Web Apps should not return a 500 error when an attacker appends MS-DOS device names to URLs

If an attacker is trying to fingerprint your web server, perhaps looking for https://nvd.nist.gov/vuln/detail/CVE-2007-2897, he may try https://yourSite.azurewebsites.net/AUX or https://yourSite.azurewebsites.net/PRN, or any of the MS-DOS device names:

https://support.microsoft.com/en-us/help/74496/ms-dos-device-driver-names-cannot-be-used-as-file-names

Rather than returning a 40x error, it returns a 500, and also leaks the server header "Server:Microsoft-IIS/8.0".

This is a bad situation to be in - throwing 500 errors and leaking the server technology. Does throwing 500 errors make our sites more susceptible to DoS attacks? If an attacker sends 1000s of requests that throw 500 errors, will the site go offline in a short period of time?

Ian Robertson shared this idea

    0 comments
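As an added example (not code from the post, and not Azure's or IIS's own handling), a small WSGI guard that detects reserved MS-DOS device names in a request path, including the `AUX.txt`-style variants that Windows file-name rules treat as the device, and answers 404 before the file system is ever consulted. The middleware and helper names are assumptions for this illustration.

```python
"""Reject URL paths that name an MS-DOS reserved device with a 404 instead of a 500."""
from urllib.parse import unquote

# Reserved names from the MS-DOS/Windows file-name rules the post links to.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL", "CLOCK$"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def _device_candidate(segment: str) -> str:
    """Windows also maps 'AUX.txt' and 'aux .' to the device, so compare the
    part before the first dot, with trailing spaces/dots stripped, upper-cased."""
    return segment.split(".", 1)[0].rstrip(" .").upper()


def path_names_reserved_device(path: str) -> bool:
    """True if any segment of the (percent-decoded) URL path is a reserved device name."""
    return any(
        segment and _device_candidate(segment) in RESERVED_DEVICE_NAMES
        for segment in unquote(path).split("/")
    )


def reserved_device_guard(app):
    """WSGI middleware (hypothetical name): 404 for reserved names, else pass through."""
    def guarded(environ, start_response):
        if path_names_reserved_device(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded


def status_for(path: str) -> str:
    """Run the guard in front of a constructed stub app and return the status line chosen."""
    def stub_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]

    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    list(reserved_device_guard(stub_app)({"PATH_INFO": path}, start_response))
    return captured["status"]
```

Because the guard runs before any file-system lookup, a probe for `/AUX` gets the same generic 404 as any other missing resource, with no stack trace or 500 to distinguish it.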