IISShield and ASP.NET canonicalization
From: Tiago Halm (thalm_at_HOTMAIL.COM)
Date: Wed, 13 Oct 2004 20:20:03 +0100 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
A lot of fuzz has come around the canonicalization issue found with IIS and
ASP.NET forms authentication. One of the main worries has been if IISShield
is an effective measure to prevent this kind of exploit.
So, is it effective? Yes!
Since ISAPI Filters will be the main topic, here goes. ISAPI Filters have
several notifications to which they can subscribe and these notifications
are the various steps through which an Http Request goes through before
reaching the intended script map ISAPI Extension to which it is destined.
Each ISAPI Filter installed in IIS has a chance to do something (parse,
modify) to the contents of that Http Request (each ISAPI gets a chance to
its own thing in the exact order they are installed in IIS).
Only after the ISAPI Filters process the pre-execution notifications, is
when IIS delivers the Http Request to the appropriate script map ISAPI
Extension. ASP.NET, with its associated extensions - aspx, asax, ashx,
etc.., is handled by one of those ISAPI Extensions called
(IIS5). In IIS6, the ISAPI Extension of ASP.NET has another name I do not
recall right now. These extensions deal with all the details of the ASP.NET
execution request. After ASP.NET terminates the processing of the Http
Request, it then delivers it the ISAPI Filters "kingdom" again. And now, the
Http Response (now its called response, since it is an answer to a request)
must then travel through the post-execution notifications where again the
ISAPI Filters have their opportunity to parse/modify the Http Response.
So, every Http Request reaching IIS goes through the ISAPi Filter
notifications where there is an opportunity to parse the request.
KodeIT IISShield reliably protects IIS from any encoding attempt of a URL be
- Hexadecimal escape codes
- UTF-8 variable-width encoding
- UCS-2 Unicode encoding
- Double encoding
KodeIT Development Team
--- [This E-mail has been scanned for viruses but it is your responsibility to maintain up to date anti virus software on the device that you are currently using to read this email. ] -- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. --