Hi @炜 张
I am responsible for SSRS related issues. In fact I am not very familiar with IIS. From what I've searched, blocking requests containing the "~" character might be a workaround for virtual websites if you can't fix the IIS root settings.
For more details, you can check this link: https://adrianjnkns.medium.com/iis-shortname-vulnerability-67f933849943.
Hope this helps you.
If the answer is helpful, please click "Accept Answer" and upvote it. If you have any questions, please feel free to let me know.
Best regards,
Aniya