The Request Smuggling filter must be enabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268325 | IIST-SV-000220 | SV-268325r1025163_rule | Medium |
| Description |
| Security scans show Request Smuggling vulnerability on IIS server. The vulnerability allows a remote attacker to perform HTTP request smuggling attack. The vulnerability exists due to the way that HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources. A remote attacker can send a specially crafted request to a targeted IIS Server, perform HTTP request smuggling attack and modify responses or retrieve information from another user's HTTP session. |
| STIG | Date |
| Microsoft IIS 10.0 Server Security Technical Implementation Guide | 2025-06-11 |
Details
| Check Text (C-72355r1025161_chk) |
| Open Registry Editor. Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters" Verify "DisableRequestSmuggling” is set to "1". If REG_DWORD DisableRequestSmuggling is not set to 1, this is a finding. |
| Fix Text (F-72256r1025162_fix) |
| Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters". Create REG_DWORD "DisableRequestSmuggling” and set it to "1". Note: This can be performed multiple ways; this is an example. |