
Misconfigured IIS Request Filtering

TLDR: Misconfigured IIS Request Filtering, which falls under “Security Misconfiguration” in the OWASP Top Ten, exposes web servers to injection attacks, denial-of-service (DoS) and information leakage. The usual causes are overly permissive rules, missing URL validation, and improper request size limits, each of which gives an attacker a path to one of those outcomes. Correctly configuring IIS Request Filtering, introduced with IIS 7.0 in 2008, is essential for securing web applications.

https://en.wikipedia.org/wiki/Internet_Information_Services

A common issue with misconfigured IIS Request Filtering is failing to restrict potentially harmful file extensions. For instance, allowing execution of `.exe`, `.cmd`, or `.bat` files through the server opens pathways for remote code execution. OWASP recommends explicitly denying access to dangerous file types by configuring the `DenyUrlSequences` and `DenyQueryStrings` settings.

https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/

Another vulnerability arises from not setting maximum request size limits. Attackers can exploit this by sending excessively large payloads, causing denial-of-service attacks. OWASP advises setting a reasonable `MaxAllowedContentLength` in the IIS Request Filtering settings to mitigate resource exhaustion.

https://owasp.org/www-project-top-ten/

Improper URL validation is another oversight. Allowing overly permissive or poorly defined URL patterns can expose the server to path traversal attacks. OWASP recommends using regular expressions or strict rules to validate and filter incoming URLs.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Input_Validation_Cheat_Sheet.html

Neglecting to block sequences of characters commonly used in attacks, such as `../` or `<script>`, is another misconfiguration. Attackers can use these to perform directory traversal or XSS attacks. OWASP suggests defining and enforcing `DenyUrlSequences` to block such patterns at the server level.

https://owasp.org/www-project-cheat-sheets/cheatsheets/XSS_Prevention_Cheat_Sheet.html

Exposing sensitive HTTP methods, such as `PUT`, `DELETE`, or `TRACE`, is another common misconfiguration. These methods can be exploited for unauthorized resource modification or cross-site tracing attacks. OWASP advises restricting HTTP methods to only those required for the application.

https://owasp.org/www-project-top-ten/

Improper handling of query strings in requests is another vulnerability. For example, allowing excessively long or malformed query strings can lead to injection attacks or resource overconsumption. OWASP recommends configuring the `MaxQueryString` and `MaxUrl` settings to prevent abuse.

https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/
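The five misconfigurations above (unrestricted file extensions, missing request size limits, missing URL-sequence denies, permissive HTTP verbs, and unbounded URL and query-string lengths) all live in one place: the `<requestFiltering>` section of web.config. One way to check a server for them is to parse that section. The following is an added example, not code from the original page, from Microsoft or from OWASP. The element and attribute names it reads (`fileExtensions`, `requestLimits` with `maxAllowedContentLength`/`maxUrl`/`maxQueryString`, `denyUrlSequences`, `verbs`) are the real IIS schema, and note that file extensions are governed by the `fileExtensions` collection while `denyUrlSequences` matches substrings of the URL; the two embedded web.config samples, the 10 MiB policy ceiling and the `audit_request_filtering` function are constructed for this demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a permissive requestFiltering section of the kind the page warns about.
# allowUnlisted="true" is also the IIS default for both collections.
WEAK_WEB_CONFIG = """<configuration><system.webServer><security>
  <requestFiltering>
    <fileExtensions allowUnlisted="true" />
    <verbs allowUnlisted="true" />
  </requestFiltering>
</security></system.webServer></configuration>"""

# Constructed sample: the same section hardened. The limit values are an assumed
# site policy, not IIS defaults; "&lt;script" is how "<script" is written in XML.
HARDENED_WEB_CONFIG = """<configuration><system.webServer><security>
  <requestFiltering>
    <fileExtensions allowUnlisted="true">
      <add fileExtension=".exe" allowed="false" />
      <add fileExtension=".cmd" allowed="false" />
      <add fileExtension=".bat" allowed="false" />
    </fileExtensions>
    <requestLimits maxAllowedContentLength="10485760" maxUrl="4096" maxQueryString="2048" />
    <denyUrlSequences>
      <add sequence=".." />
      <add sequence="&lt;script" />
    </denyUrlSequences>
    <verbs allowUnlisted="false">
      <add verb="GET" allowed="true" />
      <add verb="POST" allowed="true" />
    </verbs>
  </requestFiltering>
</security></system.webServer></configuration>"""

DANGEROUS_EXTENSIONS = {".exe", ".cmd", ".bat"}   # the page's examples
DANGEROUS_VERBS = {"PUT", "DELETE", "TRACE"}      # the page's examples
POLICY_MAX_CONTENT_LENGTH = 10 * 1024 * 1024      # assumed policy ceiling (10 MiB)
IIS_DEFAULT_MAX_CONTENT_LENGTH = 30_000_000       # what IIS applies when the attribute is absent


def _is_true(value, default="true"):
    """Parse an IIS boolean attribute, falling back to the schema default."""
    return (value if value is not None else default).lower() == "true"


def audit_request_filtering(web_config_xml):
    """Return a list of findings for the requestFiltering section; empty means clean."""
    root = ET.fromstring(web_config_xml)
    rf = next(root.iter("requestFiltering"), None)
    if rf is None:
        return ["requestFiltering: section absent, IIS defaults apply unreviewed"]
    findings = []

    # File extensions: with allowUnlisted="true" only explicit allowed="false"
    # entries block anything, so each dangerous extension needs its own deny entry.
    fe = rf.find("fileExtensions")
    adds = fe.findall("add") if fe is not None else []
    denied = {a.get("fileExtension", "").lower() for a in adds if not _is_true(a.get("allowed"))}
    if fe is None or _is_true(fe.get("allowUnlisted")):
        for ext in sorted(DANGEROUS_EXTENSIONS - denied):
            findings.append(f"fileExtensions: {ext} not denied while allowUnlisted is true")

    # Request limits: an absent attribute silently falls back to the IIS default.
    limits = rf.find("requestLimits")
    if limits is None:
        findings.append("requestLimits: absent, default maxAllowedContentLength of 30000000 bytes applies")
    else:
        length = int(limits.get("maxAllowedContentLength", IIS_DEFAULT_MAX_CONTENT_LENGTH))
        if length > POLICY_MAX_CONTENT_LENGTH:
            findings.append(f"requestLimits: maxAllowedContentLength={length} exceeds policy")
        for attr in ("maxUrl", "maxQueryString"):
            if limits.get(attr) is None:
                findings.append(f"requestLimits: {attr} not set explicitly")

    # URL sequences: the traversal sequence named on the page must be denied.
    sequences = {a.get("sequence") for a in rf.findall("denyUrlSequences/add")}
    if ".." not in sequences:
        findings.append("denyUrlSequences: '..' not denied")

    # Verbs: either deny unlisted verbs, or list each dangerous verb with allowed="false".
    verbs = rf.find("verbs")
    entries = {a.get("verb", "").upper(): _is_true(a.get("allowed"))
               for a in (verbs.findall("add") if verbs is not None else [])}
    unlisted_allowed = verbs is None or _is_true(verbs.get("allowUnlisted"))
    for verb in sorted(DANGEROUS_VERBS):
        if entries.get(verb, unlisted_allowed):
            findings.append(f"verbs: {verb} is allowed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"{name}: {audit_request_filtering(cfg) or ['no findings']}")
```

Run against the weak sample the audit reports eight findings (three extensions, the absent `requestLimits`, the missing `..` sequence, and three verbs); against the hardened sample it reports none. The script reads a file's contents the same way, so it can be pointed at the site's real web.config or at the output of `appcmd list config` to check a server rather than the embedded samples.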

Another critical flaw is neglecting to monitor and log filtered requests. Without visibility into blocked attempts, identifying patterns of abuse or active threats becomes difficult. OWASP advises enabling detailed logging of filtered requests and integrating logs with SIEM systems for analysis.

https://owasp.org/www-project-cheat-sheets/cheatsheets/Logging_Cheat_Sheet.html
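Request Filtering does not need a separate log: every request it rejects is written to the normal IIS W3C log with status 404 and a substatus code that names the rule that fired (404.7 for a denied file extension, 404.6 for a denied verb, 404.13 for an oversized body, and so on). Summarising those entries is the visibility the paragraph above asks for. The following is an added example, not code from the original page or from Microsoft; the substatus table is IIS's own, while the sample log lines (using documentation IP ranges) and the `summarize_blocks` function are constructed for the demonstration.

```python
from collections import Counter

# IIS 404 substatus codes that Request Filtering sets on the requests it rejects.
REQUEST_FILTERING_SUBSTATUS = {
    5: "URL sequence denied (denyUrlSequences)",
    6: "verb denied (verbs)",
    7: "file extension denied (fileExtensions)",
    8: "hidden segment denied (hiddenSegments)",
    13: "content length too large (maxAllowedContentLength)",
    14: "URL too long (maxUrl)",
    15: "query string too long (maxQueryString)",
    18: "query string sequence denied (denyQueryStringSequences)",
    19: "denied by filtering rule (filteringRules)",
}

# Constructed sample log in the W3C format IIS writes; the #Fields line is the
# common default field list, and IIS replaces spaces inside field values with '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-02-01 06:40:01 10.0.0.5 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 12
2025-02-01 06:40:02 10.0.0.5 GET /uploads/tool.exe - 443 - 198.51.100.7 Mozilla/5.0 404 7 0 3
2025-02-01 06:40:03 10.0.0.5 DELETE /api/orders/17 - 443 - 198.51.100.7 curl/8.0 404 6 0 2
2025-02-01 06:40:04 10.0.0.5 POST /upload - 443 - 203.0.113.9 Mozilla/5.0 404 13 0 5
2025-02-01 06:40:05 10.0.0.5 GET /missing.html - 443 - 203.0.113.9 Mozilla/5.0 404 0 2 4
2025-02-01 06:40:06 10.0.0.5 GET /static/../web.config - 443 - 198.51.100.7 curl/8.0 404 5 0 2
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def summarize_blocks(text):
    """Return (count per Request Filtering reason, count per client IP) for rejected requests."""
    by_reason, by_client = Counter(), Counter()
    for rec in parse_w3c(text):
        if rec["sc-status"] != "404":
            continue
        reason = REQUEST_FILTERING_SUBSTATUS.get(int(rec["sc-substatus"]))
        if reason is None:
            continue  # plain 404.0 "not found" and other non-filtering substatus codes
        by_reason[reason] += 1
        by_client[rec["c-ip"]] += 1
    return by_reason, by_client


if __name__ == "__main__":
    reasons, clients = summarize_blocks(SAMPLE_LOG)
    for reason, count in reasons.most_common():
        print(f"{count:4d}  {reason}")
    for ip, count in clients.most_common():
        print(f"{count:4d}  blocked requests from {ip}")
```

On the sample, four of the five 404s are Request Filtering rejections and three of them come from one client, which is the kind of per-source pattern worth forwarding to a SIEM. The plain 404.0 for `/missing.html` is correctly left out, so the summary is not inflated by ordinary broken links.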

Failing to update IIS Request Filtering rules to address evolving threats is another oversight. Attackers often adapt their techniques to bypass outdated filters. OWASP recommends regularly reviewing and updating filtering rules to ensure they remain effective against modern attack vectors.

https://owasp.org/www-project-top-ten/

To mitigate these risks, administrators should configure IIS Request Filtering with strict rules for URL validation, file types, and HTTP methods. Regular audits, adherence to OWASP Top Ten guidelines, and testing with tools like OWASP ZAP ensure secure and effective request filtering configurations.

https://owasp.org/www-project-zap/

misconfigured_iis_request_filtering.txt · Last modified: 2025/02/01 06:41 by 127.0.0.1
