Test code

Many snippets around just send simple headers to target server and try to determine the vulnerability. If the request is served by .net engine as a script, the respond may not contain vulnerability information. To be sure, the test request must be sent to a static file. Otherwise many servers which are vulnerable may be considered indeterminate.

See our code in Gist.

Disclaimer

Although our test request doesn't seem to harm any target server. We are not responsible for future unexpected behaviour.