Deny Query String Sequences <denyQueryStringSequences>

Article
08/23/2022

Overview

The <denyQueryStringSequences> element contains a collection of <add> elements that specify sequences of query string characters that IIS will deny, which helps prevent attacks on the Web server that use the query string to deliver the attack payload.

Note

You can override the query string sequences in this collection by adding query string sequences to the <alwaysAllowedQueryStrings> collection.

Note

When request filtering blocks an HTTP request because of a denied query string sequence, IIS 7 will return an HTTP 404 error to the client and log the following HTTP status with a unique substatus that identifies the reason that the request was denied:

HTTP Substatus	Description
`404.18`	Query String Sequence Denied

This substatus allows Web administrators to analyze their IIS logs and identify potential threats.

Compatibility

Version	Notes
IIS 10.0	The `<denyQueryStringSequences>` element was not modified in IIS 10.0.
IIS 8.5	The `<denyQueryStringSequences>` element was not modified in IIS 8.5.
IIS 8.0	The `<denyQueryStringSequences>` element was not modified in IIS 8.0.
IIS 7.5	The `<denyQueryStringSequences>` element of the `<requestFiltering>` element ships as a feature of IIS 7.5.
IIS 7.0	The `<denyQueryStringSequences>` element of the `<requestFiltering>` element was introduced as an update for IIS 7.0 that is available through Microsoft Knowledge Base Article 957508 (`https://support.microsoft.com/kb/957508`).
IIS 6.0	The `<denyQueryStringSequences>` element is roughly analogous to the [DenyQueryStringSequences] section that was added to URLScan 3.0.

Setup

The default installation of IIS 7 and later includes the Request Filtering role service or feature. If the Request Filtering role service or feature is uninstalled, you can reinstall it using the following steps.

Windows Server 2012 or Windows Server 2012 R2

On the taskbar, click Server Manager.
In Server Manager, click the Manage menu, and then click Add Roles and Features.
In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Request Filtering. Click Next.
.
On the Select features page, click Next.
On the Confirm installation selections page, click Install.
On the Results page, click Close.

Windows 8 or Windows 8.1

On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select Request Filtering.
Click OK.
Click Close.

Windows Server 2008 or Windows Server 2008 R2

On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next.
On the Confirm Installation Selections page, click Install.
On the Results page, click Close.

Windows Vista or Windows 7

On the taskbar, click Start, and then click Control Panel.
In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
Expand Internet Information Services, then World Wide Web Services, and then Security.
Select Request Filtering, and then click OK.

How To

How to deny a query string sequence

Open Internet Information Services (IIS) Manager:
- If you are using Windows Server 2012 or Windows Server 2012 R2:
  - On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows 8 or Windows 8.1:
  - Hold down the Windows key, press the letter X, and then click Control Panel.
  - Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
- If you are using Windows Server 2008 or Windows Server 2008 R2:
  - On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- If you are using Windows Vista or Windows 7:
  - On the taskbar, click Start, and then click Control Panel.
  - Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, go to the connection, site, application, or directory for which you want to modify your request filtering settings.
In the Home pane, double-click Request Filtering.
In the Request Filtering pane, click the Query Strings tab, and then click Deny Query String... in the Actions pane.
In the Deny Query String dialog box, enter the query string sequence that you wish to block, and then click OK.

Configuration

The <denyQueryStringSequences> element of the <requestFiltering> element is configured at the site, application, or directory level.

Attributes

None.

Child Elements

Element	Description
`add`	Optional element. Adds a query string to the collection of denied query strings.
`clear`	Optional element. Removes all references to query strings from the collection.
`remove`	Optional element. Removes a query string from the collection of denied query strings.

Configuration Sample

The following sample illustrates a combination of a <denyQueryStringSequences> element and an <alwaysAllowedQueryStrings> element that will deny any query strings if they contain either of two specific character sequences, but will always allow a specific query string that contains both of those two specific character sequences in a particular order.

<system.webServer>
   <security>
      <requestFiltering>
         <denyQueryStringSequences>
            <add sequence="bad" />
            <add sequence="sequence" />
         </denyQueryStringSequences>
         <alwaysAllowedQueryStrings>
            <add queryString="bad=sequence" />
         </alwaysAllowedQueryStrings>
      </requestFiltering>
   </security>
</system.webServer>

Sample Code

The following examples demonstrate how to add a query string sequence that will be denied on the Default Web Site.

AppCmd.exe

appcmd.exe set config "Default Web Site" -section:system.webServer/security/requestFiltering /+"denyQueryStringSequences.[sequence='bad_querystring_sequence']"

PowerShell

$denyQueryStringSequences = Get-IISConfigSection -CommitPath 'Default Web Site' -SectionPath 'system.webServer/security/requestFiltering' | Get-IISConfigCollection -CollectionName 'denyQueryStringSequences'
New-IISConfigCollectionElement -ConfigCollection $denyQueryStringSequences -ConfigAttribute @{ 'sequence' = 'bad_querystring_sequence' }

C#

using System;
using System.Text;
using Microsoft.Web.Administration;

internal static class Sample
{
   private static void Main()
   {
      using (ServerManager serverManager = new ServerManager())
      {
         Configuration config = serverManager.GetWebConfiguration("Default Web Site");
         ConfigurationSection requestFilteringSection = config.GetSection("system.webServer/security/requestFiltering");

         ConfigurationElementCollection denyQueryStringSequencesCollection = requestFilteringSection.GetCollection("denyQueryStringSequences");
         ConfigurationElement addElement = denyQueryStringSequencesCollection.CreateElement("add");
         addElement["sequence"] = @"bad_querystring_sequence";
         denyQueryStringSequencesCollection.Add(addElement);

         serverManager.CommitChanges();
      }
   }
}

VB.NET

Imports System
Imports System.Text
Imports Microsoft.Web.Administration

Module Sample
   Sub Main()
      Dim serverManager As ServerManager = New ServerManager
      Dim config As Configuration = serverManager.GetWebConfiguration("Default Web Site")
      Dim requestFilteringSection As ConfigurationSection = config.GetSection("system.webServer/security/requestFiltering")

      Dim denyQueryStringSequencesCollection As ConfigurationElementCollection = requestFilteringSection.GetCollection("denyQueryStringSequences")
      Dim addElement As ConfigurationElement = denyQueryStringSequencesCollection.CreateElement("add")
      addElement("sequence") = "bad_querystring_sequence"
      denyQueryStringSequencesCollection.Add(addElement)

      serverManager.CommitChanges()
   End Sub
End Module

JavaScript

var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site";
var requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site");

var denyQueryStringSequencesCollection = requestFilteringSection.ChildElements.Item("denyQueryStringSequences").Collection;
var addElement = denyQueryStringSequencesCollection.CreateNewElement("add");
addElement.Properties.Item("sequence").Value = "bad_querystring_sequence";
denyQueryStringSequencesCollection.AddElement(addElement);

adminManager.CommitChanges();

VBScript

Set adminManager = createObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST/Default Web Site"
Set requestFilteringSection = adminManager.GetAdminSection("system.webServer/security/requestFiltering", "MACHINE/WEBROOT/APPHOST/Default Web Site")

Set denyQueryStringSequencesCollection = requestFilteringSection.ChildElements.Item("denyQueryStringSequences").Collection
Set addElement = denyQueryStringSequencesCollection.CreateNewElement("add")
addElement.Properties.Item("sequence").Value = "bad_querystring_sequence"
denyQueryStringSequencesCollection.AddElement(addElement)

adminManager.CommitChanges()

Share via