Develop Reference

RequestFiltering not working for MS-DOS device name paths

I'm trying to appease a PCI scan failure we recently had done, in which it states:
Microsoft ASP.NET MS-DOS Device Name DoS
Synopsis :
A framework used by the remote web server has a denial of service vulnerability.
Impact:
The web server running on the remote host appears to be using Microsoft
ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL
containing an MS-DOS device name can cause the web server to become
temporarily unresponsive.
In a nutshell, we visit a URL on our app such as /AUX/.aspx we get a 500 error.
I'm using RequestFiltering to filter these requests out, and return 404's instead, without the server trying to process the request.
An excerpt of my web.config is below:
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="/AUX/.aspx" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
However, this isn't working, it's still returning a 500.
I would expect it to return a 404.
If I add the following catch-all url to the denyUrlSequences then the whole site produces the expected 404.
<add sequence="/" />
It's worth mentioning the application in question is an MVC app running on IIS 7.5 (Windows 2008 R2)

Just had to solve this problem.
My solution was to disable .Net Error Pages and enable IIS Error Pages.
When you move the custom error handling from the higher .Net level to the lower IIS level the HTTP response code changes from 500 to 404.
PCI Test Passed :-)

I struggled with this for quite some time myself. I think the 500 response code is correct for MS-DOS names in the URL, and you do not need to add anything to request filtering.
You'll notice that you will get a 500 error if you use any of the MS-DOS names (https://support.microsoft.com/en-us/kb/74496) without doing anything to your configuration. However, if you add a RequestFiltering denySequence for something else, like "foo", then you will see the 404.5 error when browsing to /foo.
If you add relaxedUrlToFileSystemMapping="true" to the httpRuntime element along with your request filtering denySequence entries, then you will get the 404.5 for MS-DOS names.
But disabling the default asp.net configuration just so you can get something other then a 500 response for a URL with MS-DOS name is a rediculous request from a PCI compliance check.

IIS ASP.NET 1.1 Application - Server Error Page - Abstraction from User

Currently our application gets the following error page.
Server Error in '/' Application
This even in case of a custom errors set to RemoteOnly.
What is the HTTP Error Code of this error? This because, we can add it under Custom Errors on InetMgr and set it to a Custom Error Page.

Server errors get raised as 500's usually (Internal Server Error).

HTTP Error 405.0 - Method Not Allowed

We are deploying one site asp.net 1.1 on Windows Web Server2008 R2 running IIS 7.5 on standalone PC. it is working perfectly on the 2003 machine. The 2008 machine is the one giving below trouble;
We are getting below error message:
HTTP Error 405.0 - Method Not Allowed
The page you are looking for cannot be displayed because an invalid method (HTTP verb) is being used.
Module: StaticFileModule
Notification: ExecuteRequestHandler
Handler: StaticFile
1.) We have added the 'POST' verb in to the request permissions on the StaticFile Handler.
2.) What causes an HTTP 405 "invalid method (HTTP verb)" error when POSTing a form to PHP on IIS?
We have tried various suggestions from other forums but none have worked, i would really appreciate some help

If your site uses JSON objects and the "Requested URL" is a *.json file, do the following:
http://www.uipress.com/add-json-handler-support-in-iis-7/#.UT_bw9aOR8E

ASP.NET MVC: How to handle 400 bad request error when url end with %

I am trying to handle all HTTP errors to my custom error pages, but I find that when there is a % at the end of url, i cannot use config setting or code to handle it,
for example: http://localhost/abc%
the response is:
Bad Request - Invalid URL
HTTP Error 400. The request URL is invalid.
So, can we use config setting or c# code to handle this error request?

Who said not possible?
Response.TrySkipIisCustomErrors = true;
OR
<configuration>
<system.webServer>
<httpErrors existingResponse="PassThrough" />
</system.webServer>
</configuration>
original post

See this 4 part series for configuring custom error pages within IIS: http://www.dotnetscraps.com/dotnetscraps/post/Did-you-know-Enable-Custom-Error-in-IIS-7-75.aspx.
I personally prefer to use Application_Error event to log the errors and redirect user to custom error pages. Note that you need to use integrated pipe-line in IIS to catch all errors otherwise IIS will show its own error page for resources that are not served by ASP.NET.
EDIT:
Sorry for the wrong answer. I have XP machine currently that shows 404 for % sign so couldn't verify above. Searching over internet, I found that it's simply not possible to display custom error page for 400 status code. See this question from server fault for more information.

ASP.NET WebService deny remote access

I've created an ASP.NET WebService that is to be consumed using ASP.NET Ajax. The WebService is located on the same box and same web application that it is to be used by, so I do not want to allow remote access to this webservice, but have it only respond to requests from localhost.
The Web.Config DOES NOT have a configuration section and therfore does not have httpPost and httpGet turned on. This is fine. However, if I navigate directly to the WebService URL from a remote machine, it still loads and shows me a list of methods. Clicking on the method does give me a message stating that the testing form is not available to remote machines (as intended), but it does list information on how to issue a Soap Request and handle a Soap Response.
Additionally, I believe I'm being scraped by a bot of some sort of just a curious user, because I'm now getting error message in my log such as this...
System.InvalidOperationException: Request format is unrecognized for URL
unexpectedly ending in '/ValidateUsername'.
This happens if you try to issue a GET request (by manipulating the query string) against the service remotely. I'm glad that it's not handling the request as I don't want remote users access to this service, but I would prefer it not throw an error.
How can I lock down the webservice so that it is not available to remote machine, but still available to the local machine as a ScriptService consumably by ASP.NET Ajax?
UPDATE:
Okay, here is workable example of what is happening.
WebSite: http://so.weirdwes.dyndns.org/default.aspx
WebService: http://so.weirdwes.dyndns.org/services/services.asmx
Web.Config:
<webServices>
<protocols>
<remove name="HttpGet"/>
<remove name="HttpPost"/>
</protocols>
</webServices>
The website is consuming the WebService using a ScriptManager tag and ScriptReference. You'll note if you click the button, the web service is called and everything works, even though Post and Get have been removed. This is fine as this is how we want it to work. The issue is this....
http://so.weirdwes.dyndns.org/services/services.asmx/GetRemoteAddr
Server Error in '/' Application.
--------------------------------------------------------------------------------
Request format is unrecognized for URL unexpectedly ending in '/GetRemoteAddr'.
A bot or something is scraping this URL and it's generating errors that we're get notified of. I want to supress this error or block it entirely. If I alter the Web.Config and add the Get and Post protocols back in, this error goes away - but then it allows access to the web service remotely using Get which we don't want.

I am kinda confused here.
Is this going to be called by the browser? if it will be, then you should allow remote access.

Test against the ip address
Request.ServerVariables ["REMOTE_ADDR"]

IIS lets you white/black list IP groups in its configuration. Use that to lock it down to localhost. You can also configure your firewall to prevent anyone from hitting that port from outside.