
Ensure Double-Encoded requests will be rejected – Applications

Details

This Request Filtering setting rejects double-encoded requests and applies when an attacker submits a double-encoded request to IIS. When the double-encoded requests filter is enabled, IIS normalizes the request in two iterations. If the result of the first normalization differs from the result of the second, the request is rejected and the rejection is logged with HTTP sub-status code 404.11. The double-encoded requests filter was the VerifyNormalization option in UrlScan. It is recommended that double-encoded requests be rejected.
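The following is an added illustration, not part of the CIS benchmark text and not IIS's own code: it models the two-iteration normalization described above by percent-decoding a request path twice and comparing the results. The function name and the sample URLs are constructed for this example; IIS's real normalization handles more cases (for example the '+' character noted in the Solution), so this is a simplified model of the documented check, not a replacement for testing against a server.

```powershell
# Added example (not part of the benchmark): simplified model of the
# allowDoubleEscaping=false check. Function name and sample URLs are constructed.
function Test-DoubleEncodedUrl {
    param([Parameter(Mandatory)][string]$Url)

    # First normalization pass: percent-decode the raw request path.
    $firstPass  = [System.Uri]::UnescapeDataString($Url)

    # Second pass: decode the result again. A well-formed single-encoded path
    # is stable under a second decode; a double-encoded one changes again.
    $secondPass = [System.Uri]::UnescapeDataString($firstPass)

    [pscustomobject]@{
        Url        = $Url
        FirstPass  = $firstPass
        SecondPass = $secondPass
        # Mirrors the documented behaviour: mismatch -> rejected, logged as 404.11
        Rejected   = ($firstPass -ne $secondPass)
    }
}

# Constructed sample request paths
@(
    '/app/page.aspx',               # no encoding: accepted
    '/app/my%20file.txt',           # single-encoded space: stable, accepted
    '/app/my%2520file.txt',         # %25 -> % in pass 1, %20 -> space in pass 2: rejected
    '/app/docs%252Freport.txt'      # double-encoded slash: rejected
) | ForEach-Object { Test-DoubleEncodedUrl $_ } | Format-Table -AutoSize
```

Running the block in any PowerShell session (no IIS required) prints one row per path; only the two rows whose FirstPass and SecondPass columns differ show Rejected = True, which is the condition the filter turns into a 404.11 response.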

Rationale:

This feature will help prevent attacks that rely on URLs that have been crafted to contain double-encoded request(s).

Solution

The allowDoubleEscaping Request Filter may be set for a server, website, or application using the IIS Manager GUI, using AppCmd.exe commands in a command-line window, and/or directly editing the configuration files. To configure using the IIS Manager GUI:
1. Open Internet Information Services (IIS) Manager
2. In the Connections pane, select the site, application, or directory to be configured
3. In the Home pane, double-click Request Filtering
4. Click Edit Feature Settings… in the Actions pane
5. Under the General section, uncheck Allow double escaping
If a file name in a URL includes '+' then allowDoubleEscaping must be set to true to allow functionality.
Enter the following command in AppCmd.exe to configure:
%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /allowDoubleEscaping:false
OR
Enter the following command in PowerShell to configure:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/requestFiltering' -name 'allowDoubleEscaping' -value 'False'
Default Value:
When Request Filtering is installed on a system, the default behavior is to not allow double-encoded requests.
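The following is an added example, not part of the CIS benchmark text and not Microsoft's own tooling: it audits the allowDoubleEscaping value at the server level and for every site (where a site-level override can re-enable double escaping even when the server default is compliant), and then remediates only the scopes that still allow it. It assumes the WebAdministration module is available (it ships with IIS 10) and that Get-WebConfigurationProperty returns the attribute as an object with a Value member, which the helper unwraps defensively. The function names are constructed for this example.

```powershell
# Added example (not part of the benchmark): audit and remediate
# allowDoubleEscaping at server and per-site scope. Function names are constructed.
Import-Module WebAdministration

$root   = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/security/requestFiltering'

function Get-EffectiveAllowDoubleEscaping {
    param([string]$Location)   # omit for the server-wide value
    $params = @{ PSPath = $root; Filter = $filter; Name = 'allowDoubleEscaping' }
    if ($Location) { $params['Location'] = $Location }
    $raw = Get-WebConfigurationProperty @params
    # Assumption: the cmdlet returns an attribute object; unwrap .Value when present.
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { [bool]$raw.Value } else { [bool]$raw }
}

function Get-DoubleEscapingStatus {
    # Server-wide setting; compliant only when double escaping is NOT allowed.
    $serverValue = Get-EffectiveAllowDoubleEscaping
    [pscustomobject]@{ Scope = 'Server'; AllowDoubleEscaping = $serverValue; Compliant = (-not $serverValue) }

    # Effective setting per site: inherits from the server unless overridden in a location tag.
    foreach ($site in Get-Website) {
        $siteValue = Get-EffectiveAllowDoubleEscaping -Location $site.Name
        [pscustomobject]@{ Scope = $site.Name; AllowDoubleEscaping = $siteValue; Compliant = (-not $siteValue) }
    }
}

function Set-DoubleEscapingRejected {
    param([string]$Location)   # omit for the server-wide setting
    $params = @{ PSPath = $root; Filter = $filter; Name = 'allowDoubleEscaping'; Value = 'False' }
    if ($Location) { $params['Location'] = $Location }
    Set-WebConfigurationProperty @params
}

# Report current state, then remediate only non-compliant scopes.
$status = Get-DoubleEscapingStatus
$status | Format-Table -AutoSize
foreach ($row in ($status | Where-Object { -not $_.Compliant })) {
    if ($row.Scope -eq 'Server') { Set-DoubleEscapingRejected }
    else                         { Set-DoubleEscapingRejected -Location $row.Scope }
}
```

Run it from an elevated PowerShell session on the IIS host. The report step alone is sufficient for an audit; the remediation loop writes to applicationHost.config, so review the table first on a site whose file names contain '+' (see the caveat in the Solution above) before letting the loop clear that site's override.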

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

Updated on July 16, 2022