WebResource.axd giving 403 error in ASP.Net Post backs using IIS7

Question

I installed a ASP.Net website on a Windows 2008 server, which is by default using IIS7. The website seems to work fine, but the post backs on my forms do not work. After a few hours of debugging, I realized that when I manually try to hit the WebResource.axd file in my browser (e.g. I type http://www.domain.com/WebResource.axd in the address bar), I get a HTTP 403 error (Access Denied).

I'm not quite sure where to look next and my Windows 2008 security knowledge is limited. How do I go about giving access to that file?

Answer 1

For hosting companies that have Plesk control panel, you can turn off the Web Application Firewall (WAF), but since purpose of WAF is to help protect your website from various attacks you should only deactivate the specific Rule IDs that are causing the issue. In my case, I needed to allow .axd files on my website (eg, Scriptresource.axd and WebResource.axd).

1. Identify this specific Rule ID that is being violated by opening the "ModSecurity Logfile" on the Plesk WAF page.

2. Search for the 403 Access Denied message in the logfile and then look for a substring that looks like [id "942440"]. This is the rule ID that is being violated.

3. Switch off the "Security Rule" that applies to this issue, by typing the ID number in the "Switch off Security Rules" section on the Plesk WAF page. In this example, you would type just the numbers "920440" inside the text box.

Answer 2

If you are using plesk panel or Web Application Firewall (ModSecurity) is active, disable "OWASP_CRS / LEAKAGE / ERRORS_IIS" and "OWASP_CRS / POLICY / EXT_RESTRICTED" security rules.

Answer 3

There is a issue in Firewall setting. Request is blocked in Firewall. contact server admin to change configuration. We got solution.

Answer 4

Navigate to your iis config folder. Typically: c:\windows\system32\inetsrv\config and open applicationHost.config file. Then within file navigate to the <handlers> section and check that following line is present:

<add name="AssemblyResourceLoader-Integrated" path="WebResource.axd" verb="GET,DEBUG" type="System.Web.Handlers.AssemblyResourceLoader" preCondition="integratedMode" />

That is if you're running in integrated mode. Check that verb GET is specified.

If you are running in classic pipeline mode that this line should be present

<add name="AXD-ISAPI-2.0" path="*.axd" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness32" responseBufferLimit="0" />

If everything seems to be ok than look at your web.config in Handlers and Modules section and see if you have added <clear /> on the top of each. If you did then you have include add section in your web.config file respecting the order in of the handlers/modules specified in applicationHosting.config file.

Answer 5

Not sure on that one, but it may be related to http compression in IIS. Also check that the file is accessible to the IIS User.

Answer 6

This is the error that I'm getting when doing a Postback:

WebForm_PostBackOptions is undefined.

To my knowledge that function is contained inside the WebResource.axd file, which led me to try it in the address bar, which how I know about the 403 error...

Answer 7

Check your IIS logs - they should give a status code that has more detailed information about the error. Also, what is the nature of the error on the postback?