Security Breach or bad config


Hello,

I came across a problem which seems to me to be a security breach in IIS7.5 (with the rewrite module).

According to my investigation: if you have an IIS7.5 with RewriteModule installed and a default CanonicalHostNameRule configured, you can take down the website (310 too many redirects) by doing 5 or 6 consecutive GETs as follows:

GET / HTTP/1.0
User-Agent: Whatever
Host: www.yoursite.com:80

Please note that in order to reproduce it, it is vital to specify the port number and the 1.0 HTTP protocol.

I wrote a little more about it here: http://vdash.wordpress.com/2013/06/06/iis7-5-310-too-many-redirects/ 

I used Fiddler to reproduce the GET requests.

I would like to ask anyone with an IIS7.5 at hand to try this to figure out whether we are really dealing with a security hole.

All our IIS servers had the same problem.

In Fiddler, disable "follow redirects", and if you get straight 200 OKs instead of 301s, try waiting a few minutes, as sometimes your browser caches the redirections.

FYI: I fixed the issue by simply bypassing the rule if the protocol is 1.0 (ugly but effective, as I couldn't think of a better solution).

Thanks,

Roberto.
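An added example, not from the post or from Microsoft: a web.config fragment showing the stock canonical host name rule as the URL Rewrite wizard generates it (weak form), beside a variant that tolerates an explicit :80 in the Host header and additionally mirrors the poster's own workaround of skipping the rule for HTTP/1.0 clients. www.yoursite.com is a placeholder for the real host; the rule names are assumed.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Weak form: the default wizard rule. A request whose Host header is
             "www.yoursite.com:80" does not match the pattern, so it is
             redirected to the canonical name; a client that keeps resending
             the same Host header is bounced again, producing the loop. -->
        <rule name="CanonicalHostNameRule1" stopProcessing="true" enabled="false">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^www\.yoursite\.com$" negate="true" />
          </conditions>
          <action type="Redirect" url="http://www.yoursite.com/{R:1}" redirectType="Permanent" />
        </rule>

        <!-- Corrected form: accept the host with or without an explicit :80,
             so a Host of "www.yoursite.com:80" is already canonical and no
             redirect is issued. -->
        <rule name="CanonicalHostNameRule_Fixed" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="^www\.yoursite\.com(:80)?$" negate="true" />
            <!-- Poster's workaround, kept as belt and braces: never redirect
                 HTTP/1.0 clients. SERVER_PROTOCOL is a standard IIS server variable. -->
            <add input="{SERVER_PROTOCOL}" pattern="^HTTP/1\.0$" negate="true" />
          </conditions>
          <action type="Redirect" url="http://www.yoursite.com/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Only one of the two rules should be enabled on a real server; the weak one is left disabled here so the fragment can be dropped in for comparison.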
