences for the Default Web Site: directory traversals (".."), alternate data streams (":"), and backslashes ("\").
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='..']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence=':']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='\']" 

Or simply you may want to check out URLScan to also reject HTTP requests based on the following criteria. UrlScan 3.1 and UrlScan 3.0 are supported on IIS 5.1, IIS 6.0, and IIS 7.0 and above.
http://blogs.technet.com/b/security/archive/2013/01/22/microsoft-s-free-security-tools-urlscan-security-tool.aspx
http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-faq

The HTTP request method or verb
The file name extension of the requested resource
Suspicious URL encoding
Presence of non-ASCII characters in the URL
Presence of specified character sequences in the URL
Presence of specified headers in the request

URLScan also has "DenyUrlSequences"
This option allows you to specify a list of characters to be rejected in the URL. The default options here are "..", "./", "\", ":", "%" and "&". Additional values recommended to add to this list are "#", "<", ">", "$", "@", "!", "," and "~". This option could help prevent different attacks against the site including cross site scripting attacks on the URL.

More info on URLScan
Urlscan consists of two key files: urlscan.dll and urlscan.ini which reside in the %systemroot%\inetsrv\Urlscan directory. The default urlscan.ini is archived here.

Urlscan.dll is an ISAPI filter that is self-registered when installed through IIS Lockdown/Urlscan. It can be manually registered through the Internet Services Manager interface as well. It pre-processes all requests to the IIS server looking for malicious input as defined in the Urlscan.ini configuration file. Rejected requests are logged to the Urlscan.log file located in the same directory as the other Urlscan files.

The Urlscan.ini file holds the key to successful prevention of attacks against the IIS server. The remainder of this article thus focuses on these configurations due to their paramount importance.

The Urlscan.ini file has two main parts: options and implementation. The options part of the file allows the user to enable or disable a particular option while the latter supports the actual configuration of the enabled options.
0
 
LVL 1

Author Comment

by:jimmylew52
Thanks btan, that explains enough of what I needed to know. I can now configure either the web.config file or make entries in IIS 7.5 GUI.

For anyone else confused by the IIS 7.5 GUI:     These entries are made here:    Default web site  >  IIS  >  Request Filtering  >  Query Strings tab. Click on Deny Query String, in the Query String box type the string you want to deny.

Typing  ./  in the Query String box is the same as making this entry in the web.config file:  <add sequence="./" />

<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Since my login url contains  Login.aspx?ReturnUrl=%2f    I am not able to deny  ? or = or %. I tried allowing the sequence and denying the  individual characters but that denied me access to the login page.
0
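To make the behaviour discussed in the accepted answer and in the comment above concrete (one `<add sequence="..."/>` entry per pattern, case-insensitive matching, `unescapeQueryString="true"` also checking the %XX-decoded query, the `requestLimits` sizes, and why denying `%` on its own breaks `Login.aspx?ReturnUrl=%2f`), here is a small Python model of the request-filtering rules. It is an added example, not IIS code or anything from the thread: it lets you dry-run a candidate deny list against your own URLs before editing web.config. The sample URLs are constructed, the 404 substatus values are the ones IIS logs for these denials (404.18 is quoted in the thread; 404.5, 404.14 and 404.15 are the standard values for URL sequence denied, URL too long and query string too long), and the class names and `dry_run` helper are this example's own.

```python
"""Toy model of the IIS 7.5 request-filtering rules discussed in this thread.

Added example, not IIS code: it imitates the semantics the thread describes
(deny sequences are case-insensitive, one <add sequence="..."/> entry per
pattern, unescapeQueryString="true" also inspects the %XX-decoded query,
maxUrl/maxQueryString limits) so a candidate deny list can be dry-run against
real URLs before it goes into web.config. Lengths are counted in characters,
and IIS's exact matching internals are not reproduced.
"""
from urllib.parse import unquote, urlsplit

# HTTP 404 substatus values IIS logs for these request-filtering denials.
URL_SEQUENCE_DENIED = "404.5"
URL_TOO_LONG = "404.14"
QUERY_TOO_LONG = "404.15"
QUERY_SEQUENCE_DENIED = "404.18"


class RequestFilter:
    """Stand-in for <requestFiltering>; each constructor argument maps to an
    element or attribute used in the thread's web.config samples."""

    def __init__(self, deny_url_sequences=(), deny_query_sequences=(),
                 unescape_query_string=False, max_url=4096, max_query_string=2048):
        # One list entry per <add sequence="..."/>; matching is case-insensitive.
        self.deny_url = [s.lower() for s in deny_url_sequences]
        self.deny_query = [s.lower() for s in deny_query_sequences]
        self.unescape = unescape_query_string            # unescapeQueryString="..."
        self.max_url = max_url                           # <requestLimits maxUrl="...">
        self.max_query_string = max_query_string         # <requestLimits maxQueryString="...">

    def check(self, url):
        """Return (allowed, substatus); substatus is None when the request passes."""
        parts = urlsplit(url)
        path, query = parts.path, parts.query
        if len(path) > self.max_url:
            return False, URL_TOO_LONG
        if len(query) > self.max_query_string:
            return False, QUERY_TOO_LONG
        # <denyUrlSequences> is matched against the path part of the URL.
        lowered_path = path.lower()
        for seq in self.deny_url:
            if seq in lowered_path:
                return False, URL_SEQUENCE_DENIED
        # <denyQueryStringSequences> is matched against the raw query string and,
        # when unescapeQueryString="true", against its %XX-decoded form as well.
        candidates = [query.lower()]
        if self.unescape:
            candidates.append(unquote(query).lower())
        for seq in self.deny_query:
            if any(seq in c for c in candidates):
                return False, QUERY_SEQUENCE_DENIED
        return True, None


def dry_run(rule_filter, urls):
    """Evaluate every URL and return {url: substatus or None if allowed}."""
    return {u: rule_filter.check(u)[1] for u in urls}


# Constructed sample URLs (not taken from the asker's server):
SAMPLE_URLS = [
    "/Login.aspx?ReturnUrl=%2f",                 # the asker's login redirect
    "/page.aspx?id=%3C%53%43%52%49%50%54%3E",    # "<SCRIPT>" fully %XX-encoded
    "/images/../web.config",                     # directory traversal attempt
    "/search.aspx?q=" + "a" * 1500,              # over the thread's 1 KB query limit
]

# Deny list from the accepted answer, plus the "script" query sequence btan showed.
THREAD_RULES = RequestFilter(
    deny_url_sequences=["..", ":"],
    deny_query_sequences=["script"],
    unescape_query_string=True,
    max_url=2048,
    max_query_string=1024,
)

# The asker's failed attempt: denying "%" on its own blocks ReturnUrl=%2f too.
PERCENT_RULES = RequestFilter(deny_query_sequences=["%"])

if __name__ == "__main__":
    for name, rules in [("thread rules", THREAD_RULES), ("deny %", PERCENT_RULES)]:
        print(name)
        for url, status in dry_run(rules, SAMPLE_URLS).items():
            verdict = "allow" if status is None else "deny " + status
            print(f"  {verdict:11} {url[:60]}")
```

Running it shows the thread's rules letting the login redirect through while denying the encoded `<SCRIPT>` query (404.18), the `..` path (404.5) and the oversized query (404.15); switching `unescape_query_string` off lets the encoded `<SCRIPT>` pass, which is why btan's sample sets `unescapeQueryString="true"`. The `PERCENT_RULES` run reproduces the login-page breakage the asker hit: a single-character sequence like `%` matches every URL-encoded value, so it is far too broad for a site whose own redirects use encoding.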
 
LVL 1

Author Comment

by:jimmylew52
In answer to my question: yes, each character or string of characters has to be added as its own entry under Query Strings, not under Rules like I thought.
0
 
LVL 1

Author Closing Comment

by:jimmylew52
Thanks for your patience btan.
0
 
LVL 61

Expert Comment

by:btan
thanks for sharing - glad to have helped
0
