| Groups | Blog | Home |
iis security : Does Http.sys block all mobile device requests?
I'm using Windows 2003 and IIS 6.0 to host a mobile device application. I've migrated over from IIS 5.0. IIS 6.0 seems to block all incoming requests from mobile devices. My suspicion is that http.sys blocks these requests because they're without user agent or has an illegal \r\n ending in the request. But my problem is that I cannot control the requests generated by the mobile devices using my app. Does anyone know how to shut off or configure the request blocking done by http.sys? Or do I have to go all the way back to windows 2000? Any ideas or suggestions are welcome!!! PS: I suspect that http.sys blocks the mobile device requests because they don't have user agent in header. The request headers sent by the mobile devices are as following: Connection: close Host=myweb.com:80 The Httperr.log looks like this: 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
That host header is incorrect.
All HTTP headers should be: header-name colon header-value eg: connection: close -or- host: www.mycompany.com Something like: host=www.mycompany.com is not a valid HTTP header as far as I know. I think that's possible a cause of your problems. HTTP.sys does not block requests that do not have a user-agent. That's easy to verify using telnet: telnet>open www.mycompany.com 80 GET / HTTP/1.1 [enter] HOST: www.mycompany.com [enter][enter] If you enter the above, you will get IIS to respond just fine, even though there is no user-agent header, no accept header etc. Cheers Ken [quoted text, click to view] "Hans Olav Stjernholm" <none@no.no> wrote in message news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl... > Hi! > > I'm using Windows 2003 and IIS 6.0 to host a mobile device application. > I've > migrated over from IIS 5.0. > IIS 6.0 seems to block all incoming requests from mobile devices. > My suspicion is that http.sys blocks these requests because they're > without > user agent or has an illegal \r\n ending in the request. But my problem is > that I cannot control the requests generated by the mobile devices using > my > app. > > Does anyone know how to shut off or configure the request blocking done by > http.sys? > Or do I have to go all the way back to windows 2000? > > Any ideas or suggestions are welcome!!! > > PS: > I suspect that http.sys blocks the mobile device requests because they > don't > have user agent in header. > The request headers sent by the mobile devices are as following: > Connection: close > Host=myweb.com:80 > > The Httperr.log looks like this: > 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest > 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest > 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest > 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest > >
For proper security, servers should only accept proper HTTP requests.
Applications that cannot send proper HTTP requests are broken and should be fixed. There is no way to shut off nor configure request blocking done by HTTP.SYS. It is an important part of overall server security. The only resolutions I see are: 1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS6 over IIS5) 2. Open a PSS support case on the behavior and justify a change in HTTP.SYS -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Hans Olav Stjernholm" <none@no.no> wrote in message Hi!news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl... I'm using Windows 2003 and IIS 6.0 to host a mobile device application. I've migrated over from IIS 5.0. IIS 6.0 seems to block all incoming requests from mobile devices. My suspicion is that http.sys blocks these requests because they're without user agent or has an illegal \r\n ending in the request. But my problem is that I cannot control the requests generated by the mobile devices using my app. Does anyone know how to shut off or configure the request blocking done by http.sys? Or do I have to go all the way back to windows 2000? Any ideas or suggestions are welcome!!! PS: I suspect that http.sys blocks the mobile device requests because they don't have user agent in header. The request headers sent by the mobile devices are as following: Connection: close Host=myweb.com:80 The Httperr.log looks like this: 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET /get.aspx?a=&u=38 400 - BadRequest
surely you can put a filter before http.sys. isn't that the basis of how
urlscan and other isapi filters work? if nothing else send iis to a different port and write your own proxy to listen on port 80 and fix up requests before forwarding them on to iis. "bertelmonster" <bertelmonster.1nmv52@mail.webservertalk.com> wrote in message news:bertelmonster.1nmv52@mail.webservertalk.com... [quoted text, click to view] > > Still no solution for this Problem? > ( > > - Devices in the market cannot be changed. > - Not possible to get request before http.sys (kernal mode). > > To strictly conform http spec is very good. But it should be possible > to intercept requests! > > > > David Wang [Msft] wrote: > > *For proper security, servers should only accept proper HTTP > > requests. > > Applications that cannot send proper HTTP requests are broken and > > should be > > fixed. > > > > There is no way to shut off nor configure request blocking done by > > HTTP.SYS. > > It is an important part of overall server security. > > > > The only resolutions I see are: > > 1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS6 > > over > > IIS5) > > 2. Open a PSS support case on the behavior and justify a change in > > HTTP.SYS > > > > -- > > //David > > IIS > > This posting is provided "AS IS" with no warranties, and confers no > > rights. > > // > > "Hans Olav Stjernholm" <none@no.no> wrote in message > > news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl... > > Hi! > > > > I'm using Windows 2003 and IIS 6.0 to host a mobile device > > application. I've > > migrated over from IIS 5.0. > > IIS 6.0 seems to block all incoming requests from mobile devices. > > My suspicion is that http.sys blocks these requests because they're > > without > > user agent or has an illegal \r\n ending in the request. But my > > problem is > > that I cannot control the requests generated by the mobile devices > > using my > > app. > > > > Does anyone know how to shut off or configure the request blocking > > done by > > http.sys? > > Or do I have to go all the way back to windows 2000? > > > > Any ideas or suggestions are welcome!!! > > > > PS: > > I suspect that http.sys blocks the mobile device requests because > > they don't > > have user agent in header. > > The request headers sent by the mobile devices are as following: > > Connection: close > > Host=myweb.com:80 > > > > The Httperr.log looks like this: > > 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET > > /get.aspx?a=&u=38 400 - BadRequest > > 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET > > /get.aspx?a=&u=38 400 - BadRequest > > 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET > > /get.aspx?a=&u=38 400 - BadRequest > > 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET > > /get.aspx?a=&u=38 400 - BadRequest * > > > > -- > bertelmonster > ------------------------------------------------------------------------ > Posted via http://www.webservertalk.com > ------------------------------------------------------------------------ > View this thread: http://www.webservertalk.com/message349594.html >
Still no solution for this Problem? ( - Devices in the market cannot be changed. - Not possible to get request before http.sys (kernal mode). To strictly conform http spec is very good. But it should be possibl to intercept requests! [quoted text, click to view] David Wang [Msft] wrote: > *For proper security, servers should only accept proper HTT > requests. > Applications that cannot send proper HTTP requests are broken an > should be > fixed. > > There is no way to shut off nor configure request blocking done b > HTTP.SYS. > It is an important part of overall server security. > > The only resolutions I see are: > 1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS > over > IIS5) > 2. Open a PSS support case on the behavior and justify a change i > HTTP.SYS > > -- > //David > IIS > This posting is provided "AS IS" with no warranties, and confers n > rights. > // > "Hans Olav Stjernholm" <none@no.no> wrote in message > news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl... > Hi! > > I'm using Windows 2003 and IIS 6.0 to host a mobile devic > application. I've > migrated over from IIS 5.0. > IIS 6.0 seems to block all incoming requests from mobile devices. > My suspicion is that http.sys blocks these requests because they'r > without > user agent or has an illegal \r\n ending in the request. But m > problem is > that I cannot control the requests generated by the mobile device > using my > app. > > Does anyone know how to shut off or configure the request blockin > done by > http.sys? > Or do I have to go all the way back to windows 2000? > > Any ideas or suggestions are welcome!!! > > PS: > I suspect that http.sys blocks the mobile device requests becaus > they don't > have user agent in header. > The request headers sent by the mobile devices are as following: > Connection: close > Host=myweb.com:80 > > The Httperr.log looks like this: > 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest > 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest > 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest > 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET > /get.aspx?a=&u=38 400 - BadRequest - bertelmonste ----------------------------------------------------------------------- Posted via http://www.webservertalk.co ----------------------------------------------------------------------- View this thread: http://www.webservertalk.com/message349594.htm
Hi Dave and bertelmonster,
First off, a user-agent header is not required in any version of HTTP, so http.sys will not reject a request based on that. In looking at the header data below, I see a properly formed connection header, but the line "Host=myweb.com:80" will cause http.sys to fail to find a host header. Since a host header is required for HTTP/1.1, this could cause a 400 response. The correct value of the header should be "Host: myweb.com:80". Also, assuming that this header is just a typo, there could be something outside of just headers that's making the request invalid. It would be necessary to see a capture of the actual raw request in its entirely to say for sure what's wrong. Finally regarding filters, in Worker Process Isolation Mode, David is correct that you cannot intercept the request. UrlScan and other filters work by looking at the request after it's been parsed by http.sys. In IIS 5 Isolation Mode, though, you can write a read raw data filter that sees the raw data stream before http.sys parses it. It would be possible to put IIS into this mode an use such a filter to fix the data stream. This would probably not be an ideal solution, as you would give up the benefits of the new IIS 6 process model. If it's true that the device is really sending a malformed host header, then that would be a very serious defect in the device and you should definitely contact the vendor. Thank you, -Wade A. Hilmo, -Microsoft [quoted text, click to view] "Dave" <noone@nowhere.com> wrote in message news:O6eL3V1QFHA.1476@TK2MSFTNGP09.phx.gbl... > surely you can put a filter before http.sys. isn't that the basis of how > urlscan and other isapi filters work? if nothing else send iis to a > different port and write your own proxy to listen on port 80 and fix up > requests before forwarding them on to iis. > > "bertelmonster" <bertelmonster.1nmv52@mail.webservertalk.com> wrote in > message news:bertelmonster.1nmv52@mail.webservertalk.com... > > > > Still no solution for this Problem? > > ( > > > > - Devices in the market cannot be changed. > > - Not possible to get request before http.sys (kernal mode). > > > > To strictly conform http spec is very good. But it should be possible > > to intercept requests! > > > > > > > > David Wang [Msft] wrote: > > > *For proper security, servers should only accept proper HTTP > > > requests. > > > Applications that cannot send proper HTTP requests are broken and > > > should be > > > fixed. > > > > > > There is no way to shut off nor configure request blocking done by > > > HTTP.SYS. > > > It is an important part of overall server security. > > > > > > The only resolutions I see are: > > > 1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS6 > > > over > > > IIS5) > > > 2. Open a PSS support case on the behavior and justify a change in > > > HTTP.SYS > > > > > > -- > > > //David > > > IIS > > > This posting is provided "AS IS" with no warranties, and confers no > > > rights. > > > // > > > "Hans Olav Stjernholm" <none@no.no> wrote in message > > > news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl... > > > Hi! > > > > > > I'm using Windows 2003 and IIS 6.0 to host a mobile device > > > application. I've > > > migrated over from IIS 5.0. > > > IIS 6.0 seems to block all incoming requests from mobile devices. > > > My suspicion is that http.sys blocks these requests because they're > > > without > > > user agent or has an illegal \r\n ending in the request. But my > > > problem is > > > that I cannot control the requests generated by the mobile devices > > > using my > > > app. > > > > > > Does anyone know how to shut off or configure the request blocking > > > done by > > > http.sys? > > > Or do I have to go all the way back to windows 2000? > > > > > > Any ideas or suggestions are welcome!!! > > > > > > PS: > > > I suspect that http.sys blocks the mobile device requests because > > > they don't > > > have user agent in header. > > > The request headers sent by the mobile devices are as following: > > > Connection: close > > > Host=myweb.com:80 > > > > > > The Httperr.log looks like this: > > > 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET > > > /get.aspx?a=&u=38 400 - BadRequest > > > 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET > > > /get.aspx?a=&u=38 400 - BadRequest > > > 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET > > > /get.aspx?a=&u=38 400 - BadRequest > > > 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET > > > /get.aspx?a=&u=38 400 - BadRequest * > > > > > > > > -- > > bertelmonster > > ------------------------------------------------------------------------ > > Posted via http://www.webservertalk.com > > ------------------------------------------------------------------------ > > View this thread: http://www.webservertalk.com/message349594.html > > > >
ISAPI filters in IIS 6.0 do not load "before" http.sys. The process
incoming requests AFTER http.sys routes the incoming request to that website. In IIS 5.0 (Win2k) there was no http.sys so the incoming requests went directly to IIS. IIS loaded all ISAPI filters in inetinfo.exe so all incoming requests would be parsed by all installed ISAPI filters. Filters like URLScan could parse the incoming request before it was consumed by IIS allowing improper requests to be rejected. In IIS 6.0 http.sys was introduced and it acts like a filter itself in a way, checking incoming requests for validity. If the validity check fails then the request is rejected and logged in \logfiles\httperr. IIS doesn't know about these incoming requests. If the request is allowed by http.sys then the request is passed on to the IIS process the request was indended for (w3wp.exe). Furthermore ISAPI filters in IIS 6.0 are loaded into the specific process (w3wp.exe) they are intended for so that not every request for every website has to go thru all the ISAPI filters, just the ones intended for use with that particular website. Hans - there is no way to shut down http.sys in IIS 6.0. If you app is not creating proper formed requests then http.sys will reject it. Hope this helps! This posting is provided "AS IS" with no warranties, and confers no rights. Thanks! ~Andrew Davis Microsoft PSS Security -------------------- [quoted text, click to view] >From: "Dave" <noone@nowhere.com> <uD1Pnv#hEHA.2624@TK2MSFTNGP12.phx.gbl> >References: <egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl> <bertelmonster.1nmv52@mail.webservertalk.com> [quoted text, click to view] >Subject: Re: Does Http.sys block all mobile device requests? TK2MSFTNGXA02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP0>Date: Sun, 17 Apr 2005 13:57:48 -0000 >Lines: 95 >X-Priority: 3 >X-MSMail-Priority: Normal >X-Newsreader: Microsoft Outlook Express 6.00.2800.1409 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 >Message-ID: <O6eL3V1QFHA.1476@TK2MSFTNGP09.phx.gbl> >Newsgroups: microsoft.public.inetserver.iis.security >NNTP-Posting-Host: k1ttt.net 140.186.101.248 >Path: 9.phx.gbl [quoted text, click to view] >Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.inetserver.iis.security:17295
>X-Tomcat-NG: microsoft.public.inetserver.iis.security > >surely you can put a filter before http.sys. isn't that the basis of how >urlscan and other isapi filters work? if nothing else send iis to a >different port and write your own proxy to listen on port 80 and fix up >requests before forwarding them on to iis. > >"bertelmonster" <bertelmonster.1nmv52@mail.webservertalk.com> wrote in >message news:bertelmonster.1nmv52@mail.webservertalk.com... >> >> Still no solution for this Problem? >> ( >> >> - Devices in the market cannot be changed. >> - Not possible to get request before http.sys (kernal mode). >> >> To strictly conform http spec is very good. But it should be possible >> to intercept requests! >> >> >> >> David Wang [Msft] wrote: >> > *For proper security, servers should only accept proper HTTP >> > requests. >> > Applications that cannot send proper HTTP requests are broken and >> > should be >> > fixed. >> > >> > There is no way to shut off nor configure request blocking done by >> > HTTP.SYS. >> > It is an important part of overall server security. >> > >> > The only resolutions I see are: >> > 1. Use IIS5 on Windows 2000 (i.e. forsake security achieved by IIS6 >> > over >> > IIS5) >> > 2. Open a PSS support case on the behavior and justify a change in >> > HTTP.SYS >> > >> > -- >> > //David >> > IIS >> > This posting is provided "AS IS" with no warranties, and confers no >> > rights. >> > // >> > "Hans Olav Stjernholm" <none@no.no> wrote in message >> > news:egTewLUgEHA.3320@TK2MSFTNGP11.phx.gbl... >> > Hi! >> > >> > I'm using Windows 2003 and IIS 6.0 to host a mobile device >> > application. I've >> > migrated over from IIS 5.0. >> > IIS 6.0 seems to block all incoming requests from mobile devices. >> > My suspicion is that http.sys blocks these requests because they're >> > without >> > user agent or has an illegal \r\n ending in the request. But my >> > problem is >> > that I cannot control the requests generated by the mobile devices >> > using my >> > app. >> > >> > Does anyone know how to shut off or configure the request blocking >> > done by >> > http.sys? >> > Or do I have to go all the way back to windows 2000? >> > >> > Any ideas or suggestions are welcome!!! >> > >> > PS: >> > I suspect that http.sys blocks the mobile device requests because >> > they don't >> > have user agent in header. >> > The request headers sent by the mobile devices are as following: >> > Connection: close >> > Host=myweb.com:80 >> > >> > The Httperr.log looks like this: >> > 2004-07-29 08:12:56 212.17.141.50 42798 62.92.38.39 80 HTTP/1.1 GET >> > /get.aspx?a=&u=38 400 - BadRequest >> > 2004-07-29 08:13:00 212.17.141.50 42816 62.92.38.39 80 HTTP/1.1 GET >> > /get.aspx?a=&u=38 400 - BadRequest >> > 2004-07-29 08:13:03 212.17.141.50 42832 62.92.38.39 80 HTTP/1.1 GET >> > /get.aspx?a=&u=38 400 - BadRequest >> > 2004-07-29 08:13:06 212.17.141.50 42846 62.92.38.39 80 HTTP/1.1 GET >> > /get.aspx?a=&u=38 400 - BadRequest * >> >> >> >> -- >> bertelmonster >> ------------------------------------------------------------------------ >> Posted via http://www.webservertalk.com >> ------------------------------------------------------------------------ >> View this thread: http://www.webservertalk.com/message349594.html >> > > >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |