Re: IIS rewrites my URL's

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 03/13/05


Date: Sun, 13 Mar 2005 00:21:03 -0800

As Kristopher pointed out, the reason for the encoding is for security
against cross-site scripting attacks. Despite the fact that XSS attacks are
fundamentally a client-side problem due to bad application code on the
server, people wanted a server-side heavy-hammer solution, and here it is.

Regarding your problems with cookies, paths, etc -- it simply points out
that your code contains potential canonicalization flaws in that it treats
the same URL as potentially different. Basically, it is the reverse of the
XSS attack but from the server to the client.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Peter Fastré" <peter.fastre@belgacom.be> wrote in message
news:NOgYd.35160$Fb7.3078265@phobos.telenet-ops.be...
Hello
I have a Windows 2003 Server with IIS. I make a virtual directory with
the name tp_static, and try the following URL:
http://srv003/tp_static
It works, but IIS encodes it to
http://srv003/tp%5Fstatic/
This way, I run into problems using cookies & paths, and besides that,
it looks very ugly. No other webserver (Apache, IIS<6, ...) does this.
Why is this, and is it possible to disable this stupid behaviour?
Regards
Peter
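The "canonicalization flaw" David describes is code that compares URL paths byte-for-byte, so `/tp_static` and `/tp%5Fstatic/` look like two different resources even though RFC 3986 treats a percent-encoded unreserved character (`%5F`) as identical to the bare character (`_`). The following is an added example, not code from the thread or from IIS: it normalizes a path before comparison (decoding only unreserved octets, keeping reserved ones such as `%2F` encoded so the path structure cannot change, and rejecting malformed escapes), then applies the RFC 6265 cookie path-match rule to the canonical forms. The `/tp_static` paths are taken from Peter's message; all other sample values are constructed for the example.

```python
"""Canonicalize URL paths so equivalent spellings compare equal.

Added example, not from the original thread. RFC 3986 section 2.3:
percent-encoded unreserved characters (ALPHA, DIGIT, "-", ".", "_", "~")
are equivalent to the bare character, so "%5F" == "_". Reserved
characters such as "/" ("%2F") must stay encoded, because decoding
them would change how the path splits into segments.
"""
import re

UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def _decode_unreserved(match):
    """Decode one %XX escape if it denotes an unreserved character."""
    ch = chr(int(match.group(1), 16))
    if ch in UNRESERVED:
        return ch
    # Reserved, non-ASCII and control octets stay encoded; normalize the
    # hex digits to upper case so "%2f" and "%2F" compare equal.
    return "%" + match.group(1).upper()


def canonical_path(path):
    """Return the canonical spelling of a URL path component.

    Raises ValueError on a malformed escape (a '%' not followed by two
    hex digits), which a server should reject rather than guess at.
    """
    if "%" in path:
        if "%" in PCT_RE.sub("", path):
            raise ValueError("malformed percent-encoding in path: %r" % path)
        path = PCT_RE.sub(_decode_unreserved, path)
    return path


def same_resource(a, b):
    """True if two path spellings denote the same resource."""
    return canonical_path(a) == canonical_path(b)


def cookie_path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match, applied to canonical forms.

    A cookie scoped to Path=/tp_static must still be sent for a request
    to /tp%5Fstatic/, which a byte-for-byte comparison would miss.
    """
    cp = canonical_path(cookie_path)
    rp = canonical_path(request_path)
    if rp == cp:
        return True
    if rp.startswith(cp):
        if cp.endswith("/"):
            return True
        if rp[len(cp)] == "/":
            return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs: the first two are the spellings from the
    # thread, the rest illustrate reserved and malformed escapes.
    for a, b in [("/tp_static", "/tp%5Fstatic"),
                 ("/tp_static", "/tp%5Fstatic/"),
                 ("/a%2Fb", "/a/b"),
                 ("/a%2fb", "/a%2Fb")]:
        print("%-14s %-16s same=%s cookie-match=%s" % (
            a, b, same_resource(a, b), cookie_path_matches(a, b)))
    try:
        canonical_path("/bad%zz")
    except ValueError as exc:
        print("rejected:", exc)
```

The second pair shows what actually bit Peter: the resource is the same, but a cookie set with `Path=/tp_static` only matches `/tp_static/` because of the path-match prefix rule, not because the strings are equal, so any code that compares raw paths must canonicalize first.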

