tags:

views:

742

answers:

1
+2  Q: 

URL-Encoded Angle Brackets in URL?

Hi,

I'm working on a legacy app and for whatever reason it's trying to stuff URL-encoded angle brackets into a URL. For example, to get a URL ending with "<sometext>":

http://somesite.com/somefolder/%3csometext%3e

When the above URL-encoded URL is fetched, it generates a 400 error (Bad Request) on IIS6 and I can't quite figure out why. Probably something simple, but I'm stumped.

Ideas? Thanks.

+3  A: 

You must have URLScan tool installed (http://technet.microsoft.com/en-us/security/cc242650.aspx) which disallows angle brackets (in any form).

According to this, 

    The new default urlscan.ini contains a rule in it to protect against these sort of patterns and the rule is just simply:

[DenyQueryStringSequences]

<

>
DV  2008-10-20 03:26:45
That's preposterous!
eyelidlessness  2008-10-20 04:43:15
why so? urlscan is very common on iis 6 and below.
DV  2008-10-20 04:54:46
That is the reason for sure. +1
Tomalak  2008-10-20 07:58:52
No, I mean it's preposterous that it would disallow valid url-encoded characters.
eyelidlessness  2008-10-20 17:30:46
The values in the query string are often displayed on the page, without escaping. If you allow angle brackets in the query string, and then they're displayed without escaping, you've just opened a massive XSS hole. URLScan protects your server from badly-written web apps.
Roger Lipscombe  2008-11-04 10:14:11

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.