UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The web-site must not allow double encoded URL requests.


Overview

Finding ID Version Rule ID IA Controls Severity
V-26045 WA000-WI6250 SV-32696r1_rule ECSC-1 Medium
Description
Request filtering enables administrators to create a more granular rule set with which to allow or reject inbound web content. By setting limits on web requests, it ensures availability of web services and mitigates the risk of buffer overflow type attacks. When the allow double escaping option is disabled it prevents attacks that rely on double-encoded requests.
STIG Date
IIS 7.0 WEB SITE STIG 2014-01-09

Details

Check Text ( C-32893r1_chk )
For each site reviewed:
1. Open the IIS Manager.
2. Click on the site name.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
If the allow double escaping checkbox is checked, this is a finding.
Fix Text (F-29039r1_fix)
1. Open the IIS Manager.
2. Click the site name under review.
3. Double-click the Request Filtering icon.
4. Click Edit Feature Settings in the Actions Pane.
5. Uncheck the allow double escaping checkbox.