iis

IIS request filtering: restricted verbs (HEAD) still get through


I have this in my web.config

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <!-- Re-exposes /bin to direct requests. IIS hides this segment by default
                         so compiled assemblies cannot be fetched from the web; keep the
                         default unless something genuinely has to be served from /bin. -->
                    <remove segment="bin" />
                </hiddenSegments>
                <!-- allowUnlisted="false": only the verbs listed here pass request filtering.
                     Any other verb (HEAD, OPTIONS, PUT, DELETE, PROPFIND, ...) is rejected
                     with HTTP 404, sub-status 6 ("Verb denied") - not with a 403. -->
                <verbs allowUnlisted="false">
                    <add verb="GET" allowed="true" />   
                    <add verb="POST" allowed="true" />                      
                </verbs>
            </requestFiltering>
        </security>
        </security>

....

When I check the IIS log, I see that requests with the HEAD verb are still getting through. What did I miss? Isn't request filtering supposed to reject them with a 403?


Solution

  • I tried the same configuration on my side and, with failed request tracing enabled, found that the WebDAV module was interfering with the request filtering rule, so the first step is to remove the WebDAV module (and its handler) from the pipeline. Also check the status you are actually getting: a verb denied by request filtering is logged as 404 with sub-status 6 (404.6 "Verb denied"), not 403, so look at the sc-status and sc-substatus columns in the IIS log rather than expecting a 403.

    Add the following to web.config. The first <system.webServer> block sits inside a <location> element (presumably the one wrapping the ASP.NET Core handler; only its closing </location> tag survives in this snippet), the second is the site-level block. The <tracing> section is for diagnosis only - remove it once you are done, because with statusCodes="100-500" it writes a trace file for every request:

     <system.webServer>
          <handlers>
                    <!-- Drop the WebDAV handler so WebDAV no longer claims requests
                         ahead of the aspNetCore handler. -->
                    <remove name="WebDAV" />
            <!-- verb="*" on the handler is fine: the request-filtering verb list is
                 evaluated earlier in the pipeline, before handler mapping, so a denied
                 verb never reaches this handler. -->
            <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
          </handlers>
          <!-- stdout logging is off; turn it on only while diagnosing startup failures,
               and point stdoutLogFile at a directory the app pool identity can write to. -->
          <aspNetCore processPath="dotnet" arguments=".\webapitest.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
        </system.webServer>
      </location>
        <system.webServer>
            <!-- DIAGNOSTIC ONLY. failureDefinitions statusCodes="100-500" captures a trace
                 for every request, successful ones included, and writes it (headers and all)
                 to the failed-request-tracing log directory. Remove this <tracing> section
                 once the verb problem is understood; left in place it fills the disk and
                 keeps request details on the server that you may not want retained. -->
            <tracing>
                <traceFailedRequests>
                    <add path="*">
                        <traceAreas>
                            <add provider="ASP" verbosity="Verbose" />
                            <add provider="ASPNET" areas="Infrastructure,Module,Page,AppServices" verbosity="Verbose" />
                            <add provider="ISAPI Extension" verbosity="Verbose" />
                            <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket,ANCM,Rewrite,RequestRouting" verbosity="Verbose" />
                        </traceAreas>
                        <failureDefinitions statusCodes="100-500" />
                    </add>
                </traceFailedRequests>
            </tracing>
            <!-- Per the failed-request trace, WebDAVModule was handling the request ahead of
                 request filtering; removing the module lets the verb rule below take effect. -->
            <modules>
                <remove name="WebDAVModule" />
            </modules>
            <security>
                <requestFiltering>
                    <!-- Only GET and POST are accepted; every other verb is denied with
                         HTTP 404, sub-status 6 ("Verb denied"). Verify in the IIS log via
                         sc-status/sc-substatus rather than expecting a 403. -->
                    <verbs allowUnlisted="false">
                        <add verb="GET" allowed="true" />
                        <add verb="POST" allowed="true" />
                    </verbs>
                </requestFiltering>
            </security>
        </system.webServer>
    

    With this in place the HEAD requests are rejected as shown in the original answer's screenshots (image placeholders only; the screenshots are not reproduced here).
