STIGhub: A free STIG search and compliance tool. STIGs updated 3 days ago.
© 2026 Beacon Cloud Solutions, Inc.

V-268325

CAT II (Medium)

The Request Smuggling filter must be enabled.

Rule ID

SV-268325r1025163_rule

STIG

Microsoft IIS 10.0 Server Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-000381

Discussion

Security scans show a request smuggling vulnerability on the IIS server. The vulnerability allows a remote attacker to perform an HTTP request smuggling attack. It exists because HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards can disagree on how a sequence of HTTP requests received from multiple sources is delimited. A remote attacker can send a specially crafted request to a targeted IIS server, perform an HTTP request smuggling attack, and modify responses or retrieve information from another user's HTTP session.

Check Content

Open Registry Editor.
Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters".
Verify "DisableRequestSmuggling" is set to "1".

If REG_DWORD DisableRequestSmuggling is not set to 1, this is a finding.

Fix Text

Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters".
Create REG_DWORD "DisableRequestSmuggling" and set it to "1".

Note: This can be performed multiple ways; this is an example.
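As an added example (not STIG text and not a STIGhub tool), the Check Content and Fix Text above as one PowerShell script: it reports the finding condition exactly as the check states it (value present, REG_DWORD, equal to 1) and, with a hypothetical -Remediate switch defined here, applies the fix. It assumes an elevated session on the IIS host.

```powershell
[CmdletBinding()]
param(
    # Hypothetical switch for this example: when set, apply the Fix Text.
    [switch]$Remediate
)

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueName = 'DisableRequestSmuggling'

function Test-DisableRequestSmuggling {
    # $true only when the value exists, is REG_DWORD, and equals 1.
    # Checking the value kind matters: a REG_SZ "1" would pass a loose
    # comparison but does not satisfy the STIG's REG_DWORD requirement.
    $key = Get-Item -Path $RegPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return $false
    }
    return ([int]$key.GetValue($ValueName) -eq 1)
}

if (Test-DisableRequestSmuggling) {
    Write-Output "V-268325: Not a finding. $ValueName is REG_DWORD 1."
    exit 0
}

if (-not $Remediate) {
    Write-Output "V-268325: FINDING. $ValueName is missing, not REG_DWORD, or not 1."
    exit 1
}

# Fix Text: create the REG_DWORD and set it to 1. -Force overwrites an
# existing value of any type, so a wrong-typed value is replaced as well.
New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

if (Test-DisableRequestSmuggling) {
    Write-Output "V-268325: Remediated. $ValueName is now REG_DWORD 1."
    exit 0
}
Write-Output "V-268325: Remediation failed; verify the value manually in Registry Editor."
exit 1
```

HTTP.sys reads its Parameters key when the HTTP service starts, so a restart of that service (or a reboot) is typically needed before the new value takes effect; the script only confirms the registry state, not the running configuration.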