Update on ASP.NET Vulnerability : ASP Alliance

Print Add To Favorites Email To Friend Rate This Article
Update on ASP.NET Vulnerability

page 3 of 5

by Scott Guthrie
Feedback

Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 23669/ 45

Article Contents:

Install and Enable IIS URLScan with a Custom Rule

If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:

x86 Version

x64 Version

It takes less than a minute to install on your server.

Add an Addition URL Scan Rule

Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

%windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]

aspxerrorpath=

The above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.

After saving this change, run “iisreset” from a command prompt (elevated as admin) for the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.

« (Page 2)

View Entire Article

(Page 4) »

User Comments

No comments posted yet.

Product Spotlight