
Slow HTTP POST vulnerability

Question asked by seungik lee on Apr 10, 2018
Latest reply on Apr 10, 2018 by seungik lee

Hello, experts.

 

Recently I received a scan report from Qualys detecting a Slow HTTP POST vulnerability (QID 150085).
My server is Windows Server 2012.
The website was developed in classic ASP (using HTTPS).
The website has a file-attachment upload feature (10 megabytes).

 

The screen capture shows the current IIS settings.


Can I fix it only with IIS settings?

 

 

web.config

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Site-level IIS web.config for a classic ASP site served over HTTPS.
  Sections: cookie flags, connection/throughput limits, default documents,
  ASP handler mappings, custom error pages, an anti-framing header,
  request-size limits, and outbound Set-Cookie rewriting.
-->
<configuration>
  <system.web>
    <!-- ASP.NET cookie defaults: HttpOnly and Secure on cookies issued through
         System.Web. Classic ASP cookies do not pass through System.Web; the
         outbound rewrite rules at the bottom of this file cover those. -->
    <httpCookies domain="mysitedomain" httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.applicationHost>
    <!-- NOTE(review): IIS defines webLimits as a server-level section that
         lives in applicationHost.config; a copy in a site web.config is
         normally rejected as a configuration error rather than applied.
         Confirm where these values actually take effect on this server.

         Relevance to the Slow HTTP POST finding:
           connectionTimeout   idle-connection cutoff (30 s here)
           headerWaitTimeout   maximum time allowed to receive the full request headers
           minBytesPerSecond   per the IIS documentation, the minimum rate HTTP.sys
                               enforces while SENDING a response; whether it also
                               bounds a slowly transmitted request body should be
                               verified against the scanner's test, because the
                               10 MB upload endpoint is the path a slow POST exercises. -->
    <webLimits connectionTimeout="00:00:30"
               dynamicIdleThreshold="150"
               headerWaitTimeout="00:00:30"
               minBytesPerSecond="250"
    />
  </system.applicationHost>
  <system.webServer>
    <!-- Default documents in priority order; <clear /> drops inherited entries first. -->
    <defaultDocument>
      <files>
        <clear />
        <add value="index.asp" />
        <add value="index.html" />
        <add value="Default.asp" />
      </files>
    </defaultDocument>
    <!-- Both *.html and *.asp are routed to the 32-bit classic ASP ISAPI (asp.dll),
         limited to GET/HEAD/POST and to existing files. The inherited ASPClassic
         mapping is removed and re-declared with this site's settings. -->
    <handlers>
      <remove name="ASPClassic" />
      <add name="ASPhtml" path="*.html" verb="GET,POST,HEAD" modules="IsapiModule" scriptProcessor="C:\Windows\SysWOW64\inetsrv\asp.dll" resourceType="File" requireAccess="Script" preCondition="bitness32" />
      <add name="ASPClassic" path="*.asp" verb="GET,HEAD,POST" modules="IsapiModule" scriptProcessor="C:\Windows\SysWOW64\inetsrv\asp.dll" resourceType="File" requireAccess="Script" preCondition="bitness32" />
    </handlers>
    <!-- Custom error mode: the inherited pages for the listed status codes are
         removed and every one of them is answered by executing the single
         generic page /error/error.html (which the ASPhtml handler above serves). -->
    <httpErrors errorMode="Custom">
      <remove statusCode="502" subStatusCode="-1" />
      <remove statusCode="501" subStatusCode="-1" />
      <remove statusCode="500" subStatusCode="-1" />
      <remove statusCode="412" subStatusCode="-1" />
      <remove statusCode="406" subStatusCode="-1" />
      <remove statusCode="405" subStatusCode="-1" />
      <remove statusCode="401" subStatusCode="-1" />
      <remove statusCode="403" subStatusCode="-1" />
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="403" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="401" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="405" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="406" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="412" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="500" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="501" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
      <error statusCode="502" prefixLanguageFilePath="" path="/error/error.html" responseMode="ExecuteURL" />
    </httpErrors>
    <!-- Anti-framing header: the site may only be framed by pages of the same origin. -->
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
    <!-- Request filtering: bodies are capped at 10,240,000 bytes (just under 10 MiB,
         sized for the attachment upload), URLs at 2048 and query strings at 1024 bytes.
         The Content-type request header is capped at 100 bytes; multipart upload
         requests carry a boundary parameter in that header, so confirm the clients
         in use stay within this limit. -->
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="10240000" maxUrl="2048" maxQueryString="1024">
          <headerLimits>
            <add header="Content-type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>

    <!-- Outbound rules: every Set-Cookie response header that does not already
         contain the literal "; HttpOnly" / "; Secure" text gets it appended.
         This is what applies the flags to cookies set by classic ASP. -->
    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <conditions>
            <!-- negate="true": only rewrite when the flag is absent -->
            <add input="{R:0}" pattern="; HttpOnly" negate="true" />
          </conditions>
          <action type="Rewrite" value="{R:0}; HttpOnly" />
        </rule>
        <rule name="Add Secure">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" />
          <conditions>
            <add input="{R:0}" pattern="; Secure" negate="true" />
          </conditions>
          <action type="Rewrite" value="{R:0}; Secure" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

 

 



