WebApp Sec mailing list archives
RE: Double Slashes
From: "Auri Rahimzadeh" <Auri () auri net>
Date: Thu, 4 Aug 2005 09:35:24 -0500
Forgot to add... you could also encrypt your additional text and decrypt it on the error message.. For example, if you're trying to pass data such as http://site.com/param/param//param In ASP.NET you can set a global error handling page in the web.config and handle the 404 (file not found) error in a Redirect.aspx page (name doesn't matter, whatever you decide on in your web.config), parse your URL after http://site.com/ and redirect appropriately.. Best, -Auri ---------- Original Message ---------------------------------- From: "Auri Rahimzadeh" <Auri () auri net> Reply-To: <Auri () auri net> Date: Thu, 4 Aug 2005 09:30:49 -0500
You could also try a few other techniques, especially if URLScan or some similar URL monitor isn't running (altho you *should* have one running!): * Escaping the // as %2F%2F * Using something other than backslashes to signify a path, list separator, etc. (such as using | or ~~ or something that isn't used for filepaths) Best, -Auri Author Geek My Ride (available at Amazon and most bookstores!) www.GeekMyRide.net ---------- Original Message ---------------------------------- From: "Andres Molinetti" <andymolinetti () hotmail com> Date: Thu, 04 Aug 2005 14:20:31 +0000This IIS has no URLScan running. That's the odd thing. Therefore I think it may have been a patch or something. What I need is a way that the server doesn't strip my slashes and let me send an url like this "www.example.com/dir//page.asp". Any ideas?From: "Auri Rahimzadeh" <Auri () auri net> Reply-To: <Auri () auri net> To: 'Andres Molinetti' <andymolinetti () hotmail com>, <pen-test () securityfocus com>, Jeff Robertson <Jeff.Robertson () DigitalInsight com> CC: <webappsec () securityfocus com> Subject: RE: Double Slashes Date: Thu, 4 Aug 2005 08:58:11 -0500 Look at URLScan and the IIS Locktown Utility. Just search for it at Microsoft's web site. Best, -Auri Author "Geek My Ride" (available at Amazon and most bookstores!) www.GeekMyRide.net ---------- Original Message ---------------------------------- From: Jeff Robertson <Jeff.Robertson () DigitalInsight com> Date: Thu, 4 Aug 2005 09:45:11 -0400This is very similar to what is being talked about wrt to Apache in the thread of messaeges called "Heavy Security Issue" today. Maybe IIS had something similar, and this is how they fixed it. -----Original Message----- From: Andres Molinetti [mailto:andymolinetti () hotmail com] Sent: Thursday, August 04, 2005 9:30 AM To: pen-test () securityfocus com Cc: webappsec () securityfocus com Subject: Double Slashes Is there anyway to encode a "//" in a GET request to an .ASP page in IIS5.0(patched up2date) For example.. GET /dir1//dir2.asp HTTP/1.0 IIS seems to convert to a single slash the following ones: // \\ /./ /../ ///////// ... Not sure if it is some fix to old unicode and double enconding bugs. Regards, Andy _________________________________________________________________ ¿Estás pensando en cambiar de coche? Todas los modelos de serie y extrasenMSN Motor. http://motor.msn.es/researchcentre/_________________________________________________________________ Un amor, una aventura, compañía para un viaje. Regístrate gratis en MSN Amor & Amistad. http://match.msn.es/match/mt.cfm?pg=channel&tcid=162349
Current thread:
- Double Slashes Andres Molinetti (Aug 04)
- <Possible follow-ups>
- RE: Double Slashes Jeff Robertson (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Jeff Robertson (Aug 04)
- RE: Double Slashes Andres Molinetti (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- RE: Double Slashes Auri Rahimzadeh (Aug 04)
- Re: Double Slashes Steven M. Christey (Aug 04)
- RE: Double Slashes Kyle Quest (Aug 05)