IIS Warning 1309 with "dangerous Request.Path value" and web site fails to load until site restart - ToddMaxey/Technical-Documentation GitHub Wiki

Issue: Web service stops serving, and an Event ID 1309 is logged showing a passed URL that looks like a CRLF injection attack attempt.

Reviewed the one of the IIS servers for web shells in the website folders and reviewed the IIS web site logs and found nothing more.

Machine as stock Defender running. I suggested they use Defender EOP to protect this endpoint since it is interfaced with the Internet.

We discussed some possible remediations and I noted they should discuss this with an IIS engineer.

The Warning 1309 event with the "dangerous Request.Path value" in IIS is often triggered when a potentially harmful value is detected in the request path. This is a security measure to prevent attacks such as CRLF injection.

Here are a few ways to prevent this warning:

1. Modify the web.config file: You can modify the web.config file to change the requestPathInvalidCharacters attribute in the httpRuntime section. Here's an example of how you can do this:

`xml

<system.web>

</system.web>`

This configuration sets the requestPathInvalidCharacters attribute to an empty string, which means no characters are considered invalid. The validateRequest attribute is set to false, which disables request validation.

2. URL Rewrite: If the issue is caused by certain characters in the URL, you can use the URL Rewrite module in IIS to rewrite the URLs.

To set up and enable URL Rewrite in IIS, you can follow these steps:

1. Check if the module is installed. You can do this by opening your Internet Information Services (IIS) Manager and selecting any of your websites under Sites in the Connections panel. If you don’t see the module in the list, you’ll need to install it first.

2. If the module is not installed, you can download the URL Rewrite Module for IIS 7 (and later) and follow the prompts to install the module.

3. After installation, restart your IIS Manager, and you should now have the module available.

4. To redirect URL to use HTTPS to secure a website, open your IIS Manager and click on Default Web Site at the left panel. Double-click on the URL Rewrite module to add rewrite rules.

5. Click on Add Rule(s) option at the right panel, and a pop-up window appears where you’ll select a rule template. Select Blank rule and click OK.