
IIS Request Filtering to block HTTP Verbs (For example Trace)

The issue

Request Filtering is a built-in security feature that was introduced in Internet Information Services (IIS) 7.0. This can be used to block specific verbs like "Trace".

When request filtering blocks an HTTP request, IIS 7 returns an HTTP 404 error to the client and logs the HTTP status with a unique substatus that identifies the reason the request was denied; for a blocked verb that substatus is 404.6, Verb Denied.

HTTP Substatus   Description
404.5            URL Sequence Denied
404.6            Verb Denied
404.7            File Extension Denied
404.8            Hidden Namespace
404.10           Request Header Too Long
404.11           URL Double Escaped
404.12           URL Has High Bit Chars
404.13           Content Length Too Large
404.14           URL Too Long
404.15           Query String Too Long
404.18           Query String Sequence Denied
404.19           Denied by Filtering Rule

How to block

To block specific verbs, all you need to do is modify your web.config and, under <system.webServer> > <security>, add the following:
<requestFiltering>
    <verbs applyToWebDAV="false">
         <add verb="TRACE" allowed="false" />
    </verbs>
</requestFiltering>

OR

Step 1: Open IIS Manager
Step 2: Navigate to site & look for "Request Filtering"
Step 3: Navigate to HTTP Verbs & Deny TRACE

Verification of the issue (when bound to 443 over https)

Here we will check whether the HTTP TRACE method has been disabled on IIS.
  1. To complete this step you will need a machine with openssl.
  2. Log into the machine from step 1 using PuTTY or an equivalent terminal.
  3. Create a connection to the secure server via openssl using s_client:
    openssl s_client -connect dev.server.supportpoint.com:443 -servername dev.server.supportpoint.com -host dev.server.supportpoint.com -port 443
  4. Next, mimic a TRACE request by entering the following, followed by an empty line to end the request:
    TRACE / HTTP/1.0
    Host: dev.server.supportpoint.com
  5. As you can see, the result returned is 404.
  6. Check the IIS access logs for 404.6 (when request filtering blocks an HTTP request, IIS 7 returns an HTTP 404 error to the client and logs the HTTP status with a unique substatus that identifies the reason the request was denied; in our case, 404.6 is Verb Denied).
    1. Find the Application ID
      1. Go to the IIS Manager
      2. Right-click your site > Manage Website > Advanced Settings
      3. Your ID is an integer value

    2. Navigate to the logs directory & open the last modified log file
      1. Go to %SystemDrive%\inetpub\logs\LogFiles
      2. Then find the folder based on your Application ID.
        1. If your ID is 1, then go to W3SVC1.
        2. If your ID is 2, then go to W3SVC2.
        3. … and so on
      3. Open the last modified log file
    3. Search the log file for your TRACE request.
    4. You should now be able to see that the error logged is 404.6
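To automate step 6, here is an added example (not part of the original post) in Python that parses an IIS W3C log, using the substatus table above to separate request-filtering denials such as 404.6 from an ordinary 404.0 "file not found". The log lines are constructed for illustration, and the log path in the comment is the one the steps above point to.

```python
from typing import Dict, List

# Request Filtering substatus codes (from the table above); plain 404.0 is not one of them.
SUBSTATUS = {
    5: "URL Sequence Denied", 6: "Verb Denied", 7: "File Extension Denied",
    8: "Hidden Namespace", 10: "Request Header Too Long", 11: "URL Double Escaped",
    12: "URL Has High Bit Chars", 13: "Content Length Too Large", 14: "URL Too Long",
    15: "Query String Too Long", 18: "Query String Sequence Denied",
    19: "Denied by Filtering Rule",
}

def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per log entry, keyed by the names in the '#Fields:' directive."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order comes from the log itself
        elif line.startswith("#") or not line.strip():
            continue                           # #Software/#Version/#Date or blank line
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or partial lines
                entries.append(dict(zip(fields, values)))
    return entries

def filtering_denials(text: str) -> List[Dict[str, str]]:
    """Entries IIS logged as 404 with a request-filtering substatus (e.g. 404.6)."""
    hits = []
    for e in parse_w3c_log(text):
        sub = e.get("sc-substatus", "")
        if e.get("sc-status") == "404" and sub.isdigit() and int(sub) in SUBSTATUS:
            hits.append({"client": e["c-ip"], "method": e["cs-method"],
                         "uri": e["cs-uri-stem"], "code": f"404.{sub}",
                         "reason": SUBSTATUS[int(sub)]})
    return hits

# Constructed sample in the W3C format IIS writes under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<id>\
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 00:00:01 192.0.2.10 GET / - 443 - 203.0.113.5 Mozilla/5.0 200 0 0 15
2024-01-01 00:00:02 192.0.2.10 TRACE / - 443 - 203.0.113.5 - 404 6 0 1
2024-01-01 00:00:03 192.0.2.10 GET /missing.html - 443 - 203.0.113.5 Mozilla/5.0 404 0 2 3
"""

if __name__ == "__main__":
    for hit in filtering_denials(SAMPLE_LOG):
        print(hit)
```

Run it against the real file by replacing SAMPLE_LOG with the contents of the last modified log in your W3SVC<id> folder; only the TRACE line above is reported, because the second 404 carries substatus 0.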
