如何修复 IIS 上的 HTTP 请求走私
[英]How to Fix HTTP Request Smuggling on IIS
问题描述
In my ASP.NET MVC application, I want to resolve HTTP Request Smuggling Vulnerability issue.
在我的 ASP.NET MVC 应用程序中,我想解决 HTTP 请求走私漏洞问题。
I thought it would be sufficient if I blocked the requests which has "Transfer-Encoding: chunked" header.我认为如果我阻止具有“传输编码:分块”标头的请求就足够了。 On IIS administation menu, I added new Request Filtering rule for this.在 IIS 管理菜单上,我为此添加了新的请求过滤规则。 However that does not seem to fix.然而,这似乎并没有解决。
I wrote little .NET code to test if IIS generates 404 error when chunked content is sent.我编写了很少的 .NET 代码来测试 IIS 在发送分块内容时是否生成 404 错误。 When I add the transfer encoding header 1 time to my test client code as below, I do NOT receive 404, I receive 200.当我将传输编码标头 1 次添加到我的测试客户端代码中时,如下所示,我没有收到 404,我收到了 200。
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
Interestingly, I add the header 2 times (I mean duplicate it) as有趣的是,我将标题添加了 2 次(我的意思是复制它)作为
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
The filtering rule applies and I receive 404 as I expected.过滤规则适用,我按预期收到 404。
How can I fix it?我该如何解决?
1 个解决方案
解决方案1
0 2021-02-24 20:06:27
A few months later, Microsoft added a patch wherein you candisable request smuggling with a registry key .几个月后,微软添加了一个补丁,您可以在其中禁用使用注册表项的请求走私。
- Click Start, click Run, type
Regeditin the Open box, and then click OK.Regedit,然后单击确定。- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\HTTP\\ParametersHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\HTTP\\Parameters- Set
DWORDtype valueDisableRequestSmugglingto one of the following:DWORD类型值DisableRequestSmuggling设置为以下之一:
- Set to 0 to disable the filter
- Set to 1 to enable the filter
- Exit Registry Editor.
- Restart the computer.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.