The Request Smuggling filter must be enabled.

STIG ID: IIST-SV-000220  |  SRG: SRG-APP-000141-WSR-000015 |  Severity: medium |  CCI: CCI-000381 |  Vulnerability Id: V-268325 | 

Vulnerability Discussion

Security scans show Request Smuggling vulnerability on IIS server.

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to the way that HTTP proxies (front-end) and web servers (back-end) that do not strictly adhere to RFC standards handle sequences of HTTP requests received from multiple sources. A remote attacker can send a specially crafted request to a targeted IIS Server, perform HTTP request smuggling attack and modify responses or retrieve information from another user's HTTP session.

Check

Open Registry Editor.
Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters"
Verify "DisableRequestSmuggling” is set to "1".

If REG_DWORD DisableRequestSmuggling is not set to 1, this is a finding.

Fix

Navigate to "HKLM\System\CurrentControlSet\Services\HTTP\Parameters".
Create REG_DWORD "DisableRequestSmuggling” and set it to "1".

Note: This can be performed multiple ways; this is an example.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.