Double-Encoded requests

Ensure that double-encoded requests are rejected. This request filtering feature blocks attacks that rely on double-encoded requests, and applies when an attacker submits a double-encoded request to IIS. When the double-encoded requests filter is enabled, IIS normalizes the request in two iterations; if the result of the first normalization differs from the second, the request is rejected and a 404.11 error code is logged. The double-encoded requests filter corresponds to the VerifyNormalization option in UrlScan. It is recommended that double-encoded requests be rejected.

The allowDoubleEscaping request filter can be set for a server, website, or application using the IIS Manager GUI, AppCmd.exe commands in a command-line window, or by directly editing the configuration files.

To configure using the IIS Manager GUI:

  1. Open the Internet Information Services (IIS) Manager.
  2. In the Connections pane, select the site, application or directory to be configured.
  3. In the Home pane, double-click Request Filtering.
  4. Click Edit Feature Settings in the Actions pane.
  5. Under the General section, clear the Allow double escaping check box.

If a file name in a URL includes a + character, allowDoubleEscaping must be set to true for that request to work.
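The command-line and configuration-file routes mentioned above, as an added example that is not part of the original page: a PowerShell script using the WebAdministration module to audit allowDoubleEscaping and disable it where it is still on. It assumes an elevated session on the IIS host; the site name 'Default Web Site' is a placeholder.

```powershell
# Added example (not from the original page). Assumes an elevated PowerShell
# session on the IIS host with the WebAdministration module available.
Import-Module WebAdministration

$filter = 'system.webServer/security/requestFiltering'

# Returns $true when double-encoded requests are still accepted at this scope.
function Get-DoubleEscapingState {
    param([string]$PSPath = 'MACHINE/WEBROOT/APPHOST')
    (Get-WebConfigurationProperty -PSPath $PSPath -Filter $filter `
        -Name 'allowDoubleEscaping').Value
}

# Writes allowDoubleEscaping="false" into the configuration for this scope.
function Disable-DoubleEscaping {
    param([string]$PSPath = 'MACHINE/WEBROOT/APPHOST')
    Set-WebConfigurationProperty -PSPath $PSPath -Filter $filter `
        -Name 'allowDoubleEscaping' -Value $false
}

# Audit the server level and one site ('Default Web Site' is a placeholder),
# remediating any scope that still allows double escaping.
foreach ($path in @('MACHINE/WEBROOT/APPHOST', 'IIS:\Sites\Default Web Site')) {
    $state = Get-DoubleEscapingState -PSPath $path
    if ($state -eq $true) {
        Write-Warning "$path : allowDoubleEscaping is true; disabling"
        Disable-DoubleEscaping -PSPath $path
    } else {
        Write-Output "$path : allowDoubleEscaping=$state (compliant)"
    }
}

# Equivalent AppCmd.exe command for the server level:
#   %SystemRoot%\system32\inetsrv\appcmd set config -section:system.webServer/security/requestFiltering /allowDoubleEscaping:False
# Resulting fragment in applicationHost.config or web.config:
#   <requestFiltering allowDoubleEscaping="false" />
# Rejected requests appear in the IIS logs with sc-status 404 and sc-substatus 11.
```

Run the audit loop again after remediation, or before enabling it on a site whose file names contain +, since those requests will be rejected once the setting is false.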