Request filtering does not work properly in IIS 10

Anoosh Saghiri 1 Reputation point
2023-01-08T13:13:27.67+00:00

To prevent path traversal attacks, I added some settings in request filtering (in the Rule and URL tabs), but they do not work properly.
For example, I added ".." in "Deny String" and in "Deny Sequence", but IIS accepts it (e.g. ../../css/test.txt).
Also, I added "/../.*" in "Block Request Rule" in URL Rewrite, but it does not work either.

Is there anything wrong in my settings?

Internet Information Services

1 answer

  1. Lex Li (Microsoft) 3,201 Reputation points
    2023-01-09T07:09:42.13+00:00

    While you claimed "reproducing this problem", please open the IIS log files (or FRT) for this site and show us what URLs are recorded. Since parent path traversing has been known as a bad thing for decades, you will be surprised to see that every point along the HTTP request processing path has certain ways to remove such harmful dots, so IIS might not even receive the dots to trigger any action you configured.
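
Added example, not part of the original thread or of any Microsoft code: a sketch of the check the answer asks for. It applies the RFC 3986 section 5.2.4 dot-segment removal that browsers and most HTTP clients perform before sending (an assumption about the client used in the question), then reads the `cs-uri-stem` field from W3C-format IIS log lines to see whether ".." ever reached the server. The log lines and the helper names `remove_dot_segments` and `audit_log` are constructed for illustration.

```python
def remove_dot_segments(path):
    """RFC 3986 section 5.2.4: collapse '.' and '..' segments as an HTTP client would."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./") or path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]
            if out:
                out.pop()          # drop the segment that '..' climbs out of
        elif path in (".", ".."):
            path = ""
        else:
            cut = path.find("/", 1)
            cut = len(path) if cut == -1 else cut
            out.append(path[:cut])
            path = path[cut:]
    return "".join(out)

# Constructed sample log (W3C extended format, reduced field set).
# Sub-status 404.5 is request filtering's "URL sequence denied".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status sc-substatus
2023-01-08 13:10:01 GET /css/test.txt - 200 0
2023-01-08 13:10:09 GET /docs/report..txt - 404 5
""".splitlines()

def audit_log(lines, deny_sequence=".."):
    """Return (cs-uri-stem, 'status.substatus', stem_contains_sequence) per log entry."""
    fields, rows = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the entries that follow
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            stem = rec["cs-uri-stem"]
            status = f'{rec["sc-status"]}.{rec["sc-substatus"]}'
            rows.append((stem, status, deny_sequence in stem))
    return rows

if __name__ == "__main__":
    typed = "/../../css/test.txt"          # the question's example, with a leading slash
    print("typed in client :", typed)
    print("after client normalization:", remove_dot_segments(typed))
    for row in audit_log(SAMPLE_LOG):
        print(row)
```

If the logged `cs-uri-stem` never contains the denied sequence, the rule had nothing to match; a 404.5 entry on a URL that does contain it shows the rule firing.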