Skip to content

Instantly share code, notes, and snippets.

@gsherman

gsherman/web.config

Created January 24, 2011 18:35
Show Gist options
  • Save gsherman/793678 to your computer and use it in GitHub Desktop.
Save gsherman/793678 to your computer and use it in GitHub Desktop.
Download ZIP
example of a web config that uses the URL rewrite module to block potentially dangerous querystring. works on IIS7 and classic asp.
Raw
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<!--
Block potentially dangerous querystrings.
Requires the IIS7 URL Rewrite Module, available from: http://www.iis.net/download/urlrewrite
-->
<rewrite>
<rules>
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions logicalGrouping="MatchAny">
<add input="{QUERY_STRING}" pattern="*&lt;*>*" />
<add input="{QUERY_STRING}" pattern="javascript" />
</conditions>
<action type="CustomResponse" statusCode="403" statusReason="A potentially dangerous Request.QueryString value was detected from the client." statusDescription="The URL contains potentially unsafe characters." />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
@cyntss
Copy link

cyntss commented Oct 4, 2015

can I ask you something related to rewriting rules?

I have these two rules:

      <rule name="Rewrite Contact">
       <match url="^en/contact" />
       <action type="Rewrite" url="en/contacto.asp" />
      </rule>

      <rule name="Rewrite Contact sent">
       <match url="^en/contact/([_0-9a-z-]+)" />
       <action type="Rewrite" url="en/contacto.asp?msg={R:1}" />
      </rule>

But it seems like IIS is only taking the first one. Basically I have the contacto.asp file which can weather receive or not a parameter. Do you know how I could do that?

@cyntss
Copy link

cyntss commented Oct 4, 2015

found the solution.. just in case someone else needs the same:

Just needed to add the $ at the end of the first rule

      <rule name="Rewrite Contacto">
       <match url="^en/contact$" />
       <action type="Rewrite" url="en/contacto.asp" />
      </rule>

      <rule name="Rewrite Contacto envia">
       <match url="^en/contact/([_0-9a-z-]+)" />
       <action type="Rewrite" url="en/contacto.asp?msg={R:1}" />
      </rule>

@PabloGim
Copy link

Be careful with MSIECrawler|msnbot as it may stop Bing bot to crawl your site.

@juanpabloaragon
Copy link

Thank you @cyntss.

@claudiomartinez123
Copy link

Hi friends, researching various topics here and elsewhere about friendly urls,
You didn't find what I need and couldn't adapt either.
And so:

I have a site that contains an original URL like this: jornadadepodologia.com.br/cursos-detalhes.asp?id_curso=82&curso_nome=ONLINE-PROCEDIMENTOS-PODOLOGICOS-EM-UNHAS-MICOTICAS

I was able to put together an url like this: jornadadepodologia.com.br/new/ONLINE-PROCEDIMENTOS-PODOLOGICOS-EM-UNHAS-MICOTICAS-idpllq82

where "-idpllq82" is the course parameter identifier.

Here's how I can extract the ID that is 82 through SPLIT in ASP.

I would like a URL to be created like this: jornadadepodologia.com.br/ONLINE-PROCEDIMENTOS-PODOLOGICOS-EM-UNHAS-MICOTICAS

but you need to pass the "course_id" parameters to the courses-details.asp page without appearing in the url, leaving a url as above.

Can someone help me.

I thank you for your help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment