URLScan RejectResponseUrl not working, getting 403 Forbidden on IIS 7.5 Win2008

  • Question

  • User-1641237345 posted

    Hello.  I have specified a RejectResponseUrl in URLScan (latest version) with UseFastPathReject=0, and I know URLScan is working when I test it, but instead of going to the specified RejectResponseUrl I'm getting the standard IIS 403 Forbidden page.  I can't figure out why.  This is problematic for my security scans because it echoes the dirty URL.  Any ideas?  By the way, there is nothing funky going on with my web.config or how my IIS errors are set up for this site, everything is default.  This is on IIS 7.5 Win2008.  Thanks.

    Friday, June 7, 2013 11:36 AM

All replies

  • User390598869 posted

    Hi

    If this issue still exists (I may hope not after 8 days) please post your URLSCAN config here. (leave out the sensitive info)

    If the issue is solved please share the solution here because not many IIS7.5 admins use URLSCAN anymore.

    Thanks

    Saturday, June 15, 2013 11:03 AM
  • User-1641237345 posted

    Hi, again.  I have not yet figured out this problem; it has definitely not gone away on its own.  I am still looking for a solution.  Below I have posted my URLScan config.

    Here is an example of the URL I am trying to block and forward to the URLscan.htm script on my root:

    http://whatever.com/..<script>alert(7751)</script>

    This is being caught by the URL scan but I get the default IIS 403 page, which says:

    Forbidden. You don't have permission to access http://whatever.com/URLscan.htm?~/.. on this server.

    Can you see anything going on in my config, or have any ideas, that would prevent my machine from using the RejectResponseUrl?  And by the way, yes, I can see the URLscan.htm page when I access it directly.  That page itself does not have permissions on it or anything like that.

    Thanks.

    P.S.  So if IIS7.5 admins aren't using URLScan any more, what do they use (or what should I be using) to thwart these kinds of scans/attacks?

    [options]
    
    UseAllowVerbs=1                ; If 1, use [AllowVerbs] section, else use the
                                   ; [DenyVerbs] section.   The default is 1.
    
    UseAllowExtensions=0           ; If 1, use [AllowExtensions] section, else
                                   ; use the [DenyExtensions] section. The
                                   ; default is 0.
    
    NormalizeUrlBeforeScan=1       ; If 1, canonicalize URL before processing.
                                   ; The default is 1.  Note that setting this
                                   ; to 0 will make checks based on extensions,
                                   ; and the URL unreliable and is therefore not
                                   ; recommend other than for testing.
    
    VerifyNormalization=1          ; If 1, canonicalize URL twice and reject
                                   ; request if a change occurs.  The default
                                   ; is 1.
    
    AllowHighBitCharacters=0       ; If 1, allow high bit (ie. UTF8 or MBCS)
                                   ; characters in URL.  The default is 0.
    
    AllowDotInPath=1               ; If 1, allow dots that are not file
                                   ; extensions. The default is 0. Note that
                                   ; setting this property to 1 will make checks
                                   ; based on extensions unreliable and is
                                   ; therefore not recommended other than for
                                   ; testing.
                                   ; changed to "1" on 7/21/10 after realizing it was breaking YUI AJAX
    
    RemoveServerHeader=0           ; If 1, remove the 'Server' header from
                                   ; response.  The default is 0.
    
    EnableLogging=1                ; If 1, log UrlScan activity.  The
                                   ; default is 1.  Changes to this property
                                   ; will not take effect until UrlScan is
                                   ; restarted.
    
    PerProcessLogging=0            ; This property is deprecated for UrlScan
                                   ; 3.0 and later.  UrlScan 3.0 and later can
                                   ; safely log output from multiple processes
                                   ; to the same log file.  Changes to this
                                   ; property will not take effect until
                                   ; UrlScan is restarted.
    
    AllowLateScanning=0            ; If 1, then UrlScan will load as a low
                                   ; priority filter.  The default is 0.  Note
                                   ; that this setting should only be used in
                                   ; the case where there another installed
                                   ; filter is modifying the URL and you wish
                                   ; to have UrlScan apply its rules to the
                                   ; rewritten URL.  Changes to this property
                                   ; will not take effect until UrlScan is
                                   ; restarted.
    
    PerDayLogging=1                ; If 1, UrlScan will produce a new log each
                                   ; day with activity in the form
                                   ; 'UrlScan.010101.log'. If 0, UrlScan will
                                   ; log activity to urlscan.log.  The default
                                   ; is 1.  Changes to this setting will not
                                   ; take effect until UrlScan is restarted.
    
    UseFastPathReject=0            ; If 1, then UrlScan will not use the
                                   ; RejectResponseUrl.  On IIS versions less
                                   ; than 6.0, this will also prevent IIS
                                   ; from writing rejected requests to the
                                   ; W3SVC log.  UrlScan will log rejected
                                   ; requests regardless of this setting.  The
                                   ; default is 0.
    
    LogLongUrls=0                  ; This property is deprecated for UrlScan 3.0
                                   ; and later. UrlScan 3.0 and later will
                                   ; always include the complete URL in its log
                                   ; file.
    
    UnescapeQueryString=1          ; If 1, UrlScan will perform two passes on
                                   ; each query string scan, once with the raw
                                   ; query string and once after unescaping it.
                                   ; If 0, UrlScan will only look at the raw
                                   ; query string as sent by the client.  The
                                   ; default is 1. Note that if this property is
                                   ; set to 0, then checks based on the query
                                   ; string will be unreliable.
    
    ;
    ; If UseFastPathReject is 0, then UrlScan will send
    ; rejected requests to the URL specified by RejectResponseUrl.
    ; If not specified, '/Rejected-by-UrlScan' will be used.
    ; Changes to this setting will not take effect until UrlScan
    ; is restarted.
    ;
    ; Note that setting "RejectResponseUrl=/~*" will put UrlScan into Logging
    ; Only Mode.  In this mode, UrlScan will process all requests per the
    ; config settings, but it will only log the results and not actually
    ; reject the requests.  This mode is useful for testing UrlScan settings
    ; on a production server without actually interrupting requests.
    ;
    
    RejectResponseUrl=/URLscan.htm
    
    ;
    ; LoggingDirectory can be used to specify the directory where the
    ; log file will be created.  This value should be the absolute path
    ; (ie. c:\some\path).  If not specified, then UrlScan will create
    ; the log in the same directory where the UrlScan.dll file is located.
    ; Changes to this setting will not take effect until UrlScan is
    ; restarted.
    ;
    
    LoggingDirectory=Logs
    
    ;
    ; If RemoveServerHeader is 0, then AlternateServerName can be
    ; used to specify a replacement for IIS's built in 'Server' header
    ;
    
    AlternateServerName=
    
    ;
    ; UrlScan supports custom rules that can be applied in addition to the other
    ; checks and options specified in this configuration file.  Rules should be
    ; listed in a comma separated string in the RuleList property.  Each rule in
    ; the list corresponds to two sections in this configuration file, one
    ; containing the options for the rule, and one containing deny strings for
    ; the rule.
    ;
    ; Here is an example:
    ;
    ;   [Options]
    ;   RuleList=Rule1
    ;
    ;   [Rule1]
    ;   AppliesTo=.exe,.dll        ; A comma separated list of file extensions to
    ;                              ; which the rule applies.  If not specified,
    ;                              ; the rule will be applied to all requests.
    ;
    ;   DenyDataSection=Rule1 Data ; The name of the section containing the
    ;                              ; rule's deny strings
    ;
    ;   ScanURL=0                  ; If 1, the URL will be scanned for deny
    ;                              ; strings. The default is 0.
    ;
    ;   ScanAllRaw=0               ; If 1, then the raw request header data will
    ;                              ; be scanned for deny strings.  The default
    ;                              ; is 0.
    ;
    ;   ScanQueryString=0          ; If 1, the the query string will be scanned
    ;                              ; for deny strings.  The default is 0.  Note
    ;                              ; that if UnescapeQueryString=1 is set in the
    ;                              ; [Options] section, then two scans will be
    ;                              ; made of the query string, one with the raw
    ;                              ; query string and one with the query string
    ;                              ; unescaped.
    ;
    ;   ScanHeaders=               ; A comma separated list of request headers to
    ;                              ; be scanned for deny strings.  The default is
    ;                              ; no headers.
    ;
    ;   DenyUnescapedPercent=0     ; If 1, UrlScan will scan the specified part
    ;                              ; of the raw request for a % character that is
    ;                              ; not used as an escape sequence.  If found,
    ;                              ; the request will be rejected.  This check
    ;                              ; can be used with ScanQueryString=1,
    ;                              ; ScanAllRaw=1, or the list of ScanHeaders.
    ;                              ; The default is 0.  Note that if you want to
    ;                              ; deny non-escaped % characters in the URL,
    ;                              ; you can set VerifyNormalization=0 in the
    ;                              ; [Options] section and then add % as a
    ;                              ; [DenyUrlSequences] entry.
    ;
    ;   [Rule1 data]
    ;   string1
    ;   string2
    ;
    
    RuleList=
    
    [RequestLimits]
    
    ;
    ; The entries in this section impose limits on the length
    ; of allowed parts of requests reaching the server.
    ;
    ; It is possible to impose a limit on the length of the
    ; value of a specific request header by prepending "Max-" to the
    ; name of the header.  For example, the following entry would
    ; impose a limit of 100 bytes to the value of the
    ; 'Content-Type' header:
    ;
    ;   Max-Content-Type=100
    ;
    ; Any headers not listed in this section will not be checked for
    ; length limits.
    ;
    ; There are 3 special case limits:
    ;
    ;   - MaxAllowedContentLength specifies the maximum allowed
    ;     numeric value of the Content-Length request header.  For
    ;     example, setting this to 1000 would cause any request
    ;     with a content length that exceeds 1000 to be rejected.
    ;     The default is 30000000.
    ;
    ;   - MaxUrl specifies the maximum length of the request URL,
    ;     not including the query string. The default is 260 (which
    ;     is equivalent to MAX_PATH).
    ;
    ;   - MaxQueryString specifies the maximum length of the query
    ;     string.  The default is 2048.
    ;
    
    MaxAllowedContentLength=30000000
    MaxUrl=260
    MaxQueryString=2048
    
    [AllowVerbs]
    
    ;
    ; The verbs (aka HTTP methods) listed here are those commonly
    ; processed by a typical IIS server.
    ;
    ; Note that these entries are effective if "UseAllowVerbs=1"
    ; is set in the [Options] section above.
    ;
    
    GET
    HEAD
    POST
    
    [DenyVerbs]
    
    ;
    ; The verbs (aka HTTP methods) listed here are used for publishing
    ; content to an IIS server via WebDAV.
    ;
    ; Note that these entries are effective if "UseAllowVerbs=0"
    ; is set in the [Options] section above.
    ;
    
    PROPFIND
    PROPPATCH
    MKCOL
    DELETE
    PUT
    COPY
    MOVE
    LOCK
    UNLOCK
    OPTIONS
    SEARCH
    
    [DenyHeaders]
    
    ;
    ; The following request headers alter processing of a
    ; request by causing the server to process the request
    ; as if it were intended to be a WebDAV request, instead
    ; of a request to retrieve a resource.
    ;
    
    Translate:
    If:
    Lock-Token:
    Transfer-Encoding:
    
    [AllowExtensions]
    
    ;
    ; Extensions listed here are commonly used on a typical IIS server.
    ;
    ; Note that these entries are effective if "UseAllowExtensions=1"
    ; is set in the [Options] section above.
    ;
    
    .cfm
    .cfc
    .htm
    .html
    .txt
    .jpg
    .jpeg
    .gif
    .png
    
    [DenyExtensions]
    
    ;
    ; Extensions listed here either run code directly on the server,
    ; are processed as scripts, or are static files that are
    ; generally not intended to be served out.
    ;
    ; Note that these entries are effective if "UseAllowExtensions=0"
    ; is set in the [Options] section above.
    ;
    ; Also note that ASP scripts are denied with the below
    ; settings.  If you wish to enable ASP, remove the
    ; following extensions from this list:
    ;    .asp
    ;    .cer
    ;    .cdx
    ;    .asa
    ;
    
    ; Deny executables that could run on the server
    .exe
    .bat
    .cmd
    .com
    
    ; Deny infrequently used scripts
    .htw     ; Maps to webhits.dll, part of Index Server
    .ida     ; Maps to idq.dll, part of Index Server
    .idq     ; Maps to idq.dll, part of Index Server
    .htr     ; Maps to ism.dll, a legacy administrative tool
    .idc     ; Maps to httpodbc.dll, a legacy database access tool
    .shtm    ; Maps to ssinc.dll, for Server Side Includes
    .shtml   ; Maps to ssinc.dll, for Server Side Includes
    .stm     ; Maps to ssinc.dll, for Server Side Includes
    .printer ; Maps to msw3prt.dll, for Internet Printing Services
    
    ; Deny various static files
    .ini     ; Configuration files
    .log     ; Log files
    .pol     ; Policy files
    .dat     ; Configuration files
    .config  ; Configuration files
    
    [AlwaysAllowedUrls]
    ;
    ; URLs listed here will always be explicitly allowed by UrlScan
    ; and will bypass all UrlScan checks.  URLs must be listed
    ; with a leading '/' character.  For example:
    ;
    ;   /SampleURL.htm
    ;
    
    [DenyUrlSequences]
    ;
    ; If any character sequences listed here appear in the URL for
    ; any request, that request will be rejected.
    ;
    
    ..  ; Don't allow directory traversals
    ./  ; Don't allow trailing dot on a directory name
    \   ; Don't allow backslashes in URL
    :   ; Don't allow alternate stream access
    %   ; Don't allow escaping after normalization
    <   ; added 8/6/13 to foil appscanners
    ;&  ; commented out 7/7/10, was causing problems
    
    [AlwaysAllowedQueryStrings]
    ;
    ; Query strings listed here will always be explicitly allowed by
    ; UrlScan and will bypass all query string based checks.
    ;
    
    
    [DenyQueryStringSequences]
    ;
    ; If any character sequences listed here appear in the query
    ; string for any request, that request will be rejected.
    ;
    
    javascript        ; added 7/7/10 to foil appscanners
    onError           ; added 7/12/10 to foil appscanners
    onLoad            ; added 7/12/10 to foil appscanners
    onUnload          ; added 7/12/10 to foil appscanners
    onFocus           ; added 7/12/10 to foil appscanners
    onBlur            ; added 7/12/10 to foil appscanners
    onChange          ; added 7/12/10 to foil appscanners
    onSubmit          ; added 7/12/10 to foil appscanners
    onMouseOver       ; added 7/12/10 to foil appscanners
    onMouseOut        ; added 7/12/10 to foil appscanners
    onClick           ; added 7/30/13 to foil appscanners
    expression(alert  ; added 7/26/13 to foil appscanners
    style=            ; added 7/29/13 to foil appscanners
    \                 ; added 7/29/13 to foil appscanners
    
    
    <   ; Commonly used by script injection attacks
    >   ; Commonly used by script injection attacks
    
    Tuesday, August 6, 2013 3:15 PM
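To see which of the posted rules fires on a given request before changing anything on the server, here is an added example (not UrlScan's own code and not from this thread): a small Python simulator of the deny checks as the config comments describe them, run over the probe URL from the post and over the rewritten reject URL that IIS reported. The rule subset, the matching model (case-insensitive substring, path and query split at the first '?', query scanned raw and then unescaped as UnescapeQueryString=1 describes) are assumptions; it does not reproduce UrlScan's URL normalization or its RejectResponseUrl rewrite.

```python
from urllib.parse import unquote

# Constructed subset of the UrlScan.ini posted above (comments trimmed).
CONFIG_TEXT = r"""
[DenyUrlSequences]
..  ; Don't allow directory traversals
\   ; Don't allow backslashes in URL
%   ; Don't allow escaping after normalization
<   ; added 8/6/13 to foil appscanners

[DenyQueryStringSequences]
javascript       ; added 7/7/10 to foil appscanners
expression(alert ; added 7/26/13 to foil appscanners
\                ; added 7/29/13 to foil appscanners
<   ; Commonly used by script injection attacks
>   ; Commonly used by script injection attacks
"""


def parse_sections(text):
    """Parse ini-style text into {section: [sequence, ...]}.
    Everything after the first ';' on a line is a comment (assumed)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def check_request(url, sections):
    """Return ('reject', reason) or ('allow', '') for a request path+query.
    Assumed model: case-insensitive substring match; DenyUrlSequences applies
    to the path, DenyQueryStringSequences to the query (raw, then unescaped)."""
    path, _, query = url.partition("?")
    for seq in sections.get("DenyUrlSequences", []):
        if seq.lower() in path.lower():
            return "reject", f"DenyUrlSequences: {seq!r}"
    for candidate in (query, unquote(query)):
        for seq in sections.get("DenyQueryStringSequences", []):
            if seq.lower() in candidate.lower():
                return "reject", f"DenyQueryStringSequences: {seq!r}"
    return "allow", ""


if __name__ == "__main__":
    rules = parse_sections(CONFIG_TEXT)
    for u in ("/..<script>alert(7751)</script>", "/URLscan.htm?~/.."):
        print(u, "->", check_request(u, rules))
```

Under this model the probe is rejected by the ".." entry, while the reject page's own URL with its "~/.." query string matches nothing in the query-string rules, so the simulator alone does not explain the 403 the poster sees.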
  • User-1641237345 posted

    Any ideas?  Still looking for a solution.  Hard to believe I'm the only person with this question!  Thanks.

    Tuesday, August 20, 2013 3:18 PM
  • User52160103 posted

    Hi, I know I’m a bit late. But did you manage to resolve it? I’m facing the same issue right now.

    Wednesday, May 22, 2019 1:23 PM