iis – Error (403): Forbidden

As a background, I'm mainly an embedded developer and was hired to make a simple change to one of our company's web applications. The application is an ASP.NET application (originally developed with Visual Studio 2010) running on Windows Server 2012. I am trying to modify / debug the code on my local Windows 10 computer with Visual Studio 2017.

When I try to run the application locally on Visual Studio 2017, Visual Studio displays a message that debugging on the Web server can not be started. The remote server returned an error: (403) Forbidden. "

I have tried several things, such as For example, grant IIS_USR and Network Service permissions to my path. The following is logged in C: inetpub logs LogFiles W3SVC1:

2019-10-15 15:07:14 :: 1 DEBUG /ECNAD/DebugAttach.aspx – 80 – :: 1 – – 403 0 0 1249
2019-10-15 15:15:46 :: 1 DEBUG /ECNAD/DebugAttach.aspx – 80 – :: 1 – – 403 0 0 39

I would be very happy to receive any help to run this web application locally.

Thank you in advance.

Sampling of a uniform distribution of fixed-size strings containing no forbidden substrings

Suppose the alphabet is $ {a, b } $and you have a forbidden word $ aa $, Suppose we try to generate a word of length 3. The first two letters are evenly distributed $ ab, ba, bb $, Therefore, the first letter has the following distribution: $ a $ with probability $ 1/3 $. $ b $ with probability $ 2/3 $, In contrast, the allowed words
aba, abb, bab, bba, bbb.

So the first letter should have the distribution $ a $ with probability $ 2/5 $. $ b $ with probability $ 3/5 $,

Here is an algorithm that works. Create a DFA (or UFA) for your language. For every state $ q $With dynamic programming, you can count how many words are long $ m $ are accepted when the machine is restarted $ q $, Let us denote this $ c (q, m) $,

The correct distribution of the first letter $ sigma_1 $ from a word of length $ n $ is in the language
Pr ( sigma_1 = sigma) = frac {c ( delta (q_0, sigma), n-1)} {c (q_0, n)}.

Quite generally in the face of the first $ ell $ letters $ sigma_1 ldots sigma_ ell $The following letter has the distribution
Pr ( sigma_ { ell + 1} = sigma mid sigma_1 ldots sigma_ ell) = frac {c ( delta (q_0, sigma_1 ldots sigma_ ell sigma), n – ell-1)} {c ( delta (q_0, sigma_1 ldots sigma_ ell), n- ell)}.

If you ignore the cost of arithmetic, you can roughly implement this scheme $ O (| Q | n) $, Where $ Q $ is the set of states or in $ O (| Sigma | n ^ 2) $, (The former assuming that $ | Q | = Omega (| Sigma |) $.)

As an example, consider the above counter example. We construct a two-state DFA (we can omit the sink state to get a UFA) $ q_0, q_1 $, The transition function is $ Delta (q_0, a) = q_1 $. $ Delta (q_0, b) = q_0 $. $ Delta (q_1, b) = q_0 $, The relevant values ​​of $ c $ are
begin {array} {c | cc}
n & c (q_0, n) & c (q_1, n) \ hline
0 & 1 & 1 \
1 & 2 & 1 \
2 & 3 & 2 \
3 & 5 & 3
end {array}

These are calculated by the repetitions $ c (q_0, n) = c (q_0, n-1) + c (q_1, n-1) $ and $ c (q_1, n) = c (q_0, n-1) $with basic housing $ c (q, 0) = 1 $,

Since $ Delta (q_0, a) = q_1 $ and $ Delta (q_0, b) = q_0 $we see that (eg $ n = 3 $) $ Pr ( sigma_1 = a) = c (q_1,2) / c (q_0,3) = 2/5 $ and $ Pr ( sigma_1 = b) = c (q_0,2) / c (q_0,3) = 3/5 $,

The results of the web application pen test include a file from a forbidden directory that is not even used or referenced

Brute force Scanner

Many automatic scanners bypass locked directory listings by looking for "bruteforce" files. This means that they are looking for additional files whose names are similar to those of the existing files (ie. filename.js1 and files that are not referenced at all (aka secret.txt). If you happen to have a file whose name is on the bruteforced list and which is in an accessible directory, it will be found, regardless of whether the "directory listing" is enabled or not

It's worth noting that hackers do the same, so this is a real problem. If something is in a publicly accessible directory, you should generally think that it is found. So if you do not want it to be public, you need to keep it away from public directories – disabling the directory list offers very little security.

Real weaknesses

In the end, this does not seem to be a big problem (and probably is not), but leaving backups of javascript files in public directories is generally a bad idea. When it comes to XSS, an attacker generally has the most success if he can exploit a javascript file hosted on the same domain. This is because this provides the opportunity to bypass a CSP or other "security firewalls". If an older Javascript file contains a vulnerability that was fixed in a later release, and an attacker has found a way to force the user's browser to load the older Javascript file, it may be linked to a more malicious vulnerability. This may seem far-fetched, but how many of the worst security holes happen when many small vulnerabilities are grouped together into one larger one?

tl / dr: If something is hosted by your website but has none
Reason to be there, then it is a liability. Kill it with prejudice.

xampp – How do I solve 403 Forbidden Error in Apache?

I work server side and had a problem. I use XAMPP and Apache server in my server. First I buy a static IP and open the port for everyone.

I can succeed if: "http: // {StaticIP} / api / NewsJson", But if I try "https: // {StaticIP} / api / NewsJson"I take 403 errors in the browser. I search and find a few solutions.

First, I change the line "xampp apache conf extra httpd-xampp" Folder. I change the locally granted change requires all granted.

ScriptAlias /php-cgi/ "C:/xampp/php/"

    AllowOverride None
    Options None
    Require all granted
          Require all granted

        SetHandler cgi-script
        SetHandler None

        Require all granted
            php_admin_flag safe_mode off
    AllowOverride AuthConfig

    Alias /licenses "C:/xampp/licenses/"
        Options +Indexes
            DirectoryIndexTextColor  "#000000"
            DirectoryIndexBGColor "#f8e8a0"
            DirectoryIndexLinkColor "#bb3902"
            DirectoryIndexVLinkColor "#bb3902"
            DirectoryIndexALinkColor "#bb3902"
    Require all granted
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var

    Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
        AllowOverride AuthConfig
    Require all granted
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var

    Alias /webalizer "C:/xampp/webalizer/"
                php_admin_flag safe_mode off
        AllowOverride AuthConfig
    Require all granted
        ErrorDocument 403 /error/XAMPP_FORBIDDEN.html.var

Then I add this line "xampp apache conf extra httpd-vhosts" Folder.

    DocumentRoot "C:/xampp/htdocs/api/NewsJson"
    ServerName 192.168.*.** (My Server IP)
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted

And I change mine ".Htaccess" Folder.

RewriteEngine On
RewriteRule NewsJson.html$ NewsJson.php (L)

If I change it, I have Apache closed and reopened. But I still take 403 banned errors. What can I solve this problem?

kubernetes – Forbidden to empty users "" cubic

That's the command

kubectl --namespace=somenamespace   exec -it test sh
Error from server (Forbidden): pods "test" is forbidden: User "" cannot create resource 

There's my kube config

      apiVersion: client.authentication.k8s.io/v1alpha1
      - name: AWS_PROFILE
        value: "test" # refers to aws profile test located in ~/.aws/config,
      command: aws-iam-authenticator
      - "token"
      - "-i"
      - "qa"

aws config is

(profile test)
role_arn = arn:aws:iam::66776776:role/AssumeRoleReadOnly
source_profile = sso
region = us-east-1

I do not understand why the user is empty "" and I have received a forbidden error

linux – Replaces Python for function checking for forbidden characters

I have "blackbox" with the following python function code (without permission to change it):

def exec_ping():
    forbidden = ('&', ';', '-', '`', '||', '|')
    command = input('Enter an IP: ')
    for i in forbidden:
        if i in command:
            print('Invalid characters')
    os.system('ping ' + command)

I would like to execute this function with the following command input:

-c 1 localhost; whoami;

For this command to execute:

ping -c 1 localhost; whoami;

How can I bypass the check for forbidden characters? Can I use other characters / encodings?

sharepoint online – App step Forbidden error message – Update the SP Designer 2013 permission group

When I try to run a Designer 2013 workflow with an app step, my log displays the following results:

25.07.2013 16:20 clock
HRO ID: i: 0 # .f | Membership | bob@bob.gov
25.07.2013 16:20 clock
{"__metadata": {"type": "SP.User"}, "LoginName": "i: 0 # .f | membership | bob@bob.gov"}
25.07.2013 16:20 clock
*** Add User Response Code: Forbidden

I've configured my site to allow app steps. I can create them in my designer workflows and publish them successfully. I know that the URL I am passing the REST call to is correct. When I paste the URL directly into my browser, a successful result is displayed that lists the actual members of the permission group that I want to update.

What should I look for in configurations to fix this?

sharepoint online – Apply-PnPProvisioningTemplate (403) Forbidden, there is no web named "/SiteURLName/_vti_bin/sites.asmx"

Stack Exchange network

The Stack Exchange network consists of 176 Q & A communities, including Stack Overflow, the largest and most trusted online community where developers can learn, share, and build a career.

Visit Stack Exchange

Forbidden (403) CSRF validation failed. Request canceled.


I have fiber and run a home server that points to my URL zyngalu.com

I'm learning PHP and have my first input form on my page. I use both Chrome and Firefox to check my website.

On average, Chrome emits this error every fifth time I use the form. (see below)
I'm not sure if Chrome does this or Apache. Either way, I want to eliminate it.

My website does not use cookies …

Any help gratefully received.