We have a C# MVC application that contains a call to an endpoint that is formatted like this:

VerifyMe/12345/Password:Reset

On 2 servers, both with no Request Filtering set and our application having no web.config entry for httpRuntime requestPathInvalidCharacters, one server (IIS 10) is allowing the request through and one server (IIS 8) is returning a 400 Bad Request (due to the colon).

I cannot find anywhere that talks about the valid characters changing between the 2 versions.

Is there anything else that could be making the IIS 8 server return a 400 for that URL?

Mike
  • Windows HTTP API is where incoming requests are parsed and handled initially after landing on a Windows machine, and due to security considerations, its behaviors can change from time to time: https://learn.microsoft.com/en-US/troubleshoot/developer/webapps/aspnet/site-behavior-performance/error-logging-http-apis – Lex Li Sep 08 '22 at 02:06

1 Answer

The root cause of the problem is the colon, which on Windows (and DOS) based systems is a reserved character for file structures and can give you all kinds of problems.

It seems that ASP.NET doesn't allow a colon before "?", even though it is encoded as %3A in the URL. You can refer to this thread.

YurongDai
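The path check described in the answer above can be reproduced offline to audit route patterns before deployment. This is an added example, not code from the original post or from ASP.NET: it models only the `requestPathInvalidCharacters` check using the ASP.NET 4.0+ default value, the function names are hypothetical, and it assumes the path is percent-decoded once before the check (which is what the answer describes for `%3A`). It does not model HTTP.sys or IIS Request Filtering.

```python
from urllib.parse import unquote

# Default <httpRuntime requestPathInvalidCharacters> value in ASP.NET 4.0+,
# which applies when web.config has no entry (the situation in the question).
DEFAULT_INVALID_PATH_CHARS = "<,>,*,%,&,:,\\,?"


def parse_invalid_chars(setting):
    """Split the comma-separated config value into a set of characters."""
    return {c for c in setting.split(",") if c}


def path_violations(raw_url, setting=DEFAULT_INVALID_PATH_CHARS):
    """Return (index, char) pairs in the path that the setting rejects.

    Only the part before '?' is checked. The path is percent-decoded once
    first (assumption), so an encoded colon (%3A) is treated like ':'.
    """
    path = raw_url.split("?", 1)[0]
    decoded = unquote(path)
    invalid = parse_invalid_chars(setting)
    return [(i, ch) for i, ch in enumerate(decoded) if ch in invalid]


# Constructed samples; only the first URL appears in the question.
SAMPLES = [
    "VerifyMe/12345/Password:Reset",         # colon in the path
    "VerifyMe/12345/Password%3AReset",       # encoded colon in the path
    "VerifyMe/12345?action=Password:Reset",  # colon moved to the query string
    "VerifyMe/12345/Password-Reset",         # colon replaced in the route
]


def audit(urls, setting=DEFAULT_INVALID_PATH_CHARS):
    """Map each URL to the list of violations found in its path."""
    return {u: path_violations(u, setting) for u in urls}


if __name__ == "__main__":
    for url, hits in audit(SAMPLES).items():
        verdict = "rejected" if hits else "accepted"
        print(f"{verdict:9} {url}  {hits}")
```
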