This forum has been moved here:
Helicon Tech Community Forum

  Active TopicsActive Topics  Display List of Forum MembersMemberlist  HelpHelp   RegisterRegister  LoginLogin
ISAPI_Rewrite 2.x (Forum Locked Forum Locked)
 Helicon Tech : ISAPI_Rewrite 2.x
Subject Topic: 301 response content customizable?
Author
Message |
bbcgraphics
Newbie


Joined: 03 November 2010
Posts: 5
Posted: 03 November 2010 at 8:11am

Hello, we're having an issue with a PCI compliance scanning company who refuses to admit a false positive on this issue.  when doing a 301 redirect the response content includes this type of text

<html><body>The requested resource was moved.
 It could be found here:
<a href="https://www.domainremoved.com/?<script>something</script>">https://www.domainremoved.com/?<script>something</script></a>
</body></html>
the problem is that this link in the content is not encoded or sanitized.

I know that browsers follow the response header instructions and do not display the content, but securitymetrics continues to be argumentative and refuses to mark this as a false positive.

Is there a way to;
1) turn off the response content all together?
2) sanitize the content with URL encoding?
3) customize the response content to remove the link?

TIA
Back to Top
 
Anton
Admin Group


Joined: 30 January 2007
Location: Ukraine
Posts: 10519
Posted: 03 November 2010 at 9:50am

If you are on 2003 and use ISAPI_Rewrite 2, I'm afraid we can't help...
But in case you use IIS7 are use or have an opportunity to use Helicon Ape, we may try to find a solution for you.

__________________
Regards,
Anton
Back to Top
 
bbcgraphics
Newbie


Joined: 03 November 2010
Posts: 5
Posted: 03 November 2010 at 11:47am

I was afraid of that, yes it is 2003 and ver2.  No we don't use ape.
Back to Top
 
bbcgraphics
Newbie


Joined: 03 November 2010
Posts: 5
Posted: 04 November 2010 at 12:35pm

I noticed that the 301 response content on the
helicontech.com and isapirewrite.com sites are sanitized:

Is that only version 3?

Code:
Content (0.24 KiB) <!DOCTYPE HTML PUBLIC "-
//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved
Permanently</title> </head><body> <h1>Moved
Permanently</h1><p>The document has moved <a
href="http://www.isapirewrite.com/?%253E">here</a>.</p>
</body></html>
Back to Top
 
Anton
Admin Group


Joined: 30 January 2007
Location: Ukraine
Posts: 10519
Posted: 05 November 2010 at 3:08am

"I noticed that the 301 response content on the
helicontech.com and isapirewrite.com sites are sanitized:

Is that only version 3?"

- Sorry, don't understand what you mean.
What do you imply by "sanitized"?

__________________
Regards,
Anton
Back to Top
 
bbcgraphics
Newbie


Joined: 03 November 2010
Posts: 5
Posted: 05 November 2010 at 4:16pm

sorry, illegal characters are url encoded

basically if i attempt an url that is being redirected and include a query string like ?<script> something </script>

then the resulting 301 response content should URL encode the link href like this: ?%3Cscript%3E%20something%20%3C/script%3E%20

and html encode the anchor text like this: &lt;script&gt; something &lt;/script&gt;

currently the content of the response passes through the dangerous text into both the target url and anchor text of the link. 

Other products either sanitize the code by encoding it like this or don't send any response content at all after the header

 

Back to Top
 
Anton
Admin Group


Joined: 30 January 2007
Location: Ukraine
Posts: 10519
Posted: 08 November 2010 at 3:59am

Ok, so do you actually want to block request if it comes with the html tags (like "script") in the query string?

__________________
Regards,
Anton
Back to Top
 
bbcgraphics
Newbie


Joined: 03 November 2010
Posts: 5
Posted: 08 November 2010 at 7:47am

No, I don't want to block them, I want to 301 including any tags.  I will handle the tags when the request gets to the 301 destination.

I just want to turn off or change the response content that is sent along the 301 response header because that response content includes the requested URL verbatim in the html code which is technically an xss.

I just noticed that the content of isapirewrite's 301 response includes the URL with encoding. This is the proper way to include 301 response content that I currently can't do with version2. So I'm wondering if maybe they fixed this in version 3 or is there a way to achieve it in v2.

Back to Top
 
Anton
Admin Group


Joined: 30 January 2007
Location: Ukraine
Posts: 10519
Posted: 09 November 2010 at 3:42am

You may try to use ISAPI_Rewrite3 and put the NE flag after your rule to prevent encoding of special characters.

__________________
Regards,
Anton
Back to Top
 

Sorry, you can NOT post a reply.
This forum has been locked by a forum administrator.

Printable version Printable version
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum