DotNetOpenAuth OpenID behind an ISA 2006 reverse proxy
I am trying to host my site, which uses DotNetOpenAuth (OpenID), behind ISA 2006 (reverse proxy). After it authenticates with a provider (such as Google), it returns with a URL that contains %253A. However, the ISA HTTP filter rejects the request.
What I had to do was: on the ISA web publishing rule, right-click > Configure HTTP policy properties > uncheck "Verify Normalization", and it worked.
- Is this a problem on ISA 2006 generally? Do other firewalls have similar problems?
- Or, is it an OpenID or DotNetOpenAuth issue?
- Is it safe to disable Normalization checking on ISA?
According to MSDN, quote "Web servers receive requests that are URL encoded. This means that certain characters may be replaced with a percent sign (%) followed by a particular number. For example, %20 corresponds to a space, so a request for http://myserver/My%20Dir/My%20File.htm is the same as a request for http://myserver/My Dir/My File.htm. Normalization is the process of decoding URL-encoded requests.
Because the % can be URL encoded, an attacker can submit a carefully crafted request to a server that is basically double-encoded. If this occurs, Internet Information Services (IIS) may accept a request that it would otherwise reject as not valid. When you select Verify Normalization, the HTTP filter normalizes the URL two times. If the URL after the first normalization is different from the URL after the second normalization, the filter rejects the request. This prevents attacks that rely on double-encoded requests.
Note that while we recommend that you use the Verify Normalization function, it may also block legitimate requests that contain a %."
Comments (1)
OpenID messages may often contain double-encoded URLs in their requests. So from the documentation you provided, I'd say you must disable "Verify Normalization" on the reverse proxy.
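To make both points concrete (how the Verify Normalization check described in the MSDN quote works, and why a legitimate OpenID redirect trips it), here is an added Python model. It is not ISA's or DotNetOpenAuth's code; the `rp.example` / `idp.example` hosts and the `ret` query parameter are constructed stand-ins for a relying party's real return_to URL.

```python
from urllib.parse import unquote, urlencode


def verify_normalization(url: str) -> bool:
    """Model of ISA's 'Verify Normalization' rule as the MSDN text describes it:
    percent-decode the URL twice and accept it only if both passes agree.
    A difference means the request still carried encoded characters after
    one decode, i.e. it was double-encoded. Returns True when the request
    would be allowed through, False when the filter would reject it."""
    once = unquote(url)
    twice = unquote(once)
    return once == twice


def build_openid_return_url(provider_redirect_base: str, return_to: str) -> str:
    """Constructed illustration (not DotNetOpenAuth's implementation) of why an
    OpenID round-trip produces %253A: the relying party's return_to URL already
    contains percent-encoded characters (its own query string), and the provider
    then percent-encodes that whole URL again as the value of a query parameter.
    Every '%' in the inner URL becomes '%25', so '%3A' turns into '%253A'."""
    return provider_redirect_base + "?" + urlencode({"openid.return_to": return_to})


# Ordinary single-encoded request from the MSDN example: decoding twice is
# idempotent, so the filter lets it through.
PLAIN_URL = "http://myserver/My%20Dir/My%20File.htm"

# Constructed relying-party return_to URL whose own query value is URL-encoded.
RETURN_TO = "https://rp.example/login?ret=https%3A%2F%2Fidp.example%2F"


def demo() -> dict:
    """Run both cases and report what the filter would do with each."""
    openid_url = build_openid_return_url("https://rp.example/cb", RETURN_TO)
    return {
        "plain_url_allowed": verify_normalization(PLAIN_URL),
        "openid_url_contains_%253A": "%253A" in openid_url,
        # Legitimate, but indistinguishable from a double-encoding evasion
        # attempt by this check alone, so the filter rejects it.
        "openid_url_allowed": verify_normalization(openid_url),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the check cannot tell a nested URL from an evasion attempt, turning it off moves the responsibility for rejecting malformed or double-encoded paths to IIS and the application itself.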