Why is using a URL containing a colon considered as a "potentially dangerous request"?


Question

Someone (probably a bot) sent a request with the following URL to my ASP.NET 4.0 web forms application (running on IIS 7.0):

http://ipaddress-of-my-applications-domain/bla1.bla2.bla3.bla4.bla5:)

This caused a System.Web.HttpException. I received a logging email from the ASP.NET HealthMonitoring I had configured, telling me:

A potentially dangerous Request.Path value was detected from the client (:).

The stack trace was:

System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Why is a colon in the URL "potentially dangerous"? What dangerous things can be done with such a URL? Do I have any security hole here I am not aware of?

Thanks in advance for the explanation!

Edit

I've tested that a colon in a query string (like http://mydomain.com?Test=9:)) does not cause this exception.

Answer

On NTFS, a given file path can have multiple associated data streams. Apart from the main stream, also known as $DATA, there can be others, typically used to store metadata like the Internet Zone marker in downloaded files.

Alternate Data Streams are accessed using a colon separator, e.g. file.dat:$DATA is an alternative way of saying file.dat. The presence of ADSs through the web has caused Microsoft some security issues in the past (e.g. returning the source code of ASP pages instead of executing them), so as a precaution they're blocking the use of colon in the path part of the URL, as the path part often maps to the filesystem (though not in your case). This is less likely to occur from the query string, so it is not blocked there.

This is far from the worst false positive Request Validation will generate. Its anti-injection features are much worse. I personally would always disable it, as it's a stupid broken feature that can never actually make your webapp secure; only proper attention to string escaping (and heavy sanitisation of anything you plan to use as a filename) can do that.

There are other characters that, even if you turn Request Validation off, you can't put in a path part for routing purposes. In particular, slashes (%2F, %5C, and byte sequences that would be invalid overlong UTF-8 sequences resolving to the same) and the zero byte. It's best to be conservative about what you put in paths in general.
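As an added illustration of the behaviour the answer describes (this is not ASP.NET's own RequestValidator code, and is not code from the question or the answer), the following toy check inspects only the path part of a URL and rejects a colon there while leaving the query string alone, which matches the observation that `?Test=9:)` passes. It also goes slightly beyond the colon case and rejects the other things the answer says cannot appear in a path segment even with Request Validation off: a percent-encoded slash or backslash, a NUL byte, and invalid or overlong UTF-8 such as `%C0%AF`. The function name `check_request_path` and the sample URLs are made up for this example.

```python
"""Toy request-path check modelled on the behaviour described in the answer.

Added example only: it is NOT ASP.NET's RequestValidator, just a small
reimplementation of the rules the answer lists, so a reader can see which
URLs would trip each rule.
"""
from __future__ import annotations

from typing import Tuple
from urllib.parse import unquote_to_bytes, urlsplit

# Characters that must not appear inside a single decoded path segment.
# A literal '/' separating segments is fine; an *encoded* %2F that decodes
# to '/' inside a segment is the case the answer warns about.
FORBIDDEN_IN_SEGMENT = {
    ":": "colon (NTFS alternate data stream separator, e.g. file.dat:$DATA)",
    "/": "percent-encoded slash (%2F)",
    "\\": "percent-encoded backslash (%5C)",
    "\x00": "NUL byte (%00)",
}


def check_request_path(url: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the path part of `url`.

    Only the path is inspected; the query string is deliberately ignored,
    mirroring the behaviour observed in the question.
    """
    path = urlsplit(url).path
    for raw_segment in path.split("/"):
        raw_bytes = unquote_to_bytes(raw_segment)
        try:
            # Strict UTF-8 decoding rejects overlong forms such as C0 AF,
            # which would otherwise "resolve to" a slash.
            segment = raw_bytes.decode("utf-8")
        except UnicodeDecodeError:
            return False, f"invalid or overlong UTF-8 in segment {raw_segment!r}"
        for ch, why in FORBIDDEN_IN_SEGMENT.items():
            if ch in segment:
                return False, f"{why} in segment {raw_segment!r}"
    return True, "ok"


# Constructed sample URLs (hypothetical host), one per rule.
SAMPLE_URLS = [
    "http://example.com/bla1.bla2.bla3.bla4.bla5:)",  # colon in path (the question's case)
    "http://example.com/?Test=9:)",                   # colon only in the query string
    "http://example.com/file.dat:$DATA",              # explicit ADS syntax
    "http://example.com/a%2Fb",                       # encoded slash
    "http://example.com/a%5Cb",                       # encoded backslash
    "http://example.com/a%C0%AFb",                    # overlong UTF-8 for '/'
    "http://example.com/a%00b",                       # NUL byte
    "http://example.com/normal/path.aspx",            # harmless
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, reason = check_request_path(u)
        print(f"{'PASS' if ok else 'REJECT':6} {u}  ({reason})")
```

Note that `urlsplit` stops the host at the first `/`, so a colon later in the path is kept in `.path` rather than being mistaken for a port separator; that is why the question's URL is reported as a colon in the path and not as a parse error.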
