Update on ASP.NET Vulnerability
page 3 of 5
by Scott Guthrie
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 23605/ 87

Install and Enable IIS URLScan with a Custom Rule

If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:

x86 Version

x64 Version

It takes less than a minute to install on your server. 

Add an Addition URL Scan Rule

Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

%windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section.  Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]

aspxerrorpath=

The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error.  Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.

After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect.  To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.


View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2022 ASPAlliance.com  |  Page Processed at 2022-10-06 2:28:58 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search