Discussion:
How to get rid of IIS 400 Bad Request Error
stevej99
2008-03-11 23:05:05 UTC
I found some bad request errors in the HTTPERR directory.

One sample URL is http://host/%E3%83%90%E3%83%B3%E3%82%AF%E3%82%B7%E3%82%B9%E3%83%86%E3%83%20.htm
(This may not be a good URL, but I really don't want visitors to see only
Bad Request).

I have a rewriter to redirect all URLs to my PHP page. But IIS
reports "Bad Request" to the browser even before reaching the
rewriter. After uninstalling the rewriter, IIS doesn't give a 404 error,
always 400 Bad Request.

Someone told me it may be related to ASP.NET. I tried to disable
ASP.NET, uninstall it or set the VerificationCompatibility value in
the registry. None of these work. I don't think it's really related
to ASP.NET.

Need help with this. Thanks a lot!

IIS on Web-Server 2003 with latest service packs and patches.

Steve
Tiago Halm
2008-03-11 23:51:05 UTC
That is HTTP.sys, the kernel driver which accepts all incoming HTTP calls,
blocking the malformed HTTP request. You should look into the possible
registry settings for the driver to check where/if you can customize its
behavior.

http://support.microsoft.com/kb/820129

Tiago Halm
stevej99
2008-03-12 01:11:33 UTC
Thank you! Setting AllowRestrictedChars to 1 did solve the problem.
David Wang
2008-03-12 03:24:09 UTC
Post by stevej99
Thank you! Setting AllowRestrictedChars to 1 did solve the problem.
Personally, I think it is a bad idea to turn off verifications inside
of HTTP.SYS that reject requests with 400 Bad Request. Why?

Because people sending bad requests to you are hardly the visitors you
care about being "nice" to. You don't want those hackers to take up more
CPU cycles and computer resources with bad requests that get through
to user-mode, and HTTP.SYS rejects a lot of them right at the door. By
letting these values into the user-mode worker process, you simply
increase the chances of your own code or some other server-side add-on
being attacked/hacked.

And if these URLs come from links that you control -- you should fix
your pages, not make the error pages look nicer.

In short, trying to look pretty for the hacker attacking you while
making yourself more vulnerable to their attacks because of vanity
over "400 Bad request" -- simply does not look like a win-win for you,
in my opinion. But hey, it's your website. PHP is so secure and
unhackable that you can risk this... NOT.


//David
http:/ww3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
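
The sample URL in this thread ends in `%E3%83%20`: the first two bytes of a three-byte UTF-8 character followed by a space. The following is an added example, not code from any poster, for finding such links in your own pages so they can be fixed at the source. The function names are hypothetical and the checks do not reproduce HTTP.sys's exact validation rules.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# A '%' that is not followed by exactly two hex digits.
_BROKEN_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def _is_control(ch):
    """True for control characters U+0000-U+001F and U+007F-U+009F."""
    cp = ord(ch)
    return cp <= 0x1F or 0x7F <= cp <= 0x9F


def check_url_path(url):
    """Return a list of problems in the percent-encoded path of `url`.

    An empty list means the path decodes to clean UTF-8 text.
    """
    path = urlsplit(url).path
    if _BROKEN_ESCAPE.search(path):
        return ["malformed percent-escape"]
    raw = unquote_to_bytes(path)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Report the offending bytes so the link can be traced and fixed.
        bad = raw[exc.start:exc.end].hex()
        return [f"invalid UTF-8 at byte {exc.start}: {bad}"]
    return [f"control character U+{ord(c):04X}" for c in text if _is_control(c)]


if __name__ == "__main__":
    samples = [
        # URL quoted in the thread
        "http://host/%E3%83%90%E3%83%B3%E3%82%AF%E3%82%B7"
        "%E3%82%B9%E3%83%86%E3%83%20.htm",
        # Constructed samples: well-formed, escaped line feed, bare '%'
        "http://host/%E3%83%90%E3%83%B3%E3%82%AF.htm",
        "http://host/a%0Ab.htm",
        "http://host/100%.htm",
    ]
    for url in samples:
        print(url, "->", check_url_path(url) or "ok")
```

Run it over the hrefs extracted from your own pages; any URL that reports a problem is a candidate for the kind of link David Wang suggests fixing rather than loosening the server.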
c***@gmail.com
2012-08-05 01:06:12 UTC
b***@gmail.com
2015-04-03 17:53:59 UTC
GET RID OF 400 BAD REQUEST OR GOODBYE GOOGLE