Request filtering does not work properly in IIS 10

Anoosh Saghiri 21

To prevent path traversal attack, I add some settings in in request filtering (in Rule and URL tabs) but they does not work properly.
For example I add ".." in "Deny String" and in "Deny Sequence" but IIS accept it (e.g. ../../css/test.txt).
Also I add "/../.*" in "Block Request Rule" in URL rewrite, but it does not work too.

Is there anything wrong in my settings?

Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor

2023-01-09T02:16:27.937+00:00

@Anoosh Saghiri

It is difficult to reproduce your problem based on your description, can you give an example of the problem you're having? better share what you tried.
Anoosh Saghiri 21 Reputation points

2023-01-09T04:11:35.707+00:00

Reproducing this problem needs another software like Burp Suit to change the Get command (I couldn't produce it with the browser).
When my web site wants to get a resource like an icon the Get command can be like this "Get /content/img/x.icon". In Burp Suit, we can change this to "Get /content/img/x.icon/../../txt/y.txt" and IIS return the content of y.txt file.
To prevent this (because this Get command is not in my controllers), I have tried to set some parameters in IIS. So, in Request Filtering and URL Rewrite, there are some settings, like Deny Sequence, Deny String and Block Request that must prevent the execution of that Get command that has something like ".." (which is set to prevent!). But there is no good result and IIS return that file.

Accepted answer

Lex Li (Microsoft) 4,662 Reputation points Microsoft Employee

2023-01-09T07:09:42.13+00:00

While you claimed "reproducing this problem", please open the IIS log files (or FRT) for this site and show us what are the URLs recorded. Since parent path traversing has been known as a bad thing for decades, you will be surprised to see that everywhere along the HTTP request processing path has certain ways to remove such harmful dots, so IIS might not even receive the dots to trigger any action you configured.
Please sign in to rate this answer.

1 person found this answer helpful.
Anoosh Saghiri 21 Reputation points

2023-01-09T09:46:36.913+00:00

Thank you.

It's true that IIS might not even receive the dots to trigger any action. I saw it in IIS log files the there were not any harmful dots.
But there is a problem and a question about the below command:

Get /content/img/x.icon/../../txt/y.txt

The problem is IIS receive this "/content/txt/y.txt" and sends the y.txt to the sender. How can I prevent this?
The question is who replace the ".." with the folder name?

Lex Li (Microsoft) 4,662 Reputation points Microsoft Employee

2023-01-09T09:51:50.487+00:00

Based on my testing, a lot of HTTP clients manipulate the paths to remove the dots before sending out the requests. They are, curl command line tool, PowerShell curl cmdlet, browsers, and .NET HTTP related classes. And there can be more.
Sign in to comment

Request filtering does not work properly in IIS 10

0 additional answers