Block requests by regular expression (or any other way)RSS

6 replies

Last post Nov 18, 2019 01:33 PM by shoats

  • Block requests by regular expression (or any other way)

    Jul 17, 2019 01:51 PM|JamieP1|LINK

    I added the URL blocking rewrite rule which stopped majority of PHP requests from coming through but some still seem to get through, despite the regex used is set to block php. Heres one and wondered how can i block this?

    /plus/mytag_js.php?dopost=saveedit&arrs1[]=99&arrs1[]=102......&arrs2[]=0

    I've truncated the above URL so its easier to read but its a long list containing arrs[]

  • Re: Block requests by regular expression (or any other way)

    Jul 18, 2019 06:21 AM|Able|LINK

    Hi jamieP1,

    According to your description, do you just want to block php request or you want to block url with its querystring?I'm not sure that whether you want block rules depends on content of arrs[] part in querystring or not.   

    The rule in below will block url which has /plus/mytag_js.php in domain and querstring start with dopost=saveedit ,I hope it could help you.

     <rule name="RequestBlockingRule1" stopProcessing="true">
                        <match url=".*" />
                        <conditions>
                            <add input="{URL}" pattern="plus/mytag_js.php/?$" />
                            <add input="{QUERY_STRING}" pattern="^dopost=saveedit" />
                        </conditions>
                        <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                    </rule>

    Best Regards

    Able

    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: Block requests by regular expression (or any other way)

    Jul 18, 2019 08:47 AM|JamieP1|LINK

    Thanks. If possible i would like both approaches. Im applying this to the main IIS area so its applied to all sites so no matter what domain it is i would like these to be blocked.

    Sometimes they change the original URL which if we base it on

    /plus/mytag_js.php?dopost=saveedit&arrs1[]=99&arrs1[]=102......&arrs2[]=0

    to

    /plus/download.php?arrs1[]=99&arrs1[]=102......&arrs2[]=0

    in which case the above rule doesnt work. Sometimes the domain is listed twice in the query i.e.

    http://www.mysite.com/error/?403;http://www.mysite.com:80/plus/download.php?open=1&arrs1[]

    but on all queries they have arrs*[]= - where * is some number.

    Another point i noticed is if i copy the exact Request Url and then execute it in my browser i get the denied response and not listed on the server however when "they" do it, it is listed on the server so i dont know if this is a temp cache issue or they have another way of attacking the server?

    Hope this makes sense?

  • Re: Block requests by regular expression (or any other way)

    Jul 19, 2019 03:19 AM|Able|LINK

    Hi JamiP1,

    JamieP1

    Another point i noticed is if i copy the exact Request Url and then execute it in my browser i get the denied response and not listed on the server however when "they" do it

    The response is given by server,we have define the type of response like 403 when someone is visiting this url ,server will give response of 403 forbidden.So if you only want to disable only two url with different domains,you could just create two block rules.

    Best Regards

    Able 

    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: Block requests by regular expression (or any other way)

    Jul 19, 2019 01:53 PM|JamieP1|LINK

    Hi and thanks!

    I added this rule to the IIS server (which means it applies to all sites and didnt need the querystring as it may change)

    <rule name="RequestBlockingRule1" stopProcessing="true">
                        <match url=".*" />
                        <conditions>
                            <add input="{URL}" pattern="plus/mytag_js.php/?$" />
                        </conditions>
                        <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                    </rule>

    but i still see some getting through. The latest one is

    http://www.site.com/plus/mytag_js.php?dopost=saveedit&arrs1[]=99&arrs1[]=102arrs2[]=0

    Could it be the sites configuration (web.config) is taking over somewhere?

  • Re: Block requests by regular expression (or any other way)

    Jul 23, 2019 03:29 PM|JamieP1|LINK

    Anyone got any thoughts/ideas to try?

  • Re: Block requests by regular expression (or any other way)

    Nov 18, 2019 01:33 PM|shoats|LINK

    So far, this has worked for me: https://webmasters.stackexchange.com/a/90952/305

        <security>
          <requestFiltering>
    		<fileExtensions>
    			<add fileExtension=".php" allowed="false" />
    		</fileExtensions>
           </requestFiltering>
        </security>

    But I don't have any PHP on my site so I can block any PHP request.