Steve Gibson and his broken IIS Condom

2001

Steve Gibson has a thing for re-inventing the wheel. He writes software that claims to do miracles of security, when in reality it is a poor implementation of technology that has been around for a while. In 2001 he wrote an "Advanced IIS Filter" to protect Microsoft IIS installations:

Advanced IIS Filter -- preemptive security for IIS

Following the "IIS Worm Wars" of 2001, it was clear that the world needed to be protected from future "Malicious URL" exploits against IIS. So I created a prophylactic filter (APF) to examine and discard bogus URLs before they could touch and exploit IIS. Here's a sample bogus URL aimed at our hybrid, APF-protected, web server: http://www.grc.com/00000.

As with most of his amazing and 'revolutionary' ideas, this protection mechanism was bypassed within minutes by Marc Maiffret, using a common attack that had been around for years. In his web forum post about his "new super cool security system":

A valid request URL like this one will bring up the grc.com content:

http://grc.com/x/talk.exe?cmd=xover&group=grc.news

But do something whacky, like try to back up the directory tree, screw around with "double URL decoding" or UNICODE, or mess with the valid syntax for passing CGI parameters ...

http://grc.com/x/talk.exe?cmd=xover&&group=grc.news

From Maiffret:

"In the above example if you click the second link it takes you to a page that says "Invalid Request Detected & Blocked" because his uber cool security tool detected that two &'s is a bad thing and therefore filtered the request. However if you send a request like http://grc.com/x/talk.exe?cmd=xover&%u0026group=grc.news which is %u encoded... he doesn't handle %u so it gets past his dumb crap."
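The failure Maiffret describes is a validate-before-canonicalize bug: the filter looks for "&&" in the raw URL, but IIS understands Microsoft's non-standard %uXXXX encoding and decodes %u0026 to "&" after the check has already passed. The following is an added example (not Gibson's or Maiffret's code, and the internals of APF are assumed from the description, not known): a naive check beside one that decodes %XX and %uXXXX to a fixed point before validating, using the three URLs from the page as constructed inputs.

```python
import re

# Constructed sample URLs, taken from the text above: the valid request,
# the "&&" request the filter blocked, and the %u-encoded one it let through.
VALID = "http://grc.com/x/talk.exe?cmd=xover&group=grc.news"
BLOCKED = "http://grc.com/x/talk.exe?cmd=xover&&group=grc.news"
BYPASS = "http://grc.com/x/talk.exe?cmd=xover&%u0026group=grc.news"

def naive_filter(url):
    """Assumed model of the original check: look at the raw URL only."""
    return "&&" not in url

# IIS-style %uXXXX (16-bit code point) and ordinary %XX escapes.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")
_PCT = re.compile(r"%([0-9a-fA-F]{2})")

def decode_once(s):
    """One decoding pass. %XX is mapped byte-for-byte to a code point,
    which is enough for the ASCII delimiters a filter cares about."""
    s = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)

def canonicalize(url, max_passes=3):
    """Decode until the string stops changing (bounded), so double
    encoding such as %2526 -> %26 -> & also collapses before the check."""
    for _ in range(max_passes):
        decoded = decode_once(url)
        if decoded == url:
            return url
        url = decoded
    return url

def canonical_filter(url):
    """Validate after canonicalization: the order the filter needed."""
    return "&&" not in canonicalize(url)

if __name__ == "__main__":
    for u in (VALID, BLOCKED, BYPASS):
        print(f"naive={naive_filter(u)!s:5} canonical={canonical_filter(u)!s:5} {u}")
```

Run as a script, it shows the naive check passing the %u-encoded URL while the canonicalizing check rejects it, since both the "&&" and "%u0026" forms collapse to the same decoded string.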
