Other posts in this series (Request Filtering for ASP.NET Core applications):

Part 2 - Building Abstractions & Implementations APIs (September, 2016)
Part 3 - Integrating with ASP.NET Pipeline
Part 4 - Extending the Request Filtering Rules

Request Filtering in ASP.NET Core: Part 1 - Overview

What is Request Filtering?

Request Filtering is the process of scanning incoming HTTP requests on the server side and applying a set of rules that you configure, so that requests are filtered before they are served to clients. Request Filtering is very helpful for preventing harmful requests from reaching the application.

For Internet Information Services (IIS) administrators, Request Filtering is a built-in security feature that was introduced in IIS 7.0 and replaces much of the functionality that was previously available through the UrlScan add-on for IIS 6.0.

UrlScan was a security tool provided as an add-on to earlier versions of IIS, so that administrators could enforce tighter security policies on their web servers.

In IIS 7 and above, all the core features of UrlScan have been incorporated into a module called Request Filtering, and a Hidden Segments feature has been added. The sections below walk through the rules it offers, each with its web.config representation.

Filter based on File Extensions

This feature defines the set of file extensions that IIS serves. With allowUnlisted="true", every extension is served except those explicitly marked as not allowed:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <fileExtensions allowUnlisted="true">
              <add fileExtension=".psd" allowed="false"/>
            </fileExtensions>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

Filter by Verbs

This feature defines the list of HTTP verbs that IIS accepts as part of a request. With allowUnlisted="false", any verb that is not listed is rejected:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <verbs allowUnlisted="false">
              <add verb="GET" allowed="true"/>
            </verbs>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

Filter Based on URL Sequences

This feature defines a list of character sequences that IIS rejects when one of them appears in the request URL:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <denyUrlSequences>
              <add sequence=".."/>
            </denyUrlSequences>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

Filter Based on Query Strings

This feature defines which query strings IIS accepts as part of a request: a list of denied query string sequences, plus a list of complete query strings that are always allowed even though they contain a denied sequence:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <denyQueryStringSequences>
              <add sequence="bad"/>
              <add sequence="sequence"/>
            </denyQueryStringSequences>
            <alwaysAllowedQueryStrings>
              <add queryString="bad=sequence"/>
            </alwaysAllowedQueryStrings>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

Filter Out Hidden Segments

This feature allows you to reject requests whose URL contains a given segment, for example the BIN directory:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <hiddenSegments>
              <add segment="BIN"/>
            </hiddenSegments>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

Filter based on Request Limits

This feature allows you to define size limits for a request, such as the content length, the URL length, the query string length and the size of individual HTTP request headers, so that IIS rejects any request that exceeds a limit:

    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <requestLimits maxAllowedContentLength="30000000" maxUrl="260" maxQueryString="25"/>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

Hint: the available filter rules may differ depending on the IIS version.

Request Filter Logging

When Request Filtering blocks an HTTP request, IIS returns a plain HTTP 404 error to the client and logs the HTTP status together with a unique substatus that identifies the reason the request was denied. The client never sees the substatus, which avoids telling a sender which rule it tripped, while the server log keeps the detail needed for troubleshooting and detection.

The following table shows the request filter error codes that you see in the log:

HTTP Status Code    Error Description
404.5               URL Sequence Denied
404.6               Verb Denied
404.7               File Extension Denied
404.8               Hidden Segment
404.10              Request Header Too Long
404.11              URL Double Escaped
404.12              URL Has High Bit Chars
404.13              Content Length Too Large
404.14              URL Too Long
404.15              Query String Too Long
404.18              Query String Sequence Denied
404.19              Denied by Filtering Rule

Having looked at what the IIS Request Filtering module offers, I'm writing this series with the intent of bringing some, or all, of its functionality to ASP.NET Core, which will of course be very handy in security scenarios. It would be nice to have such a feature built into ASP.NET Core as a pluggable middleware, instead of writing your own middleware every time.
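To give a concrete picture of the idea, here is an added example (not code from this series or from IIS) of a minimal ASP.NET Core middleware that applies a handful of the rules above and mirrors the IIS behaviour of answering with a bare 404 while keeping the substatus in the server log. The class name, rule values and log format are assumptions for the illustration; the sample values are taken from the IIS snippets above and the alwaysAllowedQueryStrings exception is not implemented.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

// Added example, not code from the series: a minimal middleware applying
// IIS-style request filtering rules. All rule values are assumed for illustration.
public class RequestFilteringMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<RequestFilteringMiddleware> _logger;

    // Constructed sample rules mirroring the IIS <requestFiltering> sections above.
    private static readonly string[] AllowedVerbs = { "GET", "POST", "HEAD" };
    private static readonly string[] DeniedExtensions = { ".psd" };
    private static readonly string[] DeniedUrlSequences = { ".." };
    private static readonly string[] HiddenSegments = { "bin" };
    private static readonly string[] DeniedQuerySequences = { "bad", "sequence" };
    private const int MaxUrlLength = 260;
    private const int MaxQueryStringLength = 25;
    private const long MaxContentLength = 30000000;

    public RequestFilteringMiddleware(RequestDelegate next, ILogger<RequestFilteringMiddleware> logger)
    { _next = next; _logger = logger; }

    public async Task InvokeAsync(HttpContext context)
    {
        var req = context.Request;
        string path = req.Path.Value ?? string.Empty;
        string query = req.QueryString.Value ?? string.Empty;

        // Rules are evaluated in order; each maps to a substatus from the logging table above.
        string denied =
            !AllowedVerbs.Contains(req.Method, StringComparer.OrdinalIgnoreCase) ? "404.6 Verb Denied" :
            DeniedExtensions.Any(e => path.EndsWith(e, StringComparison.OrdinalIgnoreCase)) ? "404.7 File Extension Denied" :
            DeniedUrlSequences.Any(s => path.Contains(s)) ? "404.5 URL Sequence Denied" :
            path.Split('/').Any(seg => HiddenSegments.Contains(seg, StringComparer.OrdinalIgnoreCase)) ? "404.8 Hidden Segment" :
            path.Length > MaxUrlLength ? "404.14 URL Too Long" :
            query.Length > MaxQueryStringLength ? "404.15 Query String Too Long" :
            DeniedQuerySequences.Any(s => query.IndexOf(s, StringComparison.OrdinalIgnoreCase) >= 0) ? "404.18 Query String Sequence Denied" :
            req.ContentLength > MaxContentLength ? "404.13 Content Length Too Large" :
            null;

        if (denied != null)
        {
            // As IIS does: a plain 404 to the client, the reason only in the server log.
            _logger.LogWarning("Request filtering denied {Method} {Path}: {Reason}", req.Method, path, denied);
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return;
        }
        await _next(context);
    }
}
```

Register it early in the pipeline with app.UseMiddleware<RequestFilteringMiddleware>() so that filtered requests never reach routing or controllers.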