[英]How to Fix HTTP Request Smuggling on IIS
In my ASP.NET MVC application, I want to resolve HTTP Request Smuggling Vulnerability issue.在我的 ASP.NET MVC 应用程序中,我想解决 HTTP 请求走私漏洞问题。
I thought it would be sufficient if I blocked the requests which has "Transfer-Encoding: chunked" header.我认为如果我阻止具有“传输编码:分块”标头的请求就足够了。 On IIS administation menu, I added new Request Filtering rule for this.
在 IIS 管理菜单上,我为此添加了新的请求过滤规则。 However that does not seem to fix.
然而,这似乎并没有解决。
I wrote little .NET code to test if IIS generates 404 error when chunked content is sent.我编写了很少的 .NET 代码来测试 IIS 在发送分块内容时是否生成 404 错误。 When I add the transfer encoding header 1 time to my test client code as below, I do NOT receive 404, I receive 200.
当我将传输编码标头 1 次添加到我的测试客户端代码中时,如下所示,我没有收到 404,我收到了 200。
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
Interestingly, I add the header 2 times (I mean duplicate it) as有趣的是,我将标题添加了 2 次(我的意思是复制它)作为
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
The filtering rule applies and I receive 404 as I expected.过滤规则适用,我按预期收到 404。
How can I fix it?我该如何解决?
A few months later, Microsoft added a patch wherein you candisable request smuggling with a registry key .几个月后,微软添加了一个补丁,您可以在其中禁用使用注册表项的请求走私。
- Click Start, click Run, type
Regedit
in the Open box, and then click OK.单击开始,单击运行,在打开框中键入
Regedit
,然后单击确定。- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\HTTP\\Parameters
找到并单击以下注册表子项:
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\HTTP\\Parameters
- Set
DWORD
type valueDisableRequestSmuggling
to one of the following:将
DWORD
类型值DisableRequestSmuggling
设置为以下之一:
- Set to 0 to disable the filter
设置为 0 以禁用过滤器
- Set to 1 to enable the filter
设置为 1 以启用过滤器
- Exit Registry Editor.
退出注册表编辑器。
- Restart the computer.
重新启动计算机。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.