URL-Encoded Angle Brackets in URL?
Question
I'm working on a legacy app and for whatever reason it's trying to stuff URL-encoded angle brackets into a URL. For example, to get a URL ending with "<sometext>":
http://somesite.com/somefolder/%3csometext%3e
When the above URL-encoded URL is fetched, it generates a 400 error (Bad Request) on IIS6 and I can't quite figure out why. Probably something simple, but I'm stumped.
Ideas? Thanks.
Solution
You must have URLScan tool installed (http://technet.microsoft.com/en-us/security/cc242650.aspx) which disallows angle brackets (in any form).
According to this,
The new default urlscan.ini contains a rule in it to protect against these sort of patterns and the rule is just simply:
[DenyQueryStringSequences]
<
>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow