How to keep escape characters of slash ‘/’ in URL when using IIS ARR


 

Recently I encountered an issue that customer would like to keep Escape Characters (in this case, it’s slash ‘/’, which is encoded to ‘%2F’) in URL, when using IIS ARR to forward the request to backend server. For example, if the Browser send a request containing /a%2Fb to IIS, then ARR would forward the request to backend server, you may found backend server would receive the request being replaced to /a/b.

Actually, the reason is URL Rewrite performs matching and rewrite based on the cooked URL (canonical form, decoded) provided by the underlying HTTP layer (HTTP.sys). When process decoded URL, URL Rewrite has no knowledge on whether the original form of ‘/’ is “%2F” or it’s just a regular delimiter. As a consequence, when URL Rewrite encode the final forward URL for ARR, it just leaves ‘/’ as it is. This is a default behavior.

Workaround

==========

It would be best to avoid this kind of URL. But if your website must send request containing ‘%2F’, here is a workaround: USING DOUBLE ESCAPE.

In detail, set system.webServer/security/requestFiltering/allowDoubleEscaping to true, and modify the original URL to /a%252Fb (encode ‘%’ to ‘%25’). After that, the backend server could receive the request as /a%2Fb.

More references:

https://blogs.iis.net/nazim/use-of-special-characters-like-in-an-iis-url

https://blogs.iis.net/wadeh/how-iis-blocks-characters-in-urls?CommentPosted=true#commentmessage

Thanks,

Cynthia Jiang from DSI team


Comments (0)

Skip to main content