Double escape sequence inside a URL: The request filtering module is configured to deny a request that contains a double escape sequence


Question

On my ASP.NET MVC application, I am trying to implement a URL like below :

/product/tags/for+families

When I try to run my application with default configurations, I am getting this message with 404.11 Response Code :

HTTP Error 404.11 - Not Found

The request filtering module is configured to deny a request that contains a double escape sequence.

I can get around this error by implementing the below code inside my web.config :

  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>

So, now I am not getting any 404.11.

What I am wondering is what kind of security holes I am opening with this implementation.

BTW, my application is under .Net Framework 4.0 and running under IIS 7.5.
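To make the error message concrete, here is an added example (not code from the question or the answer) that models the rule request filtering applies before the request ever reaches MVC routing. The assumption, labelled in the comments, is that the check can be approximated as "decode the path once; if the result still contains a %XX escape or a '+', a further decoding layer could change it again, so reject the request". IIS's real implementation may differ in details, but the model reproduces the behaviour reported above: /product/tags/for+families is rejected while the single-escaped form is not.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: an approximation of the "double escape sequence" check.
// ASSUMPTION: the rule is modelled as "after one round of percent-decoding,
// any remaining %XX escape or '+' counts as a second escape layer". This is
// not IIS's source; it is a model that matches the 404.11 seen in the question.
public static class DoubleEscapeCheck
{
    private static readonly Regex RemainingEscape =
        new Regex(@"%[0-9A-Fa-f]{2}|\+", RegexOptions.Compiled);

    // Returns true when the path would still change under a second decode.
    public static bool ContainsDoubleEscape(string path)
    {
        // Uri.UnescapeDataString decodes %XX exactly once and leaves '+' alone.
        string decodedOnce = Uri.UnescapeDataString(path);
        return RemainingEscape.IsMatch(decodedOnce);
    }

    public static void Main()
    {
        string[] samples =
        {
            "/product/tags/for+families",                   // from the question: rejected (404.11)
            "/product/tags/for%20families",                 // single escape: allowed
            "/product/tags/1%2527",                         // %2527 -> %27 -> ' : rejected
            "/product/tags/1%27;drop%20table%20Tags;%20--", // single escape: passes this check
        };
        foreach (var s in samples)
        {
            string verdict = ContainsDoubleEscape(s) ? "REJECT" : "allow ";
            Console.WriteLine($"{verdict}  {s}");
        }
    }
}
```

The last sample is the point worth noticing: a single-encoded quote passes the double-escape check, so this filter is not a substitute for handling the route value safely inside the action. What the check does defend against is a value such as %2527 that looks harmless to a component that decodes once and turns into a quote in a component further down the pipeline that decodes again.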

Recommended answer

The security holes that you might open up have to do with code injection - HTML injection, JavaScript injection or SQL injection.

The default settings protect you from attacks semi-efficiently by not allowing common injection strategies to work. The more default security you remove, the more you have to think about what you do with the input provided through URLs, GET request querystrings, POST request data, HTTP headers and so on...

For instance, if you are building dynamic SQL queries based on the id parameter of your action method, like this:

public ActionResult Tags(string id)
{
    var sql = "SELECT * FROM Tags Where tagName = '" + id + "'";
    // DO STUFF...
}

(...which is NOT a good idea), the default protection, put in place by the .NET framework, might stop some of the more dangerous scenarios, like the user requesting this URL:

/product/tags/1%27;drop%20table%20Tags;%20--

The whole idea is to treat every part of urls and other inputs to action methods as possible threats. The default security setting does provide some of that protection for you. Each default security setting you change opens up for a little more potential badness that you need to handle manually.

I assume that you are not building SQL queries this way. But the more sneaky stuff comes when you store user input in your database, then later displaying them. The malevolent user could store JavaScript or HTML in your database that go out unencoded, which would in turn threaten other users of your system.
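The two risks the answer names, concatenated SQL and stored input rendered without encoding, both have a standard fix that does not depend on request filtering. The following is an added example (not code from the question or the answer) showing what the Tags action looks like when the tag name is sent as a query parameter and stored values are HTML-encoded on the way out. It assumes a connection string named "Catalog" in web.config and a Tags table with tagName and description columns; both are placeholders.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

// Added example: hardened version of the action shown in the answer.
// ASSUMPTIONS (placeholders): connection string "Catalog"; table Tags with
// columns tagName (nvarchar) and description (nvarchar).
public class ProductController : Controller
{
    public ActionResult Tags(string id)
    {
        // With allowDoubleEscaping="true", id may hold anything the route accepted,
        // quotes and semicolons included. A parameter carries the value out of band,
        // so "1';drop table Tags; --" is compared as a literal tag name and is never
        // parsed as SQL, whatever request filtering let through.
        var descriptions = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["Catalog"].ConnectionString;

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT description FROM Tags WHERE tagName = @tagName", conn))
        {
            cmd.Parameters.Add("@tagName", SqlDbType.NVarChar, 100).Value = id ?? string.Empty;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    string stored = reader.IsDBNull(0) ? string.Empty : reader.GetString(0);
                    // Encode on output: a description saved earlier as "<script>..."
                    // reaches the browser as text, not as markup, so it cannot run
                    // against other users of the site.
                    descriptions.Add(HttpUtility.HtmlEncode(stored));
                }
            }
        }

        ViewBag.Descriptions = descriptions;
        return View();
    }
}
```

Razor views already encode values written with @, so the explicit HtmlEncode matters most where the string is later passed to Html.Raw or assembled into markup by hand; the parameterised command is the part that removes the SQL risk regardless of which characters the URL filter allows.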
