1.4.5 Ensure Double-Encoded Requests will be Rejected - Applications

Information

This Request Filtering feature prevents attacks that rely on double-encoded requests; it applies whenever an attacker submits a double-encoded request to IIS. When the double-encoded requests filter is enabled, IIS 7 normalizes the request in two iterations. If the result of the first normalization differs from the result of the second, the request is rejected and the error is logged with status code 404.11. The double-encoded requests filter corresponds to the VerifyNormalization option in UrlScan. It is recommended that double-encoded requests be rejected.

This feature helps prevent attacks that rely on URLs crafted to contain one or more double-encoded requests.
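The following is an added example, not part of the benchmark text, that simulates the two-iteration normalization described above so the rejection rule can be seen on concrete input. It decodes a URL path once, decodes the result again, and flags the request as rejected with 404.11 when the two passes disagree. The function name, the sample paths and the use of [System.Uri]::UnescapeDataString for percent-decoding are assumptions of this example; it does not model the '+' handling noted in the Solution section.

```powershell
# Added example (not from the benchmark): simulate the two-pass normalization
# that Request Filtering applies when allowDoubleEscaping is false.
function Test-DoubleEncodedUrl {
    param([Parameter(Mandatory)][string]$Path)

    # First normalization: decode percent-escapes once.
    $first  = [System.Uri]::UnescapeDataString($Path)
    # Second normalization: decode the result of the first pass again.
    $second = [System.Uri]::UnescapeDataString($first)

    # If the passes disagree, escapes survived the first decode, i.e. the
    # request was double-encoded; IIS rejects it and logs a 404.11.
    $rejected = ($first -ne $second)
    [pscustomobject]@{
        Path       = $Path
        FirstPass  = $first
        SecondPass = $second
        Rejected   = $rejected
        Status     = $(if ($rejected) { '404.11' } else { 'allowed' })
    }
}

# Constructed sample requests: a plain path, a single-encoded space (allowed,
# both passes agree), and double-encoded characters (%252E decodes to %2E and
# then to '.', %252F decodes to %2F and then to '/'), which are rejected.
'/images/logo.png',
'/docs/annual%20report.pdf',
'/files/report%252Ecsv',
'/files%252Freport.csv' | ForEach-Object { Test-DoubleEncodedUrl $_ } | Format-Table -AutoSize
```

Only the double-encoded paths produce a status of 404.11; the single-encoded space is accepted because decoding it a second time changes nothing. That is the comparison IIS performs, so a 404.11 in the IIS log is a direct indicator of a double-encoded request being blocked.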

Solution

The allowDoubleEscaping Request Filtering setting may be configured for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, or by directly editing the configuration files. To configure using the IIS Manager GUI:
1. Open Internet Information Services (IIS) Manager
2. In the Connections pane, select the site, application, or directory to be configured
3. In the Home pane, double-click Request Filtering
4. Click Edit Feature Settings... in the Actions pane
5. Under the General section, uncheck Allow double escaping

If a file name in a URL includes '+', then allowDoubleEscaping must be set to true for that URL to function.
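The following is an added example, not part of the benchmark text, showing how to audit and remediate this setting from PowerShell instead of the GUI, at the server level and for a single site. It assumes the WebAdministration module is available, the session is elevated, and a site named 'Default Web Site' exists; the function name and that site name are assumptions of this example. The equivalent AppCmd.exe command and web.config fragment are given in comments.

```powershell
# Added example (not from the benchmark): audit and remediate allowDoubleEscaping.
Import-Module WebAdministration

$filter = 'system.webServer/security/requestFiltering'

# Read the effective value at a given configuration path and report compliance
# (the benchmark expects allowDoubleEscaping to be false).
function Get-DoubleEscapingState {
    param([string]$PSPath = 'MACHINE/WEBROOT/APPHOST')   # server-level default
    $value = (Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name 'allowDoubleEscaping').Value
    [pscustomobject]@{
        Scope               = $PSPath
        AllowDoubleEscaping = [bool]$value
        Compliant           = -not [bool]$value
    }
}

# Audit: server default (applicationHost.config) and one site.
Get-DoubleEscapingState
Get-DoubleEscapingState -PSPath 'IIS:\Sites\Default Web Site'

# Remediate: reject double-encoded requests server-wide.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name 'allowDoubleEscaping' -Value $false

# Re-check after the change.
Get-DoubleEscapingState

# Equivalent AppCmd.exe command:
#   %systemroot%\system32\inetsrv\appcmd set config /section:requestFiltering /allowDoubleEscaping:false
#
# Equivalent web.config / applicationHost.config fragment:
#   <system.webServer>
#     <security>
#       <requestFiltering allowDoubleEscaping="false" />
#     </security>
#   </system.webServer>
#
# If a specific application serves file names containing '+', scope an
# exception to that application only, e.g. -PSPath 'IIS:\Sites\Default Web Site\legacy'
# with -Value $true, rather than relaxing the server-wide setting.
```

Setting the value at MACHINE/WEBROOT/APPHOST makes rejection the default for every site; auditing individual sites afterwards catches a site-level override that re-enables double escaping.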

See Also

https://benchmarks.cisecurity.org/tools2/iis/CIS_Microsoft_IIS_8_Benchmark_v1.4.0.pdf

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|3.1

Plugin: Windows

Control ID: d9e503281efa8f7366e857ad97d269415fb36f6b40747cfccbf019d8d8bdaaaf