ASP.NET Forms vulnerability does not only affect Forms Authentication!

It gets worse and worse: As Lorenzo Barbieri states in is weblog (, the \- and %5c-vulnerability does not only affect Forms Authentication: It also affects Windows Authentication!

If you secure a path - say: http://localhost/site/secure/default.aspx - and the client (=browser) tries to access the resource using Backslashes or (even worse) the hexadecimal representation (http://localhost/site/secure\default.aspx or http://localhost/site/secure%5cdefault.aspx or a mixture of it: http://localhost/site/secure\%5cdefault.aspx), IIS does not reject the request, but allows you to enter the resource without any authentication. This affects every pre-Windows 2003 system without URLScan and / or IIS Lockdown tool.

To protect yourself from this type of vulnerability, install URLScan and execute IIS Lockdown tool!

Additional resources:

1 Comment

Comments have been disabled for this content.