AbortRequest Url Rewrite Rule not working [Answered]

2 replies

Last post Apr 26, 2019 06:01 AM by Jalpa Panchal

  • AbortRequest Url Rewrite Rule not working

    Apr 25, 2019 02:22 PM|mxmissile

    Trying to get a simple request blocking rule to work; it just continues processing as normal instead of aborting the request.

    <rewrite>
    <rules>
      <rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
        <match url="*" />
        <conditions>
            <add input="{REQUEST_URI}" pattern="*umid=*" />
        </conditions>
        <action type="AbortRequest" />
      </rule>
    </rules>
    </rewrite>

    Given this request: 

    www.something.com/app/entity/needs-signature&umid=5c8a0e6d-8475-ff05-9dbb-436a235682c4&auth=blahblah

    Notice the querystring does not start with a ?. Could that be why? 

    http://www.heliosfx.com
  • Re: AbortRequest Url Rewrite Rule not working

    Apr 25, 2019 07:55 PM|lextm

    Lex Li
    IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: AbortRequest Url Rewrite Rule not working

    Apr 26, 2019 06:01 AM|Jalpa Panchal

    Hi mxmissile,

    If you try to abort the request for this URL

    mxmissile

    www.something.com/app/entity/needs-signature&umid=5c8a0e6d-8475-ff05-9dbb-436a235682c4&auth=blahblah
    firstly you get the error below:

    Your request blocking rule is also not working for that. You could use the rule below to block the request:

    <rule name="RequestBlockingRule4" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{URL}" pattern="*umid=*" />
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
    </rule>



    You also need to add the code below under the <system.web> section in the web.config file:

    <system.web>
        <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
        <pages validateRequest="false" />
    </system.web>

    If you want to block requests by query string value, you could use the rule below:

    <rule name="RequestBlockingRule3" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{QUERY_STRING}" pattern="*umid=*" />
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
    </rule>



    For more detail about request blocking rule, you could follow the below article:

    Regards,

    Jalpa

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
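
Added example, not part of any post in this thread: the two rules from the answer above folded into one, so the block applies whether `umid=` arrives in the path (the request in the question, which has no `?`) or in a real query string. The rule name `BlockUmidAnywhere` is hypothetical; the pattern and the 403 response are the ones used in the answer.

```xml
<rewrite>
  <rules>
    <!-- Hypothetical rule name; added example, not from the thread -->
    <rule name="BlockUmidAnywhere" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <!-- MatchAny: the action fires when either condition matches
           (the default, MatchAll, would require both) -->
      <conditions logicalGrouping="MatchAny">
        <!-- {URL} is the path without the query string. It covers the
             request from the question, where "&umid=" follows the path
             directly and is therefore part of the path. -->
        <add input="{URL}" pattern="*umid=*" />
        <!-- {QUERY_STRING} covers well-formed requests such as
             /app/entity/needs-signature?umid=... -->
        <add input="{QUERY_STRING}" pattern="*umid=*" />
      </conditions>
      <!-- Same response as in the answer. type="AbortRequest" would
           drop the connection instead of sending a status code. -->
      <action type="CustomResponse" statusCode="403"
              statusReason="Forbidden: Access is denied."
              statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
    </rule>
  </rules>
</rewrite>
```

The `<system.web>` settings quoted in the answer empty the list of rejected path characters and turn off ASP.NET page request validation for the whole application, so if they are adopted they are best applied at the narrowest scope that works, for example inside a `<location path="...">` element.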