Solved

how to filter metacharacters from user input iis 7.5

Posted on 2014-09-10
Last Modified: 2014-09-12
I am trying to prevent cross site scripting and I am told I need to filter metacharacters from user input.
I am using IIS 7.5 and it seems this should be done in the default site  >  request filtering section. I get to "request filtering  >  rules  >  Add filtering rule", I check "Scan query string" and give the rule a name, but I am lost from there. I assume I add to the deny strings section and add the metacharacters, but do I add one to each line, all in one line, or what?

Any help will be greatly appreciated.
Question by:jimmylew52
9 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40316262
You may want to check this out to include in the request filter rule, but in general the prevention is via:
Encode output based on input parameters.
Filter input parameters for special characters.
Filter output based on input parameters for special characters.

Filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream.
> Special characters include these e.g.  < > " ' % ; ) ( & + -

Do kindly see this for more @ http://support.microsoft.com/kb/252985
And also find out more e.g. an SQL sample is shared, you can use it, or add on as required etc http://www.iis.net/configreference/system.webserver/security/requestfiltering/filteringrules

There is another sample below which also filters out <Script> and </script> type query sequences:
http://www.cloudscan.me/2010/09/iis7-example-url-request-filtering-for.html
0
 
LVL 1

Author Comment

by:jimmylew52
ID: 40316903
Thank You for your response.

I have seen these. The question is do I enter each metacharacter on a line or how are they entered?
0
 
LVL 64

Expert Comment

by:btan
ID: 40316923
Did you check out the SQLi? The main configuration for this feature is the filteringRules section under the system.webServer/security/requestFiltering section in the Applicationhost.config file or in the Web.config file. You can specify rules to reject requests based on patterns that are matched against certain parts of an HTTP request.

Please see the sample code in the links below:
http://www.iis.net/learn/manage/configuring-security/using-enhanced-request-filtering-features-in-iis
http://www.iis.net/learn/manage/configuring-security/use-request-filtering

To deny a list of URL sequences for all requests create a denyQueryStringSequences section and add the list of strings you want to disallow in the URL of your requests. The deny list is case insensitive and allows encoded values of the format %XX, where XX are hexadecimal digits. In the event of a denied condition HTTP Error 404.18 is raised.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyQueryStringSequences>
          <add sequence=".." />
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

So if someone were to send a request like http://www.foo.com/id=%3C%53%43%52%49%50%54%3E where the <script> sequence has been escaped, we would like to check the un-escaped version of this query string as well:
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /unescapeQueryString:"True"
<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="script" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration> 

0
 
LVL 1

Author Comment

by:jimmylew52
ID: 40317589
Entering in the IIS 7 GUI seems to be worthless. I am able to add sections to the web.config file ok.

How would I know what sequences to deny?  If I add % or ? the login page does not show up, I am sure because it is

Login.aspx?ReturnUrl=%2f
0
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40318383
When request filtering blocks an HTTP request, IIS will return an HTTP 404 error to the client and log the HTTP status with a unique substatus that identifies the reason that the request was denied. Please see the link below for details, especially the example for IIS 7.5.
<denyUrlSequences> - This element can contain a collection of URL sequence patterns that IIS 7 will deny; for example, you can deny parts of URL sequences that an attacker might try to exploit.
<denyQueryStringSequences> - This element was added in IIS 7.5 and can contain a collection of query string sequences that request filtering will always deny. This allows administrators to block potentially dangerous query string sequences that they detect.
http://www.iis.net/configreference/system.webserver/security/requestfiltering

Denies access to two URL sequences. The first sequence prevents directory traversal and the second sequence prevents access to alternate data streams.
Denies access to unlisted file name extensions and unlisted HTTP verbs.
Sets the maximum length for a URL to 2KB and the maximum length for a query string to 1KB.
<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <denyUrlSequences>
               <add sequence=".." />
               <add sequence=":" />
            </denyUrlSequences>
            <fileExtensions allowUnlisted="false" />
            <requestLimits maxUrl="2048" maxQueryString="1024" />
            <verbs allowUnlisted="false" />
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

The following code samples demonstrate how to deny access to three URL sequences for the Default Web Site: directory traversals (".."), alternate data streams (":"), and backslashes ("\").
appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='..']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence=':']" 

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyUrlSequences.[sequence='\']" 

Or you may simply want to check out URLScan, which also rejects HTTP requests based on the criteria listed below. UrlScan 3.1 and UrlScan 3.0 are supported on IIS 5.1, IIS 6.0, and IIS 7.0 and above.
http://blogs.technet.com/b/security/archive/2013/01/22/microsoft-s-free-security-tools-urlscan-security-tool.aspx
http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-faq

The HTTP request method or verb
The file name extension of the requested resource
Suspicious URL encoding
Presence of non-ASCII characters in the URL
Presence of specified character sequences in the URL
Presence of specified headers in the request

URLScan also has "DenyUrlSequences"
This option allows you to specify a list of characters to be rejected in the URL. The default options here are "..", "./", "\", ":", "%" and "&". Additional values recommended to add to this list are "#", "<", ">", "$", "@", "!", "," and "~". This option could help prevent different attacks against the site including cross site scripting attacks on the URL.

More info on URLScan
Urlscan consists of two key files: urlscan.dll and urlscan.ini which reside in the %systemroot%\inetsrv\Urlscan directory. The default urlscan.ini is archived here.

Urlscan.dll is an ISAPI filter that is self-registered when installed through IIS Lockdown/Urlscan. It can be manually registered through the Internet Services Manager interface as well. It pre-processes all requests to the IIS server looking for malicious input as defined in the Urlscan.ini configuration file. Rejected requests are logged to the Urlscan.log file located in the same directory as the other Urlscan files.

The Urlscan.ini file holds the key to successful prevention of attacks against the IIS server. The remainder of this article thus focuses on these configurations due to their paramount importance.

The Urlscan.ini file has two main parts: options and implementation. The options part of the file allows the user to enable or disable a particular option while the latter supports the actual configuration of the enabled options.
0
 
LVL 1

Author Comment

by:jimmylew52
ID: 40319228
Thanks btan, that explains enough of what I needed to know. I can now configure either the web.config file or make entries in IIS 7.5 GUI.

For anyone else confused by the IIS 7.5 GUI:     These entries are made here:    Default web site  >  IIS  >  Request Filtering  >  Query Strings tab. Click on Deny Query String, in the Query String box type the string you want to deny.

Typing  ./  in the Query String box is the same as making this entry in the web.config file:  <add sequence="./" />

<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="./" />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Since my login url contains  Login.aspx?ReturnUrl=%2f    I am not able to deny  ? or = or %. I tried allowing the sequence and denying the  individual characters but that denied me access to the login page.
0
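To make the matching behaviour from btan's web.config samples and the login-page problem above concrete, here is an added example that is not part of the original thread: a small Python simulation of <denyQueryStringSequences> that reads a constructed web.config fragment in the same shape as the ones posted. It assumes the behaviour the thread quotes from the IIS docs (case-insensitive matching; with unescapeQueryString="true" the %XX-decoded query string is scanned as well as the raw one), and the sample URLs are constructed for the test.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed web.config fragment, same shape as the ones posted in the thread.
WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering unescapeQueryString="true">
        <denyQueryStringSequences>
          <add sequence="script" />
          <add sequence=".." />
        </denyQueryStringSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""


def load_rules(config_xml):
    """Return (unescape_flag, [denied sequences]) from a web.config fragment."""
    root = ET.fromstring(config_xml)
    rf = root.find("./system.webServer/security/requestFiltering")
    unescape = rf.get("unescapeQueryString", "false").lower() == "true"
    seqs = [a.get("sequence") for a in rf.findall("denyQueryStringSequences/add")]
    return unescape, seqs


def is_denied(url, unescape, sequences):
    """Return the first denied sequence found in the query string, else None.

    Assumed model of IIS request filtering: the raw query string is always
    scanned; when unescape is True the %XX-decoded form is scanned too, and
    every comparison is case-insensitive.
    """
    query = url.split("?", 1)[1] if "?" in url else ""
    candidates = [query.lower()]
    if unescape:
        candidates.append(unquote(query).lower())
    for seq in sequences:
        if any(seq.lower() in c for c in candidates):
            return seq
    return None


if __name__ == "__main__":
    unescape, seqs = load_rules(WEB_CONFIG)
    # Fully %-encoded <SCRIPT>: only caught because the decoded form is scanned.
    print(is_denied("http://www.foo.com/?id=%3C%53%43%52%49%50%54%3E", unescape, seqs))
    # The asker's login URL passes these rules, but denying "%" would block it.
    print(is_denied("http://www.foo.com/Login.aspx?ReturnUrl=%2f", unescape, seqs))
    print(is_denied("http://www.foo.com/Login.aspx?ReturnUrl=%2f", unescape, ["%"]))
```

The last call reproduces the asker's observation: any rule that denies a bare "%" or "?" also denies the ReturnUrl=%2f login redirect, so deny sequences need to be specific tokens such as "script" rather than individual metacharacters.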
 
LVL 1

Author Comment

by:jimmylew52
ID: 40319231
In answer to my question: yes, each character or string of characters has to be added as its own entry in Query Strings, not in Rules like I thought.
0
 
LVL 1

Author Closing Comment

by:jimmylew52
ID: 40319232
Thanks for your patience btan.
0
 
LVL 64

Expert Comment

by:btan
ID: 40319459
thanks for sharing - glad to have helped
0
