Safe to allow double escaping on IIS - asp.net

I have a site that is using IIS 7.5 it is also using ISAPI rewrite. I would like to redirect some URLS that will be passed by a piece of desktop software one of our business partners use. Basically they have an app that can be used to look up product, they can click on a product in the app and be take to the supplier's web site.
The problem is the app, which is used by many customers and cannot be changed to accommodate me, uses a "+" to eliminate spaces in some of the URL parameters. This is causing problems because I am trying to use ISAPI rewrite to re-write the URL based on the part number. The "+" sign causes IIS to return a "not found" error.
According to everything I have read this can be fixed by allowing double escaping in the web.config file. Everyone seems pretty cavalier about allowing this, but I see MS considers it a security issue.
So what exactly is the danger of allowing double escaping? We have an asp classic site running on this server so I don't want to risk any exposure of the site or DB by using this. OTOH if I could feel confident allowing it, it would be a really easy way to solve a problem.

That's a complex question. I don't have OTOH for you, but I can tell you that in the last 4 years of my experience with IIS and double-escaping, our customers have been enabling double escaping without any further problems. Member of HeliconTech Support Team

Related

Weird URL bypassing routing, parenthesis capital letter parenthesis anything two closing parentheses

I stumbled upon some strange behaviour today on a website at work. Our SEO consultant wanted some strange looking links taken away from Googles index, a seemingly straight-forward task. But it turned out to be very difficult.
The website was a .net MVC 5.2.3 application. We looked at routing, our own libraries etc. Nothing strange. After a while we gave up and tried simply redirect request to these urls by setting up a rule in web.config. Turns out these URL:s are unmatchable! Somehow under the right conditions the critical part of the URL seem to avoid matching rules as well as routing later on in the MVC application.
We narrowed down the mystical URL:s to the format (T(anything)) where T can by any capital letter and anything can be eh, anything. This is placed in the beginning of the URL as if it were a directory. In regex: \([A-Z]\([a-zA-Z0-9]*\)\)
I've tested and found the same behaviour on:
.net MVC5 sites
.net MVC3 sites
.net Web Forms sites
http://asp.net
http://stackoverflow.com
Some examples from stackoverflow.com:
Bypasses routing: https://stackoverflow.com/(K(jonas))/questions
Routes normal (404): https://stackoverflow.com/jonas/questions
Bypasses routing: https://stackoverflow.com/(G(hello))/users/1049710/jonas-%C3%84ppelgran
Routes normal (404): https://stackoverflow.com/gandhello/users/1049710/jonas-Äppelgran
It doesn't seem to affect the whole web, so it shouldn't be a browser or HTTP issue. Some examples:
Routes normal (404): http://php.net/(T(testing))/downloads
Routes normal (404): https://www.iana.org/(T(testing))/domains/reserved
Can anybody explain what is going on?
And what I can do to prohibit these URL:s to bypass routing?
Apparently this is a feature called a "cookieless session" in ASP.NET. See "Cookieless SessionIDs" section here in the MSDN docs.
The basic idea is that instead of storing the session id (if session state is enabled) in a cookie, it's now embedded in the URL.
We (Stack Overflow) disable session state entirely (by setting sessionState mode to off). As far as I know, the end result is that any time one of the URLs that match the session id format is used, that information is simply discarded.
None of the links leading to us in Google include it either, which makes me think that your site may be configured to actually generate session IDs in URLs? Short of disabling the feature, there's probably not much you can do here. Although, see "Regenerating Expired Session Identifiers" on the MSDN page I linked above to see how to at least prevent accidental session sharing if that's not already done.

ASP.NET Friendly URLs

In my research, I found 2 ways to do them.
Both required modifications to the Application_BeginRequest procedure in the Global.Asax, where you would run your code to do the actual URL mapping (mine was with a database view that contained all the friendly URLs and their mapped 'real' URLs). Now the trick is to get your requests run through the .NET engine without an aspx extension. The 2 ways I found are:
Run everything through the .NET engine with a wildcard application extension mapping.
Create a custom aspx error page and tell IIS to send 404's to it.
Now here's my question:
Is there any reason one of these are better to do than the other?
When playing around on my dev server, the first thing I noticed about #1 was it botched frontpage extensions, not a huge deal but that's how I'm used to connecting to my sites. Another issue I have with #1 is that even though my hosting company is lenient with me (as I'm their biggest client) and will consider doing things such as this, they are wary of any security risks it might present.
`#2 works great, but I just have this feeling it's not as efficient as #1. Am I just being delusional?
Thanks
I've used #2 in the past too.
It's more efficient because unlike the wildcard mapping, the ASP.NET engine doesn't need to 'process' requests for all the additional resources like image files, static HTML, CSS, Javascript etc.
Alternatively if you don't mind .aspx extension in your URL's you could use: http://myweb/app/idx.aspx/products/1 - that works fine.
Having said that, the real solution is using IIS 7, where the ASP.NET runtime is a fully fledged part of the IIS HTTP module stack.
If you have the latest version of IIS there is rewrite module for it - see here. If not there are free third party binaries you can use with older IIS (i.e. version 6) - I have used one that reads the rewrite rules from an .ini file and supports regular expression but I cant remember its name sorry (its possibly this). I'd recommend this over cheaping it out with the 404 page.
You have to map all requests through the ASP.NET engine. The way IIS processes requests is by the file extension. By default it only processes the .aspx, .ashx, etc extensions that are meant to only be processed by ASP.NET. The reason is it adds overhead to the processing of the request.
I wrote how to do it with IIS 6 a while back, http://professionalaspnet.com/archive/2007/07/27/Configure-IIS-for-Wildcard-Extensions-in-ASP.NET.aspx.
You are right in doing your mapping from the database. RegEx rewriting, like is used out of the box in MVC. This is because it more or less forces you to put the primary key in the URL and does not have a good way to map characters that are not allowed in URLs, like '.
Did you checked the ASP .Net MVC Framework? Using that framework all your URLs are automatically mapped to Controllers which could perform any desired action (including redirecting to other URLs or controllers). You could also set custom routes with custom parameters. If you don't have seen it yet, maybe it will worth the look.

Using Url.RouteUrl to Redirect to URL with #, %, and so on

In a web application I'm working on, we'd like to be able to show information about resources at a given path. The path is entirely virtual—it only exists in the application—so we don't really have a problem with users setting virtual paths that are "weird" by normal file system standards.
The issue: we have a route that reads something similar to
/Files/{*path}
and we attempt to redirect with
Url.RouteUrl("File", new { path = somePath })
This usually works, but fails if somePath contains & or #, among others. In those cases, I'm suck. I can't UrlEncode(somePath) at this point, because RouteUrl does its own URL encoding, but I can't leave them as-is, because otherwise they're treated improperly (the octothorp doesn't get passed to the routing data, and the ampersand confuses IIS). Is there a sane way around this? Or do I basically just need to implement my own routes via string interpolation?
I've been playing around with your example, and I cannot find any problems with using RouteUrl with special characters as you describe above, at least not in my test environments. The RouteUrl method encodese the urls correctly, and the controller gets the value in decoded form without any problems or deformities.
I've tested this out in IIS 7 as well as the VS 2008 development web server.
Can you provide more complete sample code?
The best answer I've found so far, though it only works on IIS7, is to follow the instructions at http://dirk.net/2008/06/09/ampersand-the-request-url-in-iis7/ to edit the registry and change some of IIS7's default behavior. This is unacceptable for us, since we're making an application that will be installed on end user's machines—and at any rate, even if we weren't, there'd be the simple fact that IIS6 and IIS5 don't respond to this sequence. Any ideas for earlier versions of IIS, or ways to override this behavior programmatically in IIS7, would be wonderful.

How to SEO friendly an existing ASP .NET 3.5 web application under IIS6

So, I know there's a lot of this subject here and over the Internet. But most articles/questions refers to "static" url rewriting, like:
www.site.com/products.aspx?category=Books
So they rewrite it to
www.site.com/Products/Books
That's ok but I need something else.
The site is like a CMS, it has different types of content.
Nowadays to read the article titled "How StackOverflow helps you in your development" you need to go to an URL like the following.
www.site.com/viewContent.aspx?Id=1234
What I want to achive is:
www.site.com/Content/Articles/how-to-stackoverflow-helps-you-in-your-development
So as I understand, I need to involve ASP .NET in that, because first I need to retrieve the article (an its title of course) and then rewrite the URL.
But I'm wondering how the hell ASP .NET will know how to get that article if I go to that URL, it doesn't include the id anywhere...
So maybe I could accept something like
www.site.com/Content/Articles/1234/how-to-stackoverflow-helps-you-in-your-development
I'm kind of lost here really.. I've never done any URL Rewriting at all and I've googled a lot and I cannot find a way to do what I want. Maybe what I want is not called url rewriting??? I don't know...
The site is running under Windows 2003 Server, IIS6, ASP .NET 3.5 SP1
And of course, I need a free solution, cannot spend 100usd on the ISAPI mod (besides I don't know if that is going to do what I need).
Thanks to all and sorry if this is a duplicated question, but I couldn't find it.
EDIT: I don't need to support non-ASP.NET files (jpgs, gifs, etc) don't need to be rewritten. I just need to rewrite the viewContent page to include the content title into the URL.
You can use the new Routing that comes with ASP.Net 3.5 sp1 to have clean URLs.
This can even be done in web forms and not just MVC. ( I have done it myself). See here and here for exanples of how to set it up.
You can throw the Id of the article and the title in the URL and make the Id the real parameter that gets used to search for the article. That is what SO does. Try removing the question for the URL and it will take you to the same place.
Even if you don't use the Id you can pass the title of the article "how-to-stackoverflow-helps-you-in-your-development" to your DB and retreive the article based on the title.
With regards to IIS 6 it is a little trickier since IIS 6 by default can't handle extension-less URL's.
There are a few work arounds:
Use the wildcard mapping in IIS to map all requests to Asp.Net
Put Default.aspx at the end of your urls
See this post for other possible solutions.
Although the first solution may have performance issues if all content in your site goes through Asp.Net (even images, css, .html ...) in a small site it shouldn't matter. I have used this approach and there wasn't any major performance issues. I think it is the simplest solution. Here is the website I built with it
I hope this helps.
This one is free, I have used it and it works pretty well: http://www.codeplex.com/IIRF
The nice thing is that it will handle url's without an extension (i.e. .aspx, .html, etc.)
You can achieve this with ASP.NET routing.You can do this with ASP.NET MVC as well as Webforms.No need to do anything with IIS.
Check the below link
https://web.archive.org/web/20201205221404/https://www.4guysfromrolla.com/articles/051309-1.aspx#postadlink
I did URL routing in my web application within 1 hour with the details from the above link.Its quite simple to learn .They provide sample codes too.It will help you to do it easily
You can retrieve the Id of the content using the title.But title should be unique.You can use ajax to check whether the title is a already existing one when user takes mouse out from the textbox.
Easiest way is to add a http module to your current webforms project.
http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspx
This shows you the basics of it, But it can easily be expanded so that the pages you want to rewite is taken from a database or even built on the fly.
ASP.net MVC is your friend for that
stackoverflow use MVC

Taking /Pages out of the SharePoint URL?

A customer is asking if there is anything we can do to remove "/Pages" from his Internet-facing MOSS publishing site. Some Googling reveals that some clever use of HTTPModules may be able to hide the presence of Pages, but I've yet to see an end-to-end working solution. Have any of you come up against this particular requirement, and if so, how did you resolve it?
The customer's main concern with /Pages is the SEO impact of it - if anyone has any way to mitigate those issues or can explain why having this extra level in your URL would not be a concern, that would be appreciated as well (and probably better, in the long run!)
Check out this posting. http://blog.mastykarz.nl/semantic-urls-in-moss-2007-imtech-sharepoint-semantic-urls-free-feature/
The main issue you'll have is that Microsoft won't provide support for a SharePoint instance that has "hidden" the pages library.
Yes, you can use a URL re-writer to exclude the /pages section of the path, and you will also need to perform a search and replace on the response stream to strip it out of all generated URLS - this will obviously have a performance hit on the server - but with careful use of caching, it might not be that noticable.
PSS will require you to remove the setup before they will investigate any issues with your site, so you (or your client) will need to weigh up the perceived benefits with the performance and support issues.
I believe we've done it for one of our clients in the past, but most are happy to stick with the /pages element - it really doesn't have that much effect.
I know ASP.NET 3.5 SP1 has the URL routing engine that ASP.NET MVC uses built in. If you wanted to run against that version of the .NET framework, you could use routes to eliminate the /Pages part of the URL. But I'm not positive about running MOSS on that version of .NET. That's the first place I'd check, though.
You can get a list of public facing websites using MOSS here. You can see they use the "page" libraries and you can check your favorite search engines against the content.
Hopefully this will be enough to demonstrate that the "Page" libraries aren't going to be too much of an issue and you can save them a bunch of cash.
You can change the name (and the url) of the /Pages library.

Resources