This is highlighted in ivanr 's talk from a while ago -- but I don't think we'll see this pattern very frequently in requests and as a result we can attempt to block these.
Examples for regressions:
GET /ADMIN~1.ASP
GET /admin~2.ASP
GET /bob~1.html
There MAY be some false positives here because these are in fact legit files and my understanding from the microsoft link below is that files with the same name will be appended the ~\d extension.
Issue originally created by user csanders-git on date 2016-08-09 12:56:30. Link to original issue: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/494.
This is highlighted in ivanr 's talk from a while ago -- but I don't think we'll see this pattern very frequently in requests and as a result we can attempt to block these.
Examples for regressions:
There MAY be some false positives here because these are in fact legit files and my understanding from the microsoft link below is that files with the same name will be appended the ~\d extension.
https://blog.qualys.com/wp-content/uploads/2012/08/Protocol-Level%20Evasion%20of%20Web%20Application%20Firewalls%20(Ivan%20Ristic,%20Qualys,%20Black%20Hat%20USA%202012)%20SLIDES.pdf
More Information https://support.microsoft.com/en-us/kb/142982
There may also be some interest in blocking uploads with these extensions -- not quite sure this is necessary
An example regex