While you claimed to be "reproducing this problem", please open the IIS log files (or FRT) for this site and show us what URLs are recorded. Since parent path traversal has been known as a bad thing for decades, you will be surprised to see that every point along the HTTP request processing path has certain ways to remove such harmful dots, so IIS might not even receive the dots to trigger any action you configured.
Request filtering does not work properly in IIS 10
Anoosh Saghiri 21 Reputation points
To prevent path traversal attacks, I added some settings in request filtering (in the Rule and URL tabs), but they do not work properly.
For example, I added ".." in "Deny String" and in "Deny Sequence", but IIS accepts it (e.g. ../../css/test.txt).
I also added "/../.*" in "Block Request Rule" in URL Rewrite, but it does not work either.
Is there anything wrong in my settings?
Accepted answer
Lex Li (Microsoft) 5,847 Reputation points Microsoft Employee
2023-01-09T07:09:42.13+00:00
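
To make the log check suggested in the accepted answer concrete, the following is an added example, not code from the thread or its participants. It resolves the link from the question the way a WHATWG URL client (a browser, Node's `fetch`) does before sending it, then reads `cs-uri-stem` from a W3C-format log excerpt to see whether any dots reached the server. The host name, base page and log lines are constructed, and the substring check is a simplified stand-in for a deny-sequence rule.

```javascript
// Added example (not from the thread). Host, paths and log lines are constructed.
const DENY_SEQUENCES = [".."]; // the deny sequence from the question

// What a WHATWG-URL client (browser, Node fetch) puts on the request line:
// dot segments are resolved before the request is sent.
function pathOnTheWire(reference, base) {
  const u = new URL(reference, base);
  return u.pathname + u.search;
}

// Substring check in the spirit of a deny-sequence rule (simplified assumption).
function matchesDenySequence(urlPath) {
  return DENY_SEQUENCES.some((seq) => urlPath.includes(seq));
}

// Read cs-uri-stem and status from W3C extended log text via its #Fields header.
function readW3cLog(logText) {
  let fields = [];
  const rows = [];
  for (const line of logText.split(/\r?\n/)) {
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
    } else if (line && !line.startsWith("#")) {
      const cols = line.trim().split(/\s+/);
      const get = (name) => cols[fields.indexOf(name)] ?? "";
      rows.push({
        stem: get("cs-uri-stem"),
        status: `${get("sc-status")}.${get("sc-substatus")}`,
        sawDots: matchesDenySequence(get("cs-uri-stem")),
      });
    }
  }
  return rows;
}

// Constructed sample: the link from the question, followed from a nested page.
const BASE = "http://iis.example.test/app/pages/index.html";
const SENT = pathOnTheWire("../../css/test.txt", BASE);

// Constructed IIS log excerpt for that request.
const SAMPLE_LOG = [
  "#Software: Microsoft Internet Information Services 10.0",
  "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-substatus",
  "2023-01-09 07:00:00 GET /css/test.txt - 80 192.0.2.20 200 0",
].join("\n");

console.log(SENT, matchesDenySequence(SENT), readW3cLog(SAMPLE_LOG));
```

When `sawDots` is false for every logged request, the deny sequence had nothing to match: the dots were resolved before the request reached IIS. A request that request filtering does reject for a denied URL sequence is logged with status 404 and substatus 5.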