stackoom
  简体   繁体   中英

URL rewrite to remove tildes

 原文  2012-11-26 11:56:35       c#/ asp.net/ .net/ iis

Question

During my company's annual security/penetration test, the following problem came up regarding tildes and shortname files for aspx pages:

Here is the white paper on the subject. It looks like a relatively newly discovered vulnerability (the paper is from June 2012) where inserting tildes in the right place in the url allows you to find the shortnames of your aspx files. I'm looking for a way to remove all tildes from a web request made to our website to prevent this.

The white paper suggests upgrading to IIS 7, but that's a major project that can't be completed very quickly. We're using C# .NET 4.0/IIS 6. Anyone with experience here that could point me in the right direction?

1 answers

solution1
 1  2012-11-26 12:29:57

You could just add the following code to global.asax : 

Protected Sub Application_BeginRequest(ByVal sender As Object, ByVal e As System.EventArgs)

    If HttpContext.Current.Request.RawUrl.Contains("~") Then
        'do whatever - eg: stip the ~ or redirect to error page
    End If

End Sub

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Smart way to add and remove URL rewrite rules in C# at runtime? url rewrite : how to remove value from url and make seo friendly url URL Rewrite to remove www and redirect to https using web-config (c# .net) Rewrite rule to redirect URL Disable URL Rewrite rules Url rewrite for subdomain as Username URL Rewrite for one level? Url rewrite in MVC URL rewrite + outputcache URL Rewrite Substring
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM