How to get rid of IIS 400 Bad Request Error

TheMSsForum.com: The Microsoft Software Forum

I found some bad request error in HTTPERR directory.

One sample url is http://host/%E3%83%90%E3%83%B3%E3%82%AF%E3%82%B7%E3%82%B9%E3%83%86%E3%83%20.htm
(This may not be a good url, but I really don't want visitors only see
Bad Request).

I have rewriter to redirect all url to my php page. But the IIS
reports to the browser "Bad Request" even before reaching the
rewriter. After uninstalling the rewriter, IIS doesn't give 404 error,
always 400 bad request.

Someone told me it may be related to ASP.net. I tried to disable
ASP.NET, uninstall it or set the VerificationCompatibility value in
the registry. None of these works. I don't think it's really related
to ASP.NET

Need help about this. Thanks a lot!

IIS on Web-Server 2003 with latest service packs and paches.

Steve
Top

Re: How to get rid of IIS 400 Bad Request Error by Tiago

Tiago
Tue Mar 11 18:51:05 CDT 2008

That is HTTP.sys, the kernel driver which accepts all incoming HTTP calls,
blocking the malformed HTTP request. You should look into the possible
registry settings for the driver to check where/if you can customize its
behavior.

http://support.microsoft.com/kb/820129

Tiago Halm

"stevej99" <stevej994431@gmail.com> wrote in message
news:1205f483-ad34-4a12-98d8-d275e26f923d@p25g2000hsf.googlegroups.com...
>I found some bad request error in HTTPERR directory.
>
> One sample url is
> http://host/%E3%83%90%E3%83%B3%E3%82%AF%E3%82%B7%E3%82%B9%E3%83%86%E3%83%20.htm
> (This may not be a good url, but I really don't want visitors only see
> Bad Request).
>
> I have rewriter to redirect all url to my php page. But the IIS
> reports to the browser "Bad Request" even before reaching the
> rewriter. After uninstalling the rewriter, IIS doesn't give 404 error,
> always 400 bad request.
>
> Someone told me it may be related to ASP.net. I tried to disable
> ASP.NET, uninstall it or set the VerificationCompatibility value in
> the registry. None of these works. I don't think it's really related
> to ASP.NET
>
> Need help about this. Thanks a lot!
>
> IIS on Web-Server 2003 with latest service packs and paches.
>
> Steve


Top

Re: How to get rid of IIS 400 Bad Request Error by stevej99

stevej99
Tue Mar 11 20:11:33 CDT 2008

Thank you! Set AllowRestrictedChars to 1 did solve the problem.
Top

Re: How to get rid of IIS 400 Bad Request Error by David

David
Tue Mar 11 22:24:09 CDT 2008

On Mar 11, 6:11=A0pm, stevej99 <stevej994...@gmail.com> wrote:
> Thank you! Set AllowRestrictedChars to 1 did solve the problem.


Personally, I think it is a bad idea to turn off verifications inside
of HTTP.SYS that reject requests with 400 Bad Request. Why?

Because people sending bad requests to you are hardly the visitors you
care about being "nice". You don't want those hackers to take up more
CPU cycles and computer resources with Bad requests that get through
to user-mode, and HTTP.SYS rejects a lot of them right at the door. By
letting these values into the user-mode worker process, you simply
increase the chances of your own code or some other server-side add-on
at being attacked/hack.

And if there URLs come from links that you control -- you should fix
your pages, not make the error pages look nicer.

In short, trying to look pretty for the hacker attacking you while
making yourself more vulnerable to their attacks because of vanity
over "400 Bad request" -- simply does not look like a win-win for you,
in my opinion. But hey, it's your website. PHP is so secure and
unhackable that you can risk this... NOT.


//David
http:/ww3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Top