protectQueryString & protectUri

Mar 30, 2011 at 6:10 PM

Hello,

I’ve been testing IIS SPF (v.1.06) on IIS7. The form state and form value protection works great. However, when I configure the SPF to protect the Uri or the query string, the token is not present and I get a 403.1 error when I click on a link.

I’m testing with both managed (.Net 3.5 and 4.0) and unmanaged code (classic ASP). Examples of my configuration are at the bottom.

Any assistance would be greatly appreciated.

Thanks,

-----------------------------------------------------------------------------------------------------------------------

UnManaged Code (where ‘/SPFTest’ is the name of the website):

<configuration>
  <configSections>
    <section name="spfConfig" type="IIS.SPF.Config.Options" />
  </configSections>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="IIS.SPF" type="IIS.SPF.CoreModule, IIS.SPF" preCondition="" />
    </modules>
    <defaultDocument>
      <files>
        <add value="index.asp" />
      </files>
    </defaultDocument>
  </system.webServer>
  <spfConfig
      logDirectory="c:\temp\logs"
      protectFormValues="true"
      protectFormState="true"
      protectUri="true"
      protectQueryString="true"
      protectCookie="false"
      protectMode="Active"
      defaultUrl="/SPFTest/Index.asp"
      protectAllFileTypes="false"
      tokenTimeOut="86400"
      blackListCookie="false"
      blackListQueryString="false"
      blackListPost="false"
      bindSourceIp="false"
      bindSessionId="true"
      >
    <fileTypeExceptions>
      <add extension=".asp" protect="true"/>
    </fileTypeExceptions>
    <blackListPatterns>
      <add patternId="PatternNumberOne" patternRegex="\~\." applyTo="post"/>
    </blackListPatterns>
  </spfConfig>
</configuration>

 

Managed (where ‘/Subscribers’ is the name of the website):

<spfConfig logDirectory="c:\temp\logs"
           protectFormValues="true"
           protectFormState="true"
           protectUri="true"
           protectQueryString="true"
           protectCookie="false"
           protectMode="Active"
           defaultUrl="/Subscribers/default.aspx"
           protectAllFileTypes="false"
           blackListCookie="false">
  <fileTypeExceptions>
    <add extension=".aspx" protect="true"/>
  </fileTypeExceptions>
  <blackListPatterns>
    <add patternId="PatternNumberOne" patternRegex="\~\." applyTo="all"/>
  </blackListPatterns>
  <globalScriptProtections>
    <scriptProtection functionName="__doPostBack">
      <functionArguments>
        <add argumentName="eventTarget" protect="true" targetName="__EVENTTARGET" />
        <add argumentName="eventArgument" protect="true" targetName="__EVENTARGUMENT" />
      </functionArguments>
    </scriptProtection>
    <scriptProtection functionName="WebForm_PostBackOptions">
      <functionArguments>
        <add argumentName="eventTarget" protect="true" targetName="__EVENTTARGET"/>
        <add argumentName="eventArgument" protect="true" targetName="__EVENTARGUMENT" />
        <add argumentName="validation" protect="false"/>
        <add argumentName="validationGroup" protect="false"/>
        <add argumentName="actionUrl" protect="false"/>
        <add argumentName="trackFocus" protect="false"/>
        <add argumentName="clientSubmit" protect="false"/>
      </functionArguments>
    </scriptProtection>
  </globalScriptProtections>
</spfConfig>