Request Filtering

  • The <filteringRules> config element is used to specify a collection of filtering rules
  • Site admins can create custom filtering rules for their server
  • This is useful for blocking content leeching and reducing the risk from SQL injection attempts
  • A 404.19 (Denied by filtering rule) error is returned when request filtering blocks an HTTP request because of a filtering rule

Filtering Rules Attributes

  • denyUnescapedPercent - specifies whether a request should be denied when it contains percent symbols that are not escaped
  • scanAllRaw - specifies whether the raw headers are scanned for the strings in the denyStrings element
  • scanQueryString - specifies whether a second scan is performed on the query string
  • scanUrl - specifies whether the URL is scanned for the strings in the denyStrings element

Filtering Rules Child Elements

  • <appliesTo> - specifies the list of file name extensions to which the request filtering rule applies. If this section is blank, the rule applies to all requests
  • <denyStrings> - specifies the list of strings to deny for the request filtering rule
  • <scanHeaders> - specifies the list of HTTP headers to scan

Configuration

  • Place the <filteringRules> config element in the web.config file at the root folder of your site when setting up rules for a single site
  • Place the <filteringRules> config element in the applicationHost.config file at C:\Windows\System32\inetsrv\config when setting up rules at the IIS level for all sites

<system.webServer>
  <security>
    <requestFiltering>
      <filteringRules>
        <filteringRule name="Block Image Leeching" scanUrl="false" scanQueryString="false" scanAllRaw="false">
          <scanHeaders>
            <add requestHeader="User-agent" />
          </scanHeaders>
          <appliesTo>
            <add fileExtension=".gif" />
            <add fileExtension=".jpg" />
            <add fileExtension=".png" />
          </appliesTo>
          <denyStrings>
            <add string="leech-bot" />
          </denyStrings>
        </filteringRule>
      </filteringRules>
    </requestFiltering>
  </security>
</system.webServer>
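As an added example (not part of the original page), the Python model below reads the filteringRules fragment above and shows which requests the rule would deny with 404.19 and which it lets through; it also models scanUrl, scanQueryString, scanAllRaw and denyUnescapedPercent so the effect of flipping each attribute can be checked. Case-insensitive substring matching and the "Name: value" layout used for the raw header scan are assumptions, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET
from os.path import splitext

# Constructed copy of the page's web.config fragment (same rule and attributes).
CONFIG = """<system.webServer><security><requestFiltering><filteringRules>
<filteringRule name="Block Image Leeching" scanUrl="false" scanQueryString="false" scanAllRaw="false">
  <scanHeaders><add requestHeader="User-agent" /></scanHeaders>
  <appliesTo><add fileExtension=".gif" /><add fileExtension=".jpg" /><add fileExtension=".png" /></appliesTo>
  <denyStrings><add string="leech-bot" /></denyStrings>
</filteringRule>
</filteringRules></requestFiltering></security></system.webServer>"""

def _flag(elem, attr):
    # boolean attributes are treated as false when absent (assumption)
    return elem.get(attr, "false").lower() == "true"

def load_rules(xml_text):
    """Read each <filteringRule> into a dict of its attributes and child lists."""
    rules = []
    for r in ET.fromstring(xml_text).iter("filteringRule"):
        rules.append({
            "name": r.get("name"),
            "scanUrl": _flag(r, "scanUrl"),
            "scanQueryString": _flag(r, "scanQueryString"),
            "scanAllRaw": _flag(r, "scanAllRaw"),
            "denyUnescapedPercent": _flag(r, "denyUnescapedPercent"),
            "extensions": {e.get("fileExtension").lower() for e in r.findall("appliesTo/add")},
            "headers": {h.get("requestHeader").lower() for h in r.findall("scanHeaders/add")},
            "deny": [d.get("string").lower() for d in r.findall("denyStrings/add")],
        })
    return rules

def evaluate(rules, path, query, headers):
    """Return ('404.19', rule name) if a rule denies the request, else ('200', None).
    Deny strings are matched as case-insensitive substrings (an assumption)."""
    ext, lowered = splitext(path)[1].lower(), {k.lower(): v for k, v in headers.items()}
    for rule in rules:
        if rule["extensions"] and ext not in rule["extensions"]:
            continue  # a non-empty <appliesTo> limits the rule to the listed extensions
        if rule["denyUnescapedPercent"] and re.search(r"%(?![0-9A-Fa-f]{2})", path + query):
            return "404.19", rule["name"]
        targets = [lowered.get(h, "") for h in rule["headers"]]  # <scanHeaders> values
        targets += [v for flag, v in (("scanUrl", path), ("scanQueryString", query)) if rule[flag]]
        if rule["scanAllRaw"]:  # raw header block, modelled here as "Name: value" lines
            targets.append("\r\n".join(f"{k}: {v}" for k, v in headers.items()))
        if any(s in "\n".join(targets).lower() for s in rule["deny"]):
            return "404.19", rule["name"]
    return "200", None
```

With the page's rule, the same User-Agent requesting /index.html passes because <appliesTo> restricts the rule to the three image extensions, and a deny string placed in the query string passes because scanQueryString is false.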
