I am looking at my IIS web log and notice some log records with an sc-status of 302.
I did research and am only more confused.
At first, it looks simple, if a little vague.
"This is an example of industry practice contradicting the standard.
[...] Therefore, HTTP/1.1 added status codes 303 and 307 to
distinguish between the two behaviours.[25] However, some Web
applications and frameworks use the 302 status code as if it were the
303."
While I understand the concept, I am not sure which meaning to apply when viewing an IIS web log. Do I treat the 302 status code as a 303 ("See Other" -- a way to redirect to a new URL) or as a 307 ("Temporary Redirect")?
307 causes a redirect using the same "verb" with which the original URL was requested. That allows POST data to be preserved. By contrast, 301/302 will always cause a GET of the new URL, losing any POST data that may have been present.
As well, with 301/302, the browser can cache the response and always go to the new URL, bypassing the original URL. 307 requires that the original URL be hit again, even if it does end up being another redirect.
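Since the original question is about reading this in the IIS log, the following added example (mine, not part of the question or either answer) shows what can and cannot be recovered from the log alone. It parses IIS W3C extended log lines using the #Fields directive, lists every 302 and pairs it with the next request from the same client IP. The log lines are constructed for the example; the field names are the standard W3C names IIS writes. The practical point: IIS does not log the Location header or what the client did next, so a 302 row by itself cannot tell you whether the client treated it as a 303 or a 307; the follow-up request from the same client is what reveals that.

```python
from typing import Dict, List, Optional

# Constructed sample in IIS W3C extended format (not a real log).  IIS replaces
# spaces inside a value with "+", so every line splits cleanly on single spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 POST /account/save - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 302 0 0 31
2024-01-15 10:00:01 10.0.0.5 GET /account/saved - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12
2024-01-15 10:00:05 10.0.0.5 GET /old-page - 80 - 203.0.113.9 curl/8.4.0 302 0 0 3
2024-01-15 10:00:09 10.0.0.5 GET /index.jsp id=1 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 8
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names.

    Directive lines (#Software, #Date, ...) are skipped; #Fields defines the
    column layout for the data lines that follow it.
    """
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def redirect_followups(rows: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """For every 302, report the method that received it and the next request
    from the same client IP.

    The log has no Location field, so this pairing is a heuristic: a browser
    that POSTed and got a 302 should reappear with a GET (per the answer
    above); a client that never comes back yields next_method None.
    """
    report = []
    for i, row in enumerate(rows):
        if row["sc-status"] != "302":
            continue
        nxt = next((r for r in rows[i + 1:] if r["c-ip"] == row["c-ip"]), None)
        report.append({
            "client": row["c-ip"],
            "redirected_method": row["cs-method"],
            "redirected_uri": row["cs-uri-stem"],
            "next_method": nxt["cs-method"] if nxt else None,
            "next_uri": nxt["cs-uri-stem"] if nxt else None,
        })
    return report


if __name__ == "__main__":
    for entry in redirect_followups(parse_w3c(SAMPLE_LOG)):
        print(entry)
```

Run it as-is to see the two 302 rows: the browser's POST is followed by a GET of /account/saved, while the curl client that received a 302 on /old-page never requests anything else, so the log cannot say how it would have handled the redirect.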
I injected some URLs to crawl, ran one round, and found some URLs marked db_redir_temp.
{"url":"http://www.universityhealth.org","pst":"temp_moved(13), lastModified=0: https://www.universityhealth.org/"}
{"url":"http://silvercappartners.com","pst":"temp_moved(13), lastModified=0: http://silvercappartners.com/index.html"}
May I know why http://www.universityhealth.org is shown as db_redir_temp when it is pointing to the same URL?
The URL http://silvercappartners.com is pointing to http://silvercappartners.com/index.html.
Should I take it that the pst column gives the redirected URL?
The two URLs
http://www.universityhealth.org
https://www.universityhealth.org/
differ in one important point, the protocol (or scheme): http vs. https. These are not always equivalent, e.g. a web server may not support https. The other point (the trailing /) is irrelevant; the HTTP request for both the empty path and the server root path is GET / HTTP/1.1 (maybe using a different protocol version).
But the true reason is simply that the server responded with HTTP/1.1 302 Found, which is a redirect, see HTTP 302.
The "pst" or "protocol status" metadata field may include a message. For redirects it contains the redirect target.
Here's the thing. I'm trying to protect my server from XSS attacks (so far with no trouble at all, by changing HTTP response headers and other things), but a generic vulnerability is still present, and it happens because some JavaScript code can be inserted in the URL
(i.e. http://myhost.com/thisfile.jsp?<script>alert("hello")</script> )
When I type this, the response is an HTTP 202 OK status (it redirects to my 404 page). But I need to do one of these actions:
throw another HTTP status (405, 500, or any status giving an error)
throw an error.
What can I do? Is there any way to strip the tags or recognize them via the web.config file to throw an error? I've been trying with the rewrite module and request filtering with no success at all.
Thank you so much in advance, regards.
Thank you... I solved it and it was so easy (I can't believe I didn't try that first).
I went to IIS Manager and then clicked on Request Filtering.
Then, on the "Rules" tab, I added a "Filtering Rule" applying to all file extensions, and in the field "Deny Query String" I added <script>, <scr+ipt>, etc. So when the URL comes with a tag like that, the connection is closed without showing a 404 or any error page.
It worked and now the vulnerability scanner doesn't show any risk.
In addition to noindex and other headers, I want to send 403 status with every request on a dev server we use. I have put an .htaccess file in the home dir (above the web root) so that every request is tagged, and all seems to be working well, minus the 200 OK status.
Is there a way that .htaccess can set the status to 403 for all requests without actually triggering the forbidden page mechanisms? This would work similarly to how PHP can do it with header('HTTP/1.1 403 Forbidden');. I don't want to have to worry about putting header()-style fixes all over the stuff below in the folders... it would be far easier and more consistent via .htaccess (with the ability to tag assets to boot).
Does the browser make a new request to the location given in the header?
I ask because I was playing around with Fiddler and noticed when I make a request to a page that returns a 302 HTTP code, there are two entries in the network log. The first is to the initial URL, and the second is to the new location given in the response header of the first request.
I'm just curious if web browsers work the same way, but just hide the first response from the user.
Yes, the browser works in a very similar fashion. You can try requesting a URL in Chrome, possibly the one you tried in Fiddler. Chrome's Network log will show you two requests.
The RFC description of HTTP status codes can be read over here.
Quoting from there, regarding the 302 status code:
RFC 1945 and RFC 2068 specify that the client is not allowed
to change the method on the redirected request. However, most
existing user agent implementations treat 302 as if it were a 303
response, performing a GET on the Location field-value regardless
of the original request method. The status codes 303 and 307 have
been added for servers that wish to make unambiguously clear which
kind of reaction is expected of the client.
When a server responds with a 302 status code, it sends back the new URL (to which the currently requested old URL is to be redirected) to the requesting user agent (likely a browser). Now, as per the RFC document, the user agent must not request the new URL for a 302 status code. Yet most of them do make a second request.
Hope this helps.
The objective is to redirect a user after he/she saves a form, to a success page. The question is what's the best redirect method - redirect code - that should be used?
HTTP Status Codes
Technically, I think 303 is most appropriate, assuming that you always want the redirect to be executed as a GET, per the spec.
However, that won't be supported by HTTP 1.0 clients. All modern browsers should be good with HTTP 1.1 though.
302 redirects will work fine, but if browsers ever decide to implement the spec correctly (which is unlikely at this point), this may break apps because, technically, it's supposed to use the same method as the original request (so if you POST, it will POST for the redirect as well). In fact, most web frameworks' built-in redirect functionality uses 302 redirects, not 303s, but that's just because the browsers have created a de facto standard.
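The POST-preservation point made earlier in this thread (307 keeps the method, 302 in practice becomes a GET), the two-request behaviour seen in Fiddler, and the 302-versus-303 choice for a post-form redirect can all be observed on the wire with the following added example. It is mine, not code from any of the posts: it starts a throw-away local HTTP server (the paths /redir/<code> and /target are invented for the demo), POSTs a small form body at each redirect status, follows the redirect the way a browser would, and reports which method the target actually received. next_hop_method encodes the de facto browser rule the answers describe (POST to GET on 301/302), not the letter of RFC 1945/2068.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RedirectHandler(BaseHTTPRequestHandler):
    """Demo server: /redir/<code> answers with that 3xx status and a Location
    header pointing at /target; /target echoes the method it received."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _handle(self):
        # Drain any request body so the server does not close the socket with
        # unread data, which could reset the connection before the client
        # finishes reading the response.
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.startswith("/redir/"):
            code = int(self.path.rsplit("/", 1)[1])
            self.send_response(code)
            self.send_header("Location", "/target")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            body = self.command.encode()  # "GET" or "POST"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    do_GET = do_POST = _handle


def next_hop_method(status: int, method: str) -> str:
    """Method a browser uses for the request that follows a redirect.

    RFC 7231: 303 -> always GET (body dropped); 307/308 -> same method and
    body.  301/302: the spec permits keeping the method, but every mainstream
    browser rewrites POST to GET, which is the behaviour this thread relies on.
    """
    if status == 303:
        return "GET"
    if status in (301, 302) and method == "POST":
        return "GET"
    return method  # 307/308, or a request that was not a POST to begin with


def follow(port: int, method: str, status: int, body: bytes = b"x=1") -> str:
    """Send one request, obey the redirect as a browser would, and return the
    method that /target actually saw (the second entry in a network log)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(method, f"/redir/{status}",
                 body=body if method == "POST" else None,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()

    nxt = next_hop_method(resp.status, method)
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(nxt, location, body=body if nxt == "POST" else None)
    seen = conn.getresponse().read().decode()
    conn.close()
    return seen


def demo() -> dict:
    """POST a form at 302, 303 and 307 and record what the target received."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)  # ephemeral port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {code: follow(port, "POST", code) for code in (302, 303, 307)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for code, seen in demo().items():
        print(f"POST -> {code} -> /target saw {seen}")
```

Running it shows the behaviour the answers describe: after a 307 the target receives a POST with the form body intact, while after a 303, and after a 302 handled the way browsers handle it, the target receives a GET and the form data is gone. For a save-then-redirect flow that is exactly what you want, which is why 303 is the unambiguous choice and 302 only works because browsers treat it as one.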