IIS – weird POST request in IIS logs

iislogging

I noticed weird log entries (unless there's something I don't understand) in my IIS (7.5) logs.

It's an online dictionary with requests (user-friendly URL rewriting) and most of them are GET. However, I noticed weird POST requests which are being made by a person who is trying to crawl our content (tens of thousands of such requests).

2013-11-09 20:39:27 GET /dict/mylang/word1 - y.y.y.y Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html) - 200 296
2013-11-09 20:39:29 GET /dict/mylang/word2 - z.z.z.z Mozilla/5.0+(iPhone;+CPU+iPhone+OS+6_0+like+Mac+OS+X)+AppleWebKit/536.26+(KHTML,+like+Gecko)+Version/6.0+Mobile/10A5376e+Safari/8536.25+(compatible;+Googlebot-Mobile/2.1;++http://www.google.com/bot.html) - 200 468

2013-11-09 20:39:29 POST /dict/mylang/word3 - x.x.x.x - - 200 2593

The first two requests are legal. Now for the third request, I don't think I have allowed cross-domain POST, if that is what the third log line means.

All those POST requests take that much time for reasons unknown to me. I would like to know how those POST requests are possible and how I can stop them.

P.S. I have masked the IPs on purpose.

Any help would be appreciated! Thank you in advance.

Best Answer

I'm not sure what you mean by 'cross domain post'. Also, the POST in the log does not have to be an AJAX request.

By default, a resource on your site can be requested with various HTTP verbs. Just because GET is used most often, there is nothing to prevent a client from using a POST when requesting the resource. That's what you see in the log.

Assuming you are using a modern IIS (7+) you can specify which verbs are allowed on a site, directory or file basis.

You say you are using some sort of routing, so you may not have directories or files, but you can still set the allowed verbs. In your web.config, add something like the following under the configuration root:

<location path="dict/mylang">
    <system.webServer>
        <security>
            <requestFiltering>
                <verbs>
                    <!-- Reject POST for URLs under dict/mylang only -->
                    <add verb="POST" allowed="false" />
                </verbs>
            </requestFiltering>
        </security>
    </system.webServer>
</location>

In the location node you are telling IIS to apply this only to a specific URL; then you just say: don't allow any POST requests here. This is not possible in the IIS GUI.

Also you will still get entries in your log files, but they will be 404s with a sub-status of 6 (Verb denied) and they shouldn't take that long.
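To see which clients are sending the unexpected verbs before and after the filter goes in, the log can be summarised per client IP. The script below is an added example, not part of the original answer; the `#Fields` order is an assumption inferred from the log lines in the question, and the sample rows and IP addresses are constructed.

```python
from collections import defaultdict

# Constructed sample in W3C extended format. The #Fields order is an
# assumption inferred from the log lines quoted in the question.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2013-11-09 20:39:27 GET /dict/mylang/word1 - 192.0.2.10 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 296
2013-11-09 20:39:29 POST /dict/mylang/word3 - 198.51.100.7 - - 200 2593
2013-11-09 20:39:31 POST /dict/mylang/word4 - 198.51.100.7 - - 200 2411
2013-11-09 20:39:32 POST /dict/mylang/word5 - 198.51.100.7 - - 404 15
2013-11-09 20:39:40 POST /account/login - 192.0.2.44 Mozilla/5.0 - 200 120
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):      # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def unexpected_verbs(text, prefix="/dict/", allowed=("GET", "HEAD")):
    """Per client IP: requests under `prefix` that used a verb outside `allowed`."""
    stats = defaultdict(lambda: {"count": 0, "ms": 0, "no_ua": 0, "statuses": set()})
    for row in parse_w3c(text):
        if not row["cs-uri-stem"].lower().startswith(prefix):
            continue
        if row["cs-method"].upper() in allowed:
            continue
        s = stats[row["c-ip"]]
        s["count"] += 1
        s["ms"] += int(row["time-taken"])
        s["no_ua"] += row["cs(User-Agent)"] == "-"   # missing User-Agent header
        s["statuses"].add(row["sc-status"])
    return dict(stats)

if __name__ == "__main__":
    report = unexpected_verbs(SAMPLE_LOG)
    for ip, s in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, s["count"], "requests,", s["ms"] // s["count"], "ms avg,",
              s["no_ua"], "without User-Agent, statuses", sorted(s["statuses"]))
```

Once the verb filter is active, the same clients should show 404 instead of 200; logging the `sc-substatus` field as well lets you tell a 404.6 verb denial apart from an ordinary not-found.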
