
If we post the URL with the text "/../../../../" appended at the end, IIS returns a "403 - Forbidden" error in the response header.

Is there any way to configure IIS to return a "404 - Not Found" error instead of a "403"?

This is an asp.net web application.

A security scan of our site noted that returning "403" could assist a malicious person mapping our site; had not thought of that before, but I have to admit it makes sense.

Vijay Kumar
  • This question is a bit vague, can you explain what you are trying to achieve? What are you running on IIS, what have you tried and what do you expect to see? Providing a bit more information will help others solve your problem. – RedCrusador Feb 14 '20 at 10:27
  • Learn the substatus code first, https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0 – Lex Li Feb 14 '20 at 14:09

2 Answers


I had to do the same thing because of a security scan too. Here is my solution; do this in your web.config file. In my case I had custom HTML pages for error codes, which I believe is a good practice.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <directoryBrowse enabled="false" />
        <httpErrors errorMode="Custom">
            <remove statusCode="404" />
            <error statusCode="404" path="/physical_path_to_your_custom_404_page_relative_to_the_web.config_file/404.html" responseMode="Redirect" />
            <error statusCode="403" subStatusCode="14" path="/physical_path_to_your_custom_404_page_relative_to_the_web.config_file/404.html" responseMode="Redirect" />
        </httpErrors>
    </system.webServer>
</configuration>

With that, both the real 404 errors and 403.14 (.14 is the specific code for reaching a real path but with browsing denied) errors will redirect to a 404 error page. There will be no 403 to be seen, so for the end user both are 404 errors.

Edit: you may need to install the "HTTP Errors" feature for this to work.

lucasdclopes

Did you post a request like "http://mydomain/../../../../" and receive a 403 error?

If so, you could probably notice that its response Server header is Server: Microsoft-HTTPAPI/2.0 instead of Server: Microsoft-IIS/7.5. It means the request gets blocked at the http.sys level. So I'm afraid we can't do anything in IIS.

We can only rewrite 403 to 404 with URL Rewrite when the IIS module that returns the 403 error executes after the URL Rewrite module.

Edit:

This rule works fine on my side.


Jokies Ding
  • Yes, I am facing the same issue. I have tried URL Rewrite but it is not working. Can you provide any solution, or is there any option to hide the Server: Microsoft-HTTPAPI/2.0 information? – Vijay Kumar Feb 17 '20 at 10:46
  • @VijayKumar I'm sorry that the response status can't be rewritten at the HTTP.sys level. If you want to remove it, please add a DWORD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\DisableServerHeader=2. For IIS, you could try URL Rewrite https://stackoverflow.com/questions/1178831/remove-server-response-header-iis7 – Jokies Ding Feb 17 '20 at 10:59
  • I have tried the rewrite rules below; still not working. `code` – Vijay Kumar Feb 17 '20 at 12:31
  • @VijayKumar Did you try the outbound rule with your 403 error? If so, URL Rewrite will not work. You need to try it on a request that can reach the IIS pipeline. Failed request tracing can help you narrow down why the rewrite rule is not working. https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-failed-request-tracing-to-trace-rewrite-rules – Jokies Ding Feb 17 '20 at 13:20
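A verification script that ties the two answers together, added here as an example; it is not code posted by anyone in this thread. The first answer maps 403.14 to a 404 page in web.config, and the second answer explains that a 403 whose Server header reads Microsoft-HTTPAPI/2.0 came from http.sys and cannot be changed by IIS configuration. The script sends a few HEAD requests against a site you administer and reports, for each, the status code, the Server header, and which layer answered. It assumes curl.exe is available (Windows 10 1803 / Server 2019 and later ship it); the function name Get-RawResponseInfo, the default $BaseUrl, and the folder name in the second probe are placeholders, not names from the page. One caveat it encodes: Invoke-WebRequest and System.Uri collapse "/../" segments on the client before sending, so only a client that sends the path as-is can show you what http.sys actually returns.

```powershell
# Added example, not from the question or either answer. Assumes curl.exe is on PATH and
# that $BaseUrl is a site you administer (placeholder value below).
param(
    [string]$BaseUrl = 'http://localhost'   # placeholder: scheme + host of your own site
)

function Get-RawResponseInfo {
    <#
      Sends one HEAD request and reports status, Server header and answering layer.
      --path-as-is keeps "/../" in the request line; .NET-based clients normalise it away
      and would therefore never reproduce the http.sys response seen in the question.
    #>
    param([Parameter(Mandatory)][string]$Url)

    $raw   = & curl.exe --path-as-is -I -s -S --max-time 10 $Url 2>&1
    $lines = @($raw | ForEach-Object { [string]$_ })

    $status = 0
    $server = '(no Server header)'
    foreach ($line in $lines) {
        if ($status -eq 0 -and $line -match '^HTTP/\S+\s+(\d{3})') { $status = [int]$Matches[1] }
        elseif ($line -match '^Server:\s*(.*?)\s*$')                { $server = $Matches[1] }
    }
    if ($status -eq 0) { throw "No HTTP status line from $Url : $($lines -join ' | ')" }

    # As the second answer states: Microsoft-HTTPAPI/2.0 means http.sys answered before the
    # request reached the IIS pipeline, so web.config and URL Rewrite cannot alter it.
    $layer = switch -Wildcard ($server) {
        'Microsoft-HTTPAPI*' { 'http.sys (kernel listener)' }
        'Microsoft-IIS*'     { 'IIS pipeline' }
        default              { 'unknown (header removed or not IIS)' }
    }

    [pscustomobject]@{ Url = $Url; Status = $status; Server = $server; AnsweredBy = $layer }
}

# Three probes: a page that does not exist (plain 404), an existing folder with no default
# document (403.14 before the first answer's web.config change), and the traversal-style
# URL from the question. The folder name is a placeholder for a real folder under your root.
$probes = @(
    "$BaseUrl/no-such-page-$(Get-Random)"
    "$BaseUrl/some-existing-folder/"
    "$BaseUrl/../../../../"
)

$results = foreach ($p in $probes) { Get-RawResponseInfo -Url $p }
$results | Format-Table -AutoSize

$leaks = @($results | Where-Object { $_.Status -eq 403 })
if ($leaks.Count -gt 0) {
    foreach ($r in $leaks) {
        if ($r.AnsweredBy -like 'http.sys*') {
            Write-Warning "$($r.Url) -> 403 from http.sys; not changeable in IIS (second answer)."
        } else {
            Write-Warning "$($r.Url) -> 403 from IIS; check the httpErrors 403.14 mapping (first answer)."
        }
    }
} else {
    Write-Host 'No 403 responses observed for these probes.'
}
```

Save it as a .ps1 and run it with `-BaseUrl https://your-site.example` before and after applying the web.config change; the question used a POST, but the status and Server header behave the same for the HEAD request sent here. The third probe is expected to keep returning whatever http.sys sends regardless of web.config, which is exactly the distinction the second answer draws.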