IIS 7.5 and IIS 8.0 European Hosting

BLOG about IIS 7.5 Hosting, IIS 8.0 Hosting and Its Technology - Dedicated to European Windows Hosting Customer

European IIS 10 Hosting - HostForLIFE.eu :: How to Fixing Common Errors While Hosting Web API In IIS?

clock February 9, 2017 08:46 by author Peter

While publishing Web API using Visual Studio, you may run into some errors. This article helps to provide the solution to the possible errors that will occur. When you publish the Web API from Visual Studio, the following error may possibly come up.

Output class library not set error while hosting web API
OutputPath property is not set for project 'Company.Directory.Web.csproj'. Please check to make sure that you have specified a valid combination of Configuration and Platform for this project. Configuration=Release Platform='AnyCPU'. You may be seeing this message because you are trying to build a project without a solution file, and have specified a non-default Configuration or Platform that doesn't exist for this project.

Solution

When you try to publish for the first time, one of the reasons for the above error to pop up is due to the incorrect settings in .csproj.user file of the solution.

Open the .csproj.user file in the solution and change the settings in the file.

Add the following code in the file.
    <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' "> 
        <DebugSymbols>true</DebugSymbols> 
        <DebugType>full</DebugType> 
        <Optimize>false</Optimize> 
        <OutputPath>bin\</OutputPath> 
        <DefineConstants>DEBUG;TRACE</DefineConstants> 
        <ErrorReport>prompt</ErrorReport> 
        <WarningLevel>4</WarningLevel> 
    </PropertyGroup> 
    <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' "> 
        <DebugType>pdbonly</DebugType> 
        <Optimize>true</Optimize> 
        <OutputPath>bin\</OutputPath> 
        <DefineConstants>TRACE</DefineConstants> 
        <ErrorReport>prompt</ErrorReport> 
        <WarningLevel>4</WarningLevel> 
    </PropertyGroup> 
    <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Dev|AnyCPU'"> 
        <DebugSymbols>true</DebugSymbols> 
        <OutputPath>bin\</OutputPath> 
        <DefineConstants>DEBUG;TRACE</DefineConstants> 
        <DebugType>full</DebugType> 
        <PlatformTarget>AnyCPU</PlatformTarget> 
        <ErrorReport>prompt</ErrorReport> 
        <CodeAnalysisIgnoreBuiltInRuleSets>false</CodeAnalysisIgnoreBuiltInRuleSets> 
        <CodeAnalysisIgnoreBuiltInRules>false</CodeAnalysisIgnoreBuiltInRules> 
        <DeployIisAppPath>Port 80/directory/dev</DeployIisAppPath> 
    </PropertyGroup> 

Solution to 500.19 internal server error while hosting Web API


Solution

The above error will pop up when you do not have the permission to access the folder/web.config file.

  •     In Windows Explorer, locate the web.config file that is associated with the Web site.
  •     Right-click the web.config file
  •     Click Properties.
  •     Click the Security tab, and then click Edit.
  •     Click Add.
  •     In the Enter the object names to select box, IUSR, click Check Names, and then click OK.
  •     Click to select the Read check box, and then click OK.
  •     In the Web.config Properties dialog box, click OK.


Solution to 500.21 internal server error while hosting Web API


Solution

One of the reasons for the error 500.21 Internal Server Error to pop up, is when ASP.NET is not installed completely in your system.
    Run the command prompt as administrator.
    Type the line in the command prompt below any one.

    %windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i
    or
    %windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -I


Solution to login for application pool access error is denied while hosting Web API


Solution

Create the application pool in IIS by selecting the .NET version which your project supports. When creating the site in the default application in IIS for Web API, select the application pool which you have created. The above error will pop up if the application pool which you have created has a built in account selected.

For reference - go to: "Advanced Setting->Process->Identity” of the application pool which you have created. Change the application pool identity to custom account and click on set button to provide the account credentials. Once you have set the setting, refresh/reset IIS to resolve the above error.

Access Denied Error while hosting Web API

Solution
The above error will pop up if the solution directory (folder) doesn’t have required permissions.
To resolve the issue follow the steps given in “500.19 : internal server error”.

 



European IIS 10 Hosting - HostForLIFE.eu :: How to Block SQL Injection On IIS 7 And Later Versions?

clock January 23, 2017 10:06 by author Peter

The discussion is specific to IIS 7 and later versions. Let's start with version IIS 7.0. It has a built-in feature that is able to filter HTTP requests. If a request is found to have contents which are unacceptable to process the request, then it will block such request there, before proceeding to process a request by a web application. This feature is useful as a mitigation technique, for such SQL Injection vulnerabilities.

Prerequisite

At first, verify the IIS version that you are using currently. If you are using earlier than IIS 7.0, then update with the latest version before applying the following configuration.

Configuring the Request Filter

To create a global filtering rule for SQL Injection, we should follow the below steps:

Step 1
Open the run window by pressing keyboard key Windows key + R and copy and paste the following code
%systemroot%\system32\inetsrv\config\applicationhost.config
 
It will open the applicationhost.config file.

Step 2

In the applicationhost.config file, identify <requestFiltering> section. Under this section, configure for the reserve keywords or reserved special characters, like DELETE, CREATE, UPDATE, INSERT, --,',/* etc. in <denyStrings> section.
Configure the file extensions for which IIS server needs to be validated. The sample code is shown below:

Step 3

Now, to save the file, go to the File menu and choose Save option.

How  does the above configuration behave in the IIS server?


With the above configuration settings, first of all, IIS will look at each incoming request for pages with .html, .aspx, or .asp extensions, to search for specific strings in the request's Query String. If the IIS server finds the specified strings, then IIS will block the request and return a 404: Not Found page to the client.
 
If you want to add a new file extension or change the existing file extensions in applicationhost.config file, you can add/remove the required file extensions in file Extension tags which lies in the <appliesTo> section. Whatever strings you are placing in the <denyStrings> section, the IIS looks for those strings. If it finds those, then it will block the request and return 404 error page to the client. You can add a new string, remove the existing string,  or change the existing string, in the <denyStrings> section.

In fact, in IIS server, you may have hosted many web applications which are running in parallel.
 
Let's say, for one of the web applications, you don't want to deny any string for the incoming request. How will you handle such  a scenario?
 
It is very simple. Create a rule in your application's config file, for which, you want to allow all such strings. If you create a rule in the application's config file, it will override the applicationhost.config file's rule. For instance, if you want to allow the string "end" for only a few applications,  and for the rest of the applications, you want to deny such a string, then follow the below steps:

Step 1: Remove the <add string="end" /> entry from applicationhost.config file.

Step 2: Add the below code into the application's config file where you want to restrict the string "end":

Make a note --  the name for the filteringRule tag must and should be unique and it should not conflict with a name which is in the applicationhost.config file or/and the same name with any other web.config files in the path. And, it is also possible to limit the scope of filtering rules using location tags.

Procedure to check logs for SQL Injection attempts

You can check the SQL injection attempt logs in IIS W3SVC logs section. filteringRule rejects such SQL injection attempts and responds with a 404 status and with a substatus 19. You have to check these logs periodically to make sure that your rule is blocking such SQL Injections for the legitimate requests.

After the configuration changes made in the applicationhost file, if you give the followingURL request in your browser, the following output will show:

http://localhost/OWASP.UI/UnvalidatedRedirectsForwards/ValidatedRedirectsForwards.aspx?returnUrl=http://www.flipkart.com/--

Output

HostForLIFE.eu IIS 10 Hosting
HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes.

 

 



About HostForLIFE.eu

HostForLIFE.eu is European Windows Hosting Provider which focuses on Windows Platform only. We deliver on-demand hosting solutions including Shared hosting, Reseller Hosting, Cloud Hosting, Dedicated Servers, and IT as a Service for companies of all sizes.

We have offered the latest Windows 2012 Hosting, ASP.NET 4.5 Hosting, ASP.NET MVC 5 Hosting, and SQL 2014 Hosting.

Tag cloud

Sign in