CORS Error on MS Edge - iis

We have a running website which makes XHR to another Domains php-service. Currently we are moving this service to a new server. While we did allow CORS and used quite the same settings the request works on the old Server but does not on the new one.
Talking about "quite the same" cause obviously something is wrong, but we couldn't find a difference. IpSecurity allows all Ips, Auth. accepts anomymous, etc.
Old Server: Windows Server 2012; IIS 6.2
New Server: Windows Server 2008R2; IIS 6.1
Web.config:
<configuration>
<system.webServer>
<defaultDocument enabled="true">
<files>
<clear />
<add value="index.aspx" />
<add value="index.asp" />
<add value="index.htm" />
<add value="index.html" />
<add value="home.aspx" />
<add value="home.asp" />
<add value="home.htm" />
<add value="home.html" />
<add value="default.aspx" />
<add value="default.asp" />
<add value="default.htm" />
<add value="default.html" />
</files>
</defaultDocument>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Credentials" value="true" />
<add name="Access-Control-Allow-Headers" value="origin, content-type, accept" />
<add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS" />
<add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>
</httpProtocol>
<urlCompression doDynamicCompression="true" />
</system.webServer>
</configuration>
Error: SCRIPT7002: XMLHttpRequest: Networkerror 0x80070005, Access denied.
Has anyone an idea why Edge won't get access to the new server?
Thanks for any ideas.
EDIT: To further clarify: It does work on Chrome, Firefox and IE 11

Related

How to enable compression using IIS

I have followed this document and have enabled both Dynamic and Static compression for my website.
But when I test the website here, the compression is not enabled.
I have verified the HttpCompression:
<system.webServer>
<httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
<staticTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/javascript" enabled="true" />
<add mimeType="application/atom+xml" enabled="true" />
<add mimeType="application/xaml+xml" enabled="true" />
<add mimeType="image/svg+xml" enabled="true" />
<add mimeType="*/*" enabled="false" />
</staticTypes>
<dynamicTypes>
<add mimeType="text/*" enabled="true" />
<add mimeType="message/*" enabled="true" />
<add mimeType="application/x-javascript" enabled="true" />
<add mimeType="application/javascript" enabled="true" />
<add mimeType="*/*" enabled="false" />
</dynamicTypes>
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll" />
</httpCompression>
</system.webServer>
I have also checked the following IIS Settings:
I see from your posted headers that the site is behind cloudfront (ie the via and x-cache headers).
Thus you may need to investigate having cloudfront provide compressed data: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/ServingCompressedFiles.html
I'm not particularly familiar with cloudfront, but since its adding the via header its acting as a proxy..
..you have noCompressionForProxies = True in your IIS settings screenshot.
This has some info on changing that setting https://community.spiceworks.com/topic/1989103-help-with-enabling-nocompressionforproxies-in-applicationhost-config-in-iis
As a 1st test you could try to hit your site by-passing cloudfront to directly test the IIS setup.

Adding x-frame-Options in web.config return error 500

I added X-frame-Options in my web.config.
This is my web.config
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
After restarting IIS I got 500 error!!!
Can someone help me to find out the problem?
Modify your customHeaders as below:
<customHeaders>
<clear />
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
I suspect that your application is located within a virtual folder, if that's the case then two web.config files are processed. First is the global one, the the second time is yours. So you end up having two collection of customHeaders.
Blog post IIS 7: But why do I get a 500.19 explains in more details why it is happening and how to fix it.
Your location to add CustomHeaders is wrong. Correct location is :
....
</system.web>
<system.webServer>
<security>
<requestFiltering>
<verbs allowUnlisted="true">
<add verb="OPTIONS" allowed="false" />
</verbs>
</requestFiltering>
</security>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="ALLOW" />
<remove name="X-Powered-By" />
<add name="X-XSS-Protection" value="1; mode=block" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
....
Other option is Useful for your application security.

IIS Failed request tracing - Trace Providers

I'm working on an IIS 7.5 server and enabled the failed request tracing feature however when I attempt to setup the rules I only have an option to select ASPNET as a provider rather than the normal four providers (ASP, ASPNET, ISAPI Extension, WWW Server).
Does anyone know how to get the other providers to display?
FRT - Provider - image
For some reason it seems your traceProviderDefinitions got cleared or something. to fix that you can:
Make a backup of c:\Windows\System32\Inetsrv\Config\ApplicationHost.config just in case anything goes wrong with your XML editing.
Open c:\Windows\System32\Inetsrv\Config\ApplicationHost.config in notepad.
Look for: , in my machine I have the following:
<traceProviderDefinitions>
<add name="WWW Server" guid="{3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}">
<areas>
<clear />
<add name="Authentication" value="2" />
<add name="Security" value="4" />
<add name="Filter" value="8" />
<add name="StaticFile" value="16" />
<add name="CGI" value="32" />
<add name="Compression" value="64" />
<add name="Cache" value="128" />
<add name="RequestNotifications" value="256" />
<add name="Module" value="512" />
<add name="Rewrite" value="1024" />
<add name="FastCGI" value="4096" />
<add name="WebSocket" value="16384" />
</areas>
</add>
<add name="ASP" guid="{06b94d9a-b15e-456e-a4ef-37c984a2cb4b}">
<areas>
<clear />
</areas>
</add>
<add name="ISAPI Extension" guid="{a1c2040e-8840-4c31-ba11-9871031a19ea}">
<areas>
<clear />
</areas>
</add>
<add name="ASPNET" guid="{AFF081FE-0247-4275-9C4E-021F3DC1DA35}">
<areas>
<add name="Infrastructure" value="1" />
<add name="Module" value="2" />
<add name="Page" value="4" />
<add name="AppServices" value="8" />
</areas>
</add>
</traceProviderDefinitions>

How to protect against shell injection and blind timing on Windows IIS using web.config?

I used Vega scanner to test my web application and it found some Shell Injection vulnerabilities that can be found by entering commands like these:
GET /http:/mywebsite.com/?s="%20%3B%20/bin/sleep%2031%20%3B
GET /http:/mywebsite.com/http:/http:/mywebsite.com/?s="%20%3B%20/bin/sleep%2031%20%3B
I'm running Windows Server with IIS and PHP. A portion of my web.config file is here:
<requestFiltering>
<denyUrlSequences>
<add sequence="module" />
<add sequence="engine" />
<add sequence="tpl(\.php" />
<add sequence="profile" />
<add sequence="Root" />
<add sequence="Tag" />
<add sequence="Template" />
<add sequence="Repository" />
<add sequence="code-style" />
<add sequence="GET /?p=/./" />
<add sequence="/?p=/./" />
<add sequence="/?" />
<add sequence="/?p=/./ HTTP/1.1" />
<add sequence="/bin/sleep" />
<add sequence="sleep" />
<add sequence="bin" />
<add sequence="{" />
<add sequence="}" />
<add sequence=";" />
<add sequence="|" />
<add sequence="~" />
</denyUrlSequences>
</requestFiltering>
What I'm trying to do is block these types of queries from being used by using the web.config file. What I have above should be blocking the malicious queries, but it appears to not be working even after updating the web.config and rescanning. Could anyone give me advice on how to proceed please? Thank you very much!
try using denyQueryStringSequences since in this case the payload based on your example is coming on the Query not on the segments, for example (and adding the segment as well just incase)
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<remove segment="bin" />
<add segment="bin" />
</hiddenSegments>
<denyQueryStringSequences>
<add sequence="/bin" />
</denyQueryStringSequences>
</requestFiltering>
</security>
</system.webServer>

Azure website IP restriction

I have an Azure website which I only use for development and testing, therefore I want to restrict access to it for everyone but myself.
According to this blog article this is now offically supported, so I tried adding this to my web.config file:
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="1.2.3.4" />
</ipSecurity>
</security>
</system.webServer>
For the ipAddress attribute I have to use the IP address of my internet connection right? So I went to http://www.whatismyip.com/ and copied the address, but now my website is simply blocking all requests, the allow rule has no effect.
Did I miss something?
UPDATE: The log files revealed that the IPs seen by the web server are not those of the actual clients, but of a proxy in between (Cloudflare). So I tried to solve this by adding enableProxyMode="true", unfortunately this does not fix my issue. Any ideas of how to get IP restrictions to work with Cloudflare?
Just in case someone is trying to setup IP restrictions with Cloudflare: the solution is to not only add your IP to the whitelist, but also all the Cloudflare IPs (taken from here).
<system.webServer>
<security>
<ipSecurity enableProxyMode="true" allowUnlisted="false" denyAction="NotFound">
<!-- YOUR IP -->
<add allowed="true" ipAddress="1.2.3.4" />
<!-- CLOUDFLARE -->
<add allowed="true" ipAddress="199.27.128.0" subnetMask="255.255.248.0" />
<add allowed="true" ipAddress="173.245.48.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="103.21.244.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.22.200.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.31.4.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="141.101.64.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="108.162.192.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="190.93.240.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="188.114.96.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="197.234.240.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="198.41.128.0" subnetMask="255.255.128.0" />
<add allowed="true" ipAddress="162.158.0.0" subnetMask="255.254.0.0" />
<add allowed="true" ipAddress="104.16.0.0" subnetMask="255.240.0.0" />
</ipSecurity>
</security>
</system.webServer>
Not intended as a full answer, just posting a slightly updated list of CloudFlare IPs in useful copy/paste format. See the accepted answer for usage.
<add allowed="true" ipAddress="103.21.244.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.22.200.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.31.4.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="104.16.0.0" subnetMask="255.240.0.0" />
<add allowed="true" ipAddress="108.162.192.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="131.0.72.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="141.101.64.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="162.158.0.0" subnetMask="255.254.0.0" />
<add allowed="true" ipAddress="172.64.0.0" subnetMask="255.248.0.0" />
<add allowed="true" ipAddress="173.245.48.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="188.114.96.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="190.93.240.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="197.234.240.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="198.41.128.0" subnetMask="255.255.128.0" />
<add allowed="true" ipAddress="199.27.128.0" subnetMask="255.255.248.0" />
This is the current list of Cloudflare IPs:
<security>
<ipSecurity allowUnlisted="false">
<!-- CLOUDFLARE -->
<add allowed="true" ipAddress="103.21.244.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.22.200.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="103.31.4.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="104.16.0.0" subnetMask="255.248.0.0" />
<add allowed="true" ipAddress="104.24.0.0" subnetMask="255.252.0.0" />
<add allowed="true" ipAddress="108.162.192.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="131.0.72.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="141.101.64.0" subnetMask="255.255.192.0" />
<add allowed="true" ipAddress="162.158.0.0" subnetMask="255.254.0.0" />
<add allowed="true" ipAddress="172.64.0.0" subnetMask="255.248.0.0" />
<add allowed="true" ipAddress="173.245.48.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="188.114.96.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="190.93.240.0" subnetMask="255.255.240.0" />
<add allowed="true" ipAddress="197.234.240.0" subnetMask="255.255.252.0" />
<add allowed="true" ipAddress="198.41.128.0" subnetMask="255.255.128.0" />
</ipSecurity>
</security>
Since Azure SDK 2.3 it's possible to use Access Control List (ACL) to apply IP restrictions for your cloud services.
Just add the ACL to your ServiceConfiguration.Cloud.cscfg:
<NetworkConfiguration>
<AccessControls>
<AccessControl name="test">
<Rule action="permit" description="test" order="100" remoteSubnet="xxx.xxx.xxx.xxx/32" />
<Rule action="deny" description="test" order="200" remoteSubnet="0.0.0.0/0" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="WebRoleName" endPoint="Endpoint1" accessControl="test" />
</EndpointAcls>
</NetworkConfiguration>

Resources