How can we improve Azure Web Apps?

Web Apps should not return 500 error when attacker appends MS-DOS devices to URLs

If an attacker is trying to fingerprint your web server, perhaps looking for https://nvd.nist.gov/vuln/detail/CVE-2007-2897

He may try https://yourSite.azurewebsites.net/AUX or https://yourSite.azurewebsites.net/PRN

or any of the MS-DOS devices:

https://support.microsoft.com/en-us/help/74496/ms-dos-device-driver-names-cannot-be-used-as-file-names

Rather than returning a 40x error, it returns a 500, and also leaks the server header "Server:Microsoft-IIS/8.0".

This is a bad situation to be in - throwing 500 errors, and leaking the server technology. Does throwing 500 errors make our sites more susceptible to DoS attacks? If an attacker sends thousands of requests that throw 500 errors, will the site go offline in a short period of time?

Ian Robertson shared this idea
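As an added illustration (not code from the original post or from Azure App Service): a Python check that recognises MS-DOS device names in URL path segments, so a front end can answer such requests with a 404 instead of letting them fall through to a 500, plus a scan over constructed IIS-style log lines to find such requests and the status they received. The function names, the reserved-name set (the KB article's list extended to COM1-9/LPT1-9) and the log layout are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved MS-DOS device names (KB 74496 list, plus COM1-9/LPT1-9 which later
# Windows versions also reserve). Windows treats "AUX.txt" or "prn " (trailing
# space) as the device itself, so strip an extension and trailing dots/spaces
# before comparing.
RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$",
            *[f"COM{i}" for i in range(1, 10)],
            *[f"LPT{i}" for i in range(1, 10)]}

def is_reserved_device_name(segment: str) -> bool:
    """True if a single (possibly percent-encoded) path segment names a device."""
    base = unquote(segment).split(".")[0].rstrip(" .").upper()
    return base in RESERVED

def path_hits_device_name(url_path: str) -> bool:
    """True if any segment of the URL path resolves to a device name."""
    path = urlsplit(url_path).path
    return any(is_reserved_device_name(s) for s in path.split("/") if s)

def choose_status(url_path: str, backend_status: int) -> int:
    """Front-end rule: device-name requests get a 404, everything else passes
    the backend's own status through unchanged."""
    return 404 if path_hits_device_name(url_path) else backend_status

# Constructed sample in a reduced IIS W3C layout:
# date time cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2019-01-01 10:00:00 GET /index.html 200
2019-01-01 10:00:01 GET /AUX 500
2019-01-01 10:00:02 GET /images/PRN.png 500
2019-01-01 10:00:03 GET /com1%2Etxt 500
2019-01-01 10:00:04 GET /aux-panel 200
2019-01-01 10:00:05 GET /nul. 500
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\d{3})$")

def scan_log(text: str) -> list:
    """Return (uri-stem, status) for every request that targeted a device name,
    so a 500 on such a request stands out as the misbehaviour described above."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and path_hits_device_name(m.group(3)):
            hits.append((m.group(3), int(m.group(4))))
    return hits
```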
under review · Azure App Service Team (Admin, Microsoft Azure) responded:

    Hi there,

    Thanks for bringing this up!

We will look into the leaked server header, but based on some testing, it is not a trivial fix.

The internal server error responses are not harming your application in any way and cannot be used for DoSing the site (your site will not go down because of these). Unfortunately, fixing the response itself to a 4xx type of response might be more challenging; there is currently no timeline for that and it is in our backlog.

    We will update when there is work deployed to address the above.

    Thanks,
    Oded
