IIS Home @ it-notebook.org

IIS 6.0 encodes certain characters in a redirection

(Kristofer Gafvert, March 12, 2005)

When IIS 6.0 advises the client that a requested page is to be found elsewhere (a redirection), certain characters are encoded in the referencing URL. This is to prevent cross-site scripting. The underscore character is encoded to %5F, and the hyphen character is encoded to %2D. According to RFC 3986 (published 2005) these characters are unreserved, and "should not" (for consistency) be encoded by URI producers. In previous RFCs (RFC 1738 and RFC 2396) these characters "may be encoded".

IIS replies with a redirection status code when (among other cases) the trailing slash is forgotten in a URL. This is called a "courtesy redirect". When IIS gets a request for:


it considers "folder-1" to be a file name without extension. IIS therefore looks for a file with the name "folder-1", and when it cannot find a file with this name, it assumes that the client wanted the folder named "folder-1" instead. In this case, IIS replies with a 301 "Moved Permanently" (IIS 6.0) or 302 "Object Moved" (previous versions of IIS). If the folder name contains an underscore or a hyphen, IIS 6.0 will encode this character. The above request would therefore result in this reply from IIS 6.0 (from WFetch):

RESPONSE: **************\nHTTP/1.1 301 Moved Permanently\r\n
Content-Length: 158\r\n
Content-Type: text/html\r\n
Location: http://www.gafvert.info/folder%2D1/\r\n
Server: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\n
Date: Sat, 12 Mar 2005 10:14:07 GMT\r\n
<head><title>Document Moved</title></head>\n<body><h1>Object Moved</h1>This document may be found <a HREF="http://www.gafvert.info/folder%2D1/">here</a></body>

This behavior should not cause any problems, because percent-encoded unreserved characters, "when found in a URI, should be decoded to their corresponding unreserved characters by URI normalizers." (RFC 3986, section 2.3). That is, the hyphen character (-) and %2D should be treated as equivalent. IIS 6.0 does this (it follows the RFC), but other components (for example custom-written ISAPI filters or applications) may not, and this can cause problems (they are not following the RFC).
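The normalization that RFC 3986 section 2.3 asks for, as a check a custom filter or application could run before comparing paths. This is an added example, not code from the original article or from IIS; the function names and the 512-byte buffer size are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)(c | 0x20);               /* fold ASCII A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* RFC 3986 section 2.3: unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" */
static int is_unreserved(int c) {
    return (c < 128 && isalnum(c)) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Copy uri to out, decoding only escapes of unreserved characters; any other
 * escape (e.g. %2F) stays encoded, hex upper-cased. Returns 0, or -1 if out is too small. */
int normalize_unreserved(const char *uri, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; uri[i] != '\0'; i++) {
        int hi = -1, lo = -1;
        if (uri[i] == '%' && (hi = hex_val(uri[i + 1])) >= 0 &&
            (lo = hex_val(uri[i + 2])) >= 0) {
            if (is_unreserved(hi * 16 + lo)) {
                if (o + 1 >= outsz) return -1;
                out[o++] = (char)(hi * 16 + lo);
            } else {
                if (o + 3 >= outsz) return -1;
                out[o++] = '%';
                out[o++] = (char)toupper((unsigned char)uri[i + 1]);
                out[o++] = (char)toupper((unsigned char)uri[i + 2]);
            }
            i += 2;
        } else {                        /* literal character or malformed escape */
            if (o + 1 >= outsz) return -1;
            out[o++] = uri[i];
        }
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return 0;
}

/* 1 if both URIs are identical after normalization, else 0 (also 0 on overflow). */
int same_uri(const char *a, const char *b) {
    char na[512], nb[512];              /* assumed maximum URI length for this example */
    return normalize_unreserved(a, na, sizeof na) == 0 &&
           normalize_unreserved(b, nb, sizeof nb) == 0 && strcmp(na, nb) == 0;
}
```

Only unreserved characters are decoded: turning an escape such as %2F into a literal slash would change the path structure, so a component that compares or filters URLs should not decode it at this stage.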

This encoding behavior cannot be disabled, but it can be worked around. The best workaround is to not use these characters at all, or, if this is happening in a "courtesy redirection", to make sure you use the trailing slash. Another workaround, developed by Olaf Lder, is an ISAPI filter that changes the URL back again.


Paper: HTML Code Injection and Cross-site scripting
RFC 3986
RFC 1738
RFC 2396
KB Article 298408, IIS generates courtesy redirect when folder without trailing slash is requested
ISAPI workaround by Olaf Lder