Share via


How to setup UrlScan with DenyUrlSequence

I had a case where UrlScan and in particular [DenyUrlSequences] was needed to be setup.

Doing research on this didn’t give many examples on how to do this. So here is a quick guide on how to.

 

First we need a scenario.

So let’s say we want to block on URLs with multiple forward slashes (/////) since this is tested for by various security scanning tools.

And to test this, we need a web application and a client that calls this web application with the forward slashes.

 

First create a new web application (UrlScanDemo) with a simple .aspx page (Hello.aspx) with the following html:

 

<html>

Hello from URLScanDemo!

</html>

 

Then create a .Net C# Console application that will be used for testing this page with a good and a bad URL.

 

    class Program

    {

        static void Main(string[] args)

        {

            string goodURL = @"https://<your site>/URLScanDemo/Hello.aspx";

            string badURL = @"https:// <your site>/URLScanDemo/Hello.aspx/////"; // <- Multiple forward slashes.

            // Run good request

            Console.WriteLine("Running 'good' request...");

            RunRequest(goodURL);

            Console.WriteLine("\nRunning 'bad' request...");

            // Run bad request

            RunRequest(badURL);

        }

        private static void RunRequest(string inUrl)

        {

            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(inUrl);

            HttpWebResponse res = (HttpWebResponse)req.GetResponse();

            if (req.HaveResponse == true)

            {

                Stream responseStream = res.GetResponseStream();

                StreamReader responseReader = new System.IO.StreamReader(responseStream, Encoding.UTF8);

                Console.WriteLine(responseReader.ReadToEnd());

            }

        }

    }

 

Run this and the output should be:

 

Running 'good' request...

<html>

Hello from URLScanDemo!

</html>

Running 'bad' request...

<html>

Hello from URLScanDemo!

</html>

 

So we can see that both URL works. And we can confirm this in the IIS logs as well.

 

<date> <time> W3SVC1 xxx.xxx.xxx.158 GET /URLScanDemo/Hello.aspx - 80 - xxx.xxx.xxx..68 - 200 0 0 15

<date> <time> W3SVC1 xxx.xxx.xxx.158 GET /URLScanDemo/Hello.aspx/ - 80 - xxx.xxx.xxx..68 - 200 0 64 0

 

What we want to do now is to reject the request where the URL contains multiple forward slashes.

First step is to download and install the UrlScan. Current version is 3.1 and is found here:

 

Microsoft Urlscan Filter v3.1 (x86)

https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5017

Microsoft Urlscan Filter v3.1 (x64)

https://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5728

Once you have installed it, you will have the following added to your machine:

 

C:\Windows\System32\inetsrv\urlscan\urlscan.dll

C:\Windows\System32\inetsrv\urlscan\urlscan.ini

 

What we want to do is to deny multiple forward slashes in the [DenyUrlSequences] section. So open the urlscan.ini file in, for example, notepad.

Locate the [DenyUrlSequences] section and add the following to it:

 

///// ; Do not allow five forward slashes

 

We then need to add the urlscan.dll to be used by IIS.

 

For IIS 6.0:

Right click and select “Properties” on the “Web Sites” folder in IIS Manager. Select the “ISAPI Filters” tab.

Select “Add”. Set a “Filter Name” (UrlScan for example) and set the “Executable” to C:\WINDOWS\system32\inetsrv\urlscan\urlscan.dll and “Apply”.

 

For IIS 7.x:

Select the server and double click the “ISAPI Filters” in the IIS section in the “Features View”.

Select “Add” in the “Actions” pane. Set a “Filter Name” (UrlScan for example) and set the “Executable” to C:\WINDOWS\system32\inetsrv\urlscan\urlscan.dll and “OK”.

 

The urlscan.ini is only read on startup. So restart IIS. And we should be good to go.
Rerun the client code. You should now get an output like so:

 

Running 'good' request...

<html>

Hello from URLScanDemo!

</html>

Running 'bad' request...

Unhandled Exception: System.Net.WebException: The remote server returned an error: (404) Not Found.

   at System.Net.HttpWebRequest.GetResponse()

   at TestHeader.Program.RunRequest(String inUrl) in ...

   at TestHeader.Program.Main(String[] args) in ...

And in the IIS logs:

 

<date> <time> W3SVC1 xxx.xxx.xxx.158 GET /URLScanDemo/Hello.aspx - 80 - xxx.xxx.xxx..68 - 200 0 0 811

<date> <time> W3SVC1 xxx.xxx.xxx.158 GET /Rejected-By-UrlScan ~/URLScanDemo/Hello.aspx///// 80 - xxx.xxx.xxx..68 - 404 0 2 0

 

So, we can see that the URL is rejected by the UrlScan.

 

Hope this helps. A bit more info on UrlScan here:

 

UrlScan 3 Reference

https://learn.iis.net/page.aspx/938/urlscan-3-reference/

Comments

  • Anonymous
    July 24, 2014
    Hi, thanks for the info.  I found the article looking for a way to use UrlScan to block multiple slashes, but like this: backup-service.aspx/products/images/products/backup-server/products/eval/eval/products/products/images/products/backup-server/products/backup-server.aspx A user agent is visiting our site thousands of times a day trying non-existent urls.  I can't use the length blocking as some of our google adwords campaigns return LONG urls. So I was trying to see if there's a way to use UrlScan to block urls with say, 10 or more / in them (but usually separated with words as above). thanks again! David