I've been trying to restrict backslashes \ in URL's via the Request filtering tool in IIS 7 by using:
    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <denyUrlSequences>
              <add sequence="\" />
            </denyUrlSequences>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>
However, the backslash rule is being completely ignored? Request filtering is definitely working as I've tried with strings instead of a backslash e.g. contact-us
as a deny rule correctly sends you to a 404 page. But why is it ignoring the backslash? Is there something missing here?
Thank you for your help.
Best Answer
I looked at a similar problem recently and found that backslashes were being replaced with forward slashes by HTTP.sys before the requests were handed off to IIS. So, the Request Filtering module will never get a chance to block the request because it won't see the backslashes.
In more detail, I sent the following request
And the following showed up in Wireshark:
I also set up HTTP.sys event tracing to see what was happening before HTTP.sys handed the request off to IIS & .NET.
It showed the URL as being without a backslash:
As far as I can tell HTTP.sys is sanitizing the backslashes in the URL by replacing them with forward slashes. This behavior was documented for IIS 6 here:
It's also mentioned more recently here:
I got the same behavior on another server, so I suspect there's no way to do this with Request Filtering, in contrast to some of the documentation on iis.net. It would be great to get clearer confirmation from someone at MS, but I couldn't find anything.
Edit: Some of the above is either obsolete, incomplete, or inaccurate. See this answer for an example of rewriting a URL that contains backslashes.
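The answer's point is one of ordering: HTTP.sys canonicalises the URL before the Request Filtering module ever runs, so a deny sequence of `\` is matched against a URL that no longer contains one. The script below is an added example, not code from the question, the answer, or IIS itself; it models that two-stage pipeline so the effect can be checked offline. The normalisation rule (`\` becomes `/`) is taken from the answer's Wireshark and ETW observations, and the case-insensitive substring semantics of `denyUrlSequences` and the function names are assumptions for the model.

```python
# Added example: a simplified model of the pipeline the answer describes
# (HTTP.sys normalisation first, then IIS Request Filtering). Not IIS code;
# the normalisation rule and the filter semantics are assumptions.
from typing import Dict, Iterable, Tuple


def httpsys_normalize(raw_url: str) -> str:
    """Model of HTTP.sys canonicalisation as observed in the answer:
    every backslash in the request URL is replaced by a forward slash."""
    return raw_url.replace("\\", "/")


def request_filter(url: str, deny_sequences: Iterable[str]) -> Tuple[bool, str]:
    """Model of denyUrlSequences (assumed case-insensitive substring match).
    Returns (allowed, matched_sequence)."""
    lowered = url.lower()
    for seq in deny_sequences:
        if seq.lower() in lowered:
            return False, seq
    return True, ""


def handle_request(raw_url: str, deny_sequences: Iterable[str]) -> Dict[str, object]:
    """Run both stages in the order IIS runs them and report what each saw.
    Status 404 mirrors the response Request Filtering sends on a hit."""
    normalized = httpsys_normalize(raw_url)
    allowed, hit = request_filter(normalized, deny_sequences)
    return {
        "raw": raw_url,
        "seen_by_filter": normalized,
        "allowed": allowed,
        "matched": hit,
        "status": 200 if allowed else 404,
    }


if __name__ == "__main__":
    # Constructed sample rules and request paths.
    rules = ["\\", "contact-us"]
    for raw in ["/foo\\bar.aspx", "/contact-us/", "/home.aspx"]:
        print(handle_request(raw, rules))
```

Running it shows `/foo\bar.aspx` reaching the filter as `/foo/bar.aspx` and being allowed despite the `\` rule, while the `contact-us` rule still produces a 404, which is exactly the behaviour the question reports. Calling `request_filter` directly on the raw URL, skipping the normalisation stage, is the counter-case: there the `\` rule fires, which is why the rule looks correct in isolation but never triggers in practice.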