 

IIS7.5 ASP.NET MVC users hitting strange URLs: /(F(1xe9eXIxPz

We are getting reports from a small number of users that they are ending up on very strange paths in our web app, of the form:

https://www.example.com/(F(1xe9eXIxPzMALrZu6xd_6LBxDDlJI3lH2lkSvREZZKCfPBH20SF5EcNql6uXvyBVLgiNZshp9vXxaEzuLa5zm8c4ruux6gqu3B90eXGNmKDypu-wKR4OW_GwQctfjCdoxFYcDlLwglfE6rICL3JGkxtq4jgxggiQgJopKZGzLJ_PF2lHY7NqXya8eDshkP9o8QFDad47U54TMsxEwKCki2xPV9d9VxxjmDhNg7aQb38X_OTxHtf9I7AxiccanJf4m0bo0ceEJ70Mv20XYaMSlA2))/some/path

(Note: I've changed random chars in that in case it's some kind of security leak, so don't bother trying to decode it - although if doing so might be helpful, please tell me what I'm looking for so I can do it on the real URL).

This causes a 400 in IIS, but IIS doesn't log it, so I have no idea of the referrer etc.

From what our users describe, it's being caused at this step:

return Redirect("/some/path");

(which is in an ASP.NET MVC 2 Controller Action).

The site is running on IIS 7.5 under SSL.

Any ideas? I've never seen anything like this :s

Update:

I also have ISAPI rewrite installed, with the following .htaccess:

RewriteEngine on
AllowOverride All

# Ensure that all traffic on the live domain is enforced as HTTPS
RewriteCond %{HTTP:Host} (.*)
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} (.*)
RewriteRule .? https://%1%2 [R,L]
Andrew Bullock asked Jun 03 '11 15:06
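The `/(F(...))/` segment in the question's URL is the shape ASP.NET uses to carry cookieless values in the path: a forms-authentication ticket in `F(...)`, a session id in `S(...)`, an anonymous id in `A(...)`, combined into one parenthesised segment directly after the application root. Because the `F` value is the authentication ticket itself, any copy of such a URL (browser history, a Referer header sent to another site, a web server log) is a replayable credential. The script below is an added example, not code from the question or from ASP.NET: it parses that segment out of a path, and scans constructed IIS W3C log lines (the `#Fields:` layout and the log rows are made up for the example) for tickets exposed either in the requested path or in a Referer. It goes beyond the question's single `F` case by handling the combined `A`/`S`/`F` form.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# ASP.NET writes cookieless values as one path segment of the form
# /(A(anon)S(session)F(formsauth))/ right after the application root.
# Any subset of the A/S/F groups may be present.
SEGMENT_RE = re.compile(r"/\(((?:[ASF]\([^()/]*\))+)\)(?=/|$)")
GROUP_RE = re.compile(r"([ASF])\(([^()/]*)\)")

TICKET_NAMES = {"A": "anonymous-id", "S": "session-id", "F": "forms-auth-ticket"}


@dataclass
class CookielessHit:
    path: str                                   # path exactly as requested
    clean_path: str                             # same path with the ticket segment removed
    tickets: Dict[str, str] = field(default_factory=dict)   # e.g. {"F": "<ticket>"}


def parse_cookieless_path(path: str) -> Optional[CookielessHit]:
    """Return the embedded tickets and the de-ticketed path, or None if the
    path carries no cookieless segment."""
    m = SEGMENT_RE.search(path)
    if not m:
        return None
    tickets = dict(GROUP_RE.findall(m.group(1)))
    clean = path[:m.start()] + path[m.end():]
    return CookielessHit(path=path, clean_path=clean or "/", tickets=tickets)


def scan_iis_log(log_text: str) -> List[dict]:
    """One finding per W3C log row whose cs-uri-stem or cs(Referer) path
    carries a cookieless ticket. Field positions come from the #Fields: header,
    as IIS writes them, so the function does not assume a fixed column order."""
    fields: Optional[List[str]] = None
    findings: List[dict] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log row seen before any #Fields: header")
        row = dict(zip(fields, line.split()))
        # Check the requested path first, then the Referer: a ticket in the
        # Referer means the browser has already sent it to whatever the
        # user navigated from, which is how these URLs leak.
        candidates = [("cs-uri-stem", row.get("cs-uri-stem", ""))]
        referer = row.get("cs(Referer)", "-")
        if referer != "-":
            candidates.append(("cs(Referer)", urlsplit(referer).path))
        for source, path in candidates:
            hit = parse_cookieless_path(path)
            if hit is None:
                continue
            findings.append({
                "time": row.get("time"),
                "c-ip": row.get("c-ip"),
                "status": row.get("sc-status"),
                "source": source,
                "tickets": {TICKET_NAMES[k]: v for k, v in hit.tickets.items()},
                "clean_path": hit.clean_path,
            })
    return findings


# Constructed sample log (not real traffic): a login, the redirect landing on a
# ticketed URL, then a later request whose Referer still carries the ticket.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2011-06-03 15:06:01 GET /Login - 203.0.113.10 - 200
2011-06-03 15:06:02 POST /Login - 203.0.113.10 https://www.example.com/Login 302
2011-06-03 15:06:03 GET /(F(1xe9eXIxPz))/some/path - 203.0.113.10 https://www.example.com/Login 200
2011-06-03 15:06:09 GET /some/path - 203.0.113.10 https://www.example.com/(F(1xe9eXIxPz))/some/path 200
"""

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f['time']} {f['c-ip']} {f['source']}: {f['tickets']} -> {f['clean_path']}")
```

Run against a real log export, the findings tell you which clients were handed a ticket in the URL and which of those tickets have already travelled in a Referer; the `F` values in the output should be treated as live credentials and invalidated, not pasted into a ticket tracker.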


1 Answer

We had exactly the same issue when browsing our site from iPads or Surface tablets. Forms authentication would switch to "UseUri" mode somehow.

As per http://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.90).aspx the default mode to store the Auth ticket in Forms Authentication is "UseDeviceProfile" which apparently checks whether the device supports cookies or not.

Then it goes and says "For devices that support cookies, no attempt is made to probe to determine whether cookie support is enabled.". Perhaps someone can help me understanding this sentence :)

In any case, we solved the issue by forcing Forms Authentication to use cookies in the web.config file:

<authentication mode="Forms">
  <forms cookieless="UseCookies" loginUrl="~/Login" timeout="2880" />
</authentication>
Yosoyadri answered Sep 17 '22 09:09