This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 80%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC2%3C/text%3E%3C/svg%3E)
My client got a website and right now doing the penetration test. However my test keep failed on the windows short file disclosure issue. You can refer the link as i posted https://forums.iis.net/p/1248972/2158325.aspx?Re+IIS+Custom+Error+Page+not+working+for+
Each time enter https://www.website.com/*~1, my application will return Error 404 instead of custom error page. My client is using Azure VM Server 2012R2 and running IIS 8.5 at the moment.
I've tried the following:
1. Deny URL sequence with "~" in Request Filtering in IIS.
2. Used URL rewrite with pattern (^[^\?]\~.\?.$)|(^[^\?]\~.*$), action: Abort Request
3. Tried URLScan 3.1 but seem no more working for IIS 8.5.
4. Tried with new project and create only 1 html file for test.
5. Disabled NtfsDisable8dot3NameCreation under registry.
6. Scanned c:\inetpub and there is 0 window short file name.
7. Run windows update
All above with no luck. If you got better solution,
You can use the command fsutil behavior query disable8dot3 to verify the current status.