In my ASP.NET MVC application, I want to resolve the HTTP Request Smuggling Vulnerability issue.
I thought it would be sufficient if I blocked the requests which have a Transfer-Encoding: chunked header. In the IIS administration menu, I added a new Request Filtering rule for this. However that does not seem to fix it.
I wrote little .NET code to test if IIS generates a 404 error when chunked content is sent. When I add the transfer encoding header 1 time to my test client code as below, I do NOT receive 404—I receive 200.
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
Interestingly, if I add the header 2 times (I mean duplicate it) like
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
The filtering rule applies, and I receive 404 as I expected.
How can I fix it?
A few months later, Microsoft added a patch wherein you can disable request smuggling with a registry key.
Click Start, click Run, type Regedit in the Open box, and then click OK.
Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
Set DWORD type value DisableRequestSmuggling to one of the following:
Set to 0 to disable the filter
Set to 1 to enable the filter
Exit Registry Editor.
Restart the computer.
Related
I have an IIS 10.0 server, and I'm seeing that some disallowed headers [Pragma, Expires] are still getting added, but they are only being added to API endpoints, not when static content is getting retrieved. These headers are not being set in the code. I've followed the recommended approach to remove the headers from IIS (adding the remove element to configuration\system.webServer\httpProtocol\customHeaders), and when debugging, I do not see these headers in the HTTP response before it gets sent back to the caller. I would like to remove these headers from the response, but have no idea how to figure out where they are being set. Any pointers?
To extend the comment above.
The key to troubleshoot such issues is to know the source of such headers, so enabling Failed Request Tracing is the quickest way.
If you find that the headers (such as ASP.NET and so on) are set by IIS default modules, you know that you should refer to IIS documentation to locate the settings and turn them off.
In your case, FRT reveals the headers come from a third party module, so you will need to check what settings the vendor provides in documentation.
Note that even if you cannot find vendor settings to turn them off, you might still be able to remove them in several ways such as removing such headers in URL Rewrite outbound rules.
I have a server / client project, both written in dart. Now my server starts on port 1337 and when I run my client with the Run in dartium, my static files are served on port 3030 which allows me to debug my client code in the Dart editor.
The problem is that this causes CORS when using AJAX calls. I have properly setup my server to accept other origins (with Access-Control-Allow-Origin) but, for example, cookies aren't sent along.
Now I'm wondering: is there a way to serve my files with my server (running on 1337) and still have the possibility to debug the client side code in the dart editor?
My understanding is that you can debug, but the real problem is that you don't get the expected data back from the server due to missing cookies.
Standard CORS requests do not send or set any cookies by default.
In order to include cookies as a part of the request, besides setting up the server, you need to specify withCredentials property, e.g.:
HttpRequest.getString(url, withCredentials:true)...
You will also need to setup server to provide Access-Control-Allow-Credentials header.
EDIT: it seems that additional issue is that you don't want to have 2 servers, each serving different part of app.
In that case, you can configure DartEditor to launch the URL, instead of files. Go to Run > Manage Launches and add create a new Dartium or Dart2JS launch with specified URL and source directory.
Another option is to select Run > Remote Connection and attach to a running instance of browser or Dart VM.
Caveat: I haven't tried these options, so I can't tell how stable they are.
I am trying to perform a load test with JMeter on my ASP.NET MVC website that I have published on IIS..
My problem is..I'm confused about what URL pattern should I include or exclude..Currently, URL is immaterial for me, so I tried with '.* ' in URL to include and nothing in URL to exclude.. But JMeter is recording only a jpg url...If I specify '.*\.jpg ' in exclude, it records nothing. I also tried '.*\.aspx ' in include and nothing in exclude, but that doesn't seem to be working either :(
Is this something MVC specific? I am not very sure how it handles urls..(I am doing all this for the first time..). I otherwise didn't have any issues recording steps on other servers like google,apache.jmeter.test etc. where there were normal html pages with my current JMeter settings:
A Thread Group called 'Users' having a
Recording Controller
HTTP request defaults pointing to localhost:9080
A Workbench with
HTTP Proxy Server pointing to localhost:9080
My connection setting is also on localhost:9080.
I'm running JMeter from behind my company's proxy server successfully.
Thanks for any help :)
Realized later that it was not about URLs as such. My browser setting was probably faulty. I was using IE8..When I switched to Firefox, got more fine-grained control on the settings..These settings before recording worked for me:
Set manual proxy configuration to localhost,8081.
Check 'Use this proxy for all protocols'
Leave 'No proxy for' field blank
No 'Automatic proxy configuration'
Click OK.
After this if you try to access your site on IIS while JMeter proxy server hasn't started yet, it wouldn't, saying the connection was refused.
After this, go to JMeter and click the Start button to record. Try acessing the site again. It should come up :) Some more details:
There was no need to specify port number in HTTP request defaults. Just specified it in HTTP proxy server (8081 in my case).
For the session information to be saved properly, you must use a cookie manager (preferably, keep it at the top)..When you record, you get a HTTP header manager under each HTTP request if you had ticked the chekcbox against "Capture HTTP headers" in HTTP Proxy Server before recording..Copy this and add it as a child under your thread group.
Hope this helps someone struggling like me :)
I'm in Internet Explorer 8, using MVC 1 and IIS 7.
I have an action on a controller which serves up an excel file.
I go to the action, a dialog pops up asking if I want to save or open the file, and I select open.
Then Excel makes a HEAD request to the server, followed by opening up a password prompt, then goes up a directory and makes an OPTIONS request, followed by 5 PROPFIND requests. Then if I cancel the password prompt, the excel document opens fine, and makes one final HEAD request to the original directory.
What is going on, and how do I stop it? Can I do something in global.asax or my web.config to mass block all these HEAD/OPTIONS/PROPFIND requests that excel is making? I don't have access to make changes to the web server.
This occurs in office documents where the microsoft programs try to open the file from the server itself. It then tries to authenticate and sends requests such as OPTIONS and PROPFIND to get the server type and tool available to do live editing and updating the local copy from the server, etc. Basically, its done for synchronization.
How do you stop it? no idea, probably have to look at the settings in your local excel tool.
How do you block specific requests in global.ascx? Whats the advantage of blocking it instead of just leaving it, its not like your application is using the request anyways. I'd like to see an answer for this though.
There is this one action that is requested using javascript during the loading of a page, it takes over 25 seconds to resolve. Looking at the code makes me think there is a scaling issue, but I am wondering if there is any way I can step through the code during the request so I can see what is happening. I try clicking 'debug/start debugging' but it won't launch the proper URL (access to the site is subdomain based), and it will also not find certain dependencies. I am able to browse the site directly via URL locally after mapping a URL via my hosts file to localhost (127...) but the default url that pops up (localhost...) from debug does not work because it is not formatted properly.
Any ideas?
You can attach the debugger to your browser by selecting "Attach to process" under "Debug" menu.
In the past, at least with ASP.NET we have used tracing to debug issues. You will just need to enable it in the webconfig. If you use warn, the messages will show in red and be easier to spot.