Skip to main content

Server Error (dots in URL)




Issue description:
Asp.net Server error [Unable to redirect to custom error page] when three dots (…) placed after directory name in url, Custom error page will not work if below attribute is set to false.

By default in asp.net  application will be configured relaxedUrlToFileSystemMapping="false, which means each http request will be validated by ‘Server OS file path validation component’. So when we pass (.) or (..) in URL first it will be validated by this component then the valid request will be passed to IIS.

By setting relaxedUrlToFileSystemMapping="true" it will bypass the ‘Server OS file path validation’, so all the http request will directly reach to IIS.


Same scenario has been explained in below figure.


Mitigation:                                                       
In web config:
<system.web>
       <httpRuntime targetFramework="4.5" relaxedUrlToFileSystemMapping="true" />
  </system.web>
What is relaxedUrlToFileSystemMapping?
The RelaxedUrlToFileSystemMapping property determines how the URL in an incoming HTTP request will be validated. If this property is false, the URL is validated by using the same rules that determine whether a Windows file system path is valid.

Comments

Popular posts from this blog

Password Protected File Validation for(.doc/.docx/.xls/.xlsx/.pdf) file types

Password Protected File Validation for(.doc/.docx/.xls/.xlsx/.pdf) file types protected void btnUpload_Click( object sender, EventArgs e)         {             //Check if File Upload control has file or not             if (FileUpload1.HasFile)             {                 //Get Uploaded file bytes                 var bytes = FileUpload1.FileBytes;                 //Get Uploaded File Extension                 FileInfo objFileInfo = new FileInfo (FileUpload1.FileNam...

Product/Application/ Software Security Testing

Product/Application/ Software Security Testing Application Security testing is the process to find security issues or security vulnerability in the application using automated and manual security scanner tools and share the identified issues or risk with development or application team. Process will remain mostly same in all the different types of application security scan. Before initiating security scan, its always good to identify the boundary and scope of your security testing.  Below are the few example of which we can consider as Application or software. ( Scope for Application Security Testing) Web Application, Portal. Web API. Desktop Software / Thick Client. Mobile Application. Web Services.  Plug in, Add-On The goal of application security is to secure the application and prevent the unwanted damaged. The process of performing security scan or audit is know as ASA (Application Security Assessment). Generally there are three types of ASA, SAST, DAST...

Improve SQL Server database design and performance

Improve SQL Server database design and performance http://www.dotnet-tricks.com/Tutorial/sqlserver/bM6H260812-Tips-to-improve-SQL-Server-performance.html