1 Filter Based on URL Sequences: deny requests whose URL contains a forbidden sequence (here ".."), used to prevent direct access to web pages by typing a URL.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".."/>
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
2 Filter by Verbs: filter by HTTP verb, for example allowing only GET requests.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
3 Filter Based on Request Limits: limits on the request, including the total request length, the URL length and the query-string length.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits
          maxAllowedContentLength="30000000"
          maxUrl="260"
          maxQueryString="25" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
4 Filter Based on File Extensions: filter by the extension of the requested file, for example denying access to .asp and .xml files.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".asp" allowed="false"/>
          <add fileExtension=".xml" allowed="false"/>
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
5 Filter High Bit Characters: deny requests that contain non-ASCII characters.
<configuration>
  <system.webServer>
    <security>
      <!-- "false" rejects URLs containing non-ASCII (high-bit) characters -->
      <requestFiltering allowHighBitCharacters="false" />
    </security>
  </system.webServer>
</configuration>
6 Filter Out Hidden Segments: deny access to some of the directories under a site.
Example: the site has two directories, http://test.com/A and http://test.com/B, and only A should be accessible.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- a listed segment is denied, so hiding B leaves only A reachable -->
          <add segment="B"/>
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
7 Filter Double-Encoded Requests: reject double-encoded requests to avoid double-encoding attacks.
<configuration>
  <system.webServer>
    <security>
      <requestFiltering
        allowDoubleEscaping="false">
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
What a double-encoded request attack is will be explained in detail in the next post.
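As an added example (not code from the original post), the Python script below parses a constructed web.config that merges the seven settings above into one file and applies a simplified model of the IIS request filtering checks to sample requests, so the effect of each setting can be seen. The check order and matching rules are an approximation of IIS, not its implementation.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote
# Constructed web.config that merges the seven settings above into one file (not from the page).
WEB_CONFIG = """<configuration><system.webServer><security>
<requestFiltering allowHighBitCharacters="false" allowDoubleEscaping="false">
  <denyUrlSequences><add sequence=".."/></denyUrlSequences>
  <verbs allowUnlisted="false"><add verb="GET" allowed="true"/></verbs>
  <requestLimits maxUrl="260" maxQueryString="25"/>
  <fileExtensions allowUnlisted="true"><add fileExtension=".asp" allowed="false"/></fileExtensions>
  <hiddenSegments><add segment="B"/></hiddenSegments></requestFiltering></security></system.webServer></configuration>"""

def load_rules(xml_text):
    """Parse the requestFiltering element into a plain dict of rules."""
    rf = ET.fromstring(xml_text).find("system.webServer/security/requestFiltering")
    def listed(tag, attr):  # ({value: allowed}, allowUnlisted) for <verbs> and <fileExtensions>
        node = rf.find(tag)
        items = {e.get(attr).lower(): e.get("allowed", "true") == "true" for e in rf.findall(tag + "/add")}
        return items, node is None or node.get("allowUnlisted", "true") == "true"
    lim = getattr(rf.find("requestLimits"), "attrib", {})
    return {
        "high_bit": rf.get("allowHighBitCharacters", "true") == "true",
        "double_escape": rf.get("allowDoubleEscaping", "false") == "true",
        "deny_seq": [e.get("sequence").lower() for e in rf.findall("denyUrlSequences/add")],
        "hidden": {e.get("segment").lower() for e in rf.findall("hiddenSegments/add")},
        "verbs": listed("verbs", "verb"), "exts": listed("fileExtensions", "fileExtension"),
        "max_url": int(lim.get("maxUrl", 4096)), "max_qs": int(lim.get("maxQueryString", 2048)),
    }

def check_request(rules, verb, raw_url):
    """Return (allowed, reason) for one request; a simplified model of the IIS checks (assumption)."""
    path, _, query = raw_url.partition("?")
    once = unquote(path)  # IIS decodes the URL once before matching sequences, segments and extensions
    lowered = once.lower()  # request filtering matches case-insensitively
    segments = [s for s in lowered.split("/") if s]
    ext = posixpath.splitext(segments[-1])[1] if segments else ""
    verbs, verb_unlisted = rules["verbs"]
    exts, ext_unlisted = rules["exts"]
    checks = [  # (reason, rule violated?)
        ("maxUrl exceeded", len(path) > rules["max_url"]),
        ("maxQueryString exceeded", len(query) > rules["max_qs"]),
        ("high-bit character", not rules["high_bit"] and any(ord(c) > 127 for c in once)),
        ("double-encoded URL", not rules["double_escape"] and unquote(once) != once),
        ("verb not allowed", not verbs.get(verb.lower(), verb_unlisted)),
        ("denied sequence", any(s in lowered for s in rules["deny_seq"])),
        ("hidden segment", bool(rules["hidden"].intersection(segments))),
        ("extension not allowed", bool(ext) and not exts.get(ext, ext_unlisted)),
    ]
    failed = next((reason for reason, violated in checks if violated), None)
    return failed is None, failed or "ok"
```

Run `check_request(load_rules(WEB_CONFIG), "GET", "/A/index.html")` to see an allowed request, and swap in a second segment, verb or extension to see which rule rejects it.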