Short Name |
HTTP:IIS:ASP-DOT-NET-BACKSLASH |
---|---|
Severity |
Minor |
Recommended |
No |
Category |
HTTP |
Keywords |
IIS ASP.Net Directory Authentication Bypass |
Release Date |
2004/10/13 |
Update Number |
1213 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
This signature detects backslash (\) characters in the URL portion of an HTTP request. Attackers can use a backslash as a directory separator instead of the normal forward slash (/) to bypass the Microsoft IIS ASP.Net authentication capabilities and access protected resources. Note: A poorly configured Web server can also display a backslash in a non-malicious URL request.
Microsoft ASP.NET is reported prone to a remote information-disclosure vulnerability because the application fails to properly secure documents when handling malformed URI requests. An attacker may leverage this issue to bypass authentication required to access files in secured directories.