Reputation: 4039
In my ASP.NET MVC application, I want to resolve the HTTP Request Smuggling Vulnerability issue.
I thought it would be sufficient if I blocked the requests which have a Transfer-Encoding: chunked header. In the IIS administration menu, I added a new Request Filtering rule for this. However, that does not seem to fix it.
I wrote a little .NET code to test if IIS generates a 404 error when chunked content is sent. When I add the transfer encoding header 1 time to my test client code as below, I do NOT receive 404—I receive 200.

```csharp
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
```

Interestingly, if I add the header 2 times (I mean duplicate it) like

```csharp
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
httpRequest.Headers.Add("Transfer-Encoding", "chunked");
```

the filtering rule applies, and I receive 404 as I expected.
How can I fix it?
Upvotes: 2
Views: 9257
Reputation: 9323
A few months later, Microsoft added a patch wherein you can disable request smuggling with a registry key.
- Click Start, click Run, type Regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
- Set DWORD type value DisableRequestSmuggling to one of the following:
  - Set to 0 to disable the filter
  - Set to 1 to enable the filter
- Exit Registry Editor.
- Restart the computer.
Upvotes: 2
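The registry steps from the answer above, scripted so they can be audited and applied repeatably across servers. This is an added example, not code from the answer or from Microsoft; the `$Desired` parameter name is an assumption made for the script, and the key path, value name and 0/1 meanings are taken from the answer.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and set the DisableRequestSmuggling value described above.
# Run with -WhatIf to see the pending change without writing to the registry.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical parameter name. Per the answer: 1 enables the filter, 0 disables it.
    [ValidateSet(0, 1)]
    [int]$Desired = 1
)

$key  = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$name = 'DisableRequestSmuggling'

if (-not (Test-Path -LiteralPath $key)) {
    throw "Registry key not found: $key"
}

# Read the current state. A missing value yields $null rather than an error.
$current = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name

# A value of the wrong type (for example a string "1") must be rewritten as a DWORD.
$kind = $null
if ($null -ne $current) {
    $kind = (Get-Item -LiteralPath $key).GetValueKind($name)
}

if ($null -ne $current -and $kind -eq 'DWord' -and $current -eq $Desired) {
    Write-Output "$name is already DWORD $Desired; no change made."
    return
}

$before = if ($null -eq $current) { '<not set>' } else { "$current ($kind)" }

if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Desired (currently $before)")) {
    # -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
        -Value $Desired -Force | Out-Null

    # Read back to confirm the write persisted before reporting success.
    $after = (Get-ItemProperty -LiteralPath $key -Name $name).$name
    if ($after -ne $Desired) {
        throw "Write did not persist: expected $Desired, read back $after"
    }
    Write-Output "$name changed from $before to $after. Restart the computer to apply it."
}
```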