The security problem of mapping the file structure of Azure Web App and other IIS apps – part 3

Previously, in part 1 and part 2, there was no final and easy-to-use solution to prevent attackers from mapping your website. There is now a final solution that works both with on-premises IIS and with Azure Web App. It is independent of the Web Application Firewall and of the Front Door service.


The solution is based on URL Rewrite. Assuming we want to prevent mapping of, for example, the /a and /b subdirectories, we create the following web.config:


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appSettings>
    <add key="setting1" value="setting1" />
  </appSettings>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="RequestBlockingRulea" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{URL}" pattern="^/a(/?|/.)$" />
          </conditions>
          <action type="CustomResponse" statusCode="404" statusReason="Not Found" />
        </rule>
        <rule name="RequestBlockingRuleb" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{URL}" pattern="^/b(/?|/.)$" />
          </conditions>
          <action type="CustomResponse" statusCode="404" statusReason="Not Found" />
        </rule>
      </rules>
    </rewrite>
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="500" />
      <error statusCode="500" path="hostingstart.html" responseMode="File" />
      <remove statusCode="404" />
      <error statusCode="404" path="hostingstart.html" responseMode="File" />
      <remove statusCode="400" />
      <error statusCode="400" path="hostingstart.html" responseMode="File" />
      <remove statusCode="403" />
      <error statusCode="403" path="hostingstart.html" responseMode="File" />
    </httpErrors>
  </system.webServer>
</configuration>


The rewrite rules return 404 Not Found for the /a and /b subdirectories and must be adjusted to the directories in your own solution. Please be aware that access to a file such as /b/file.ext is not blocked.

If there are further subdirectories underneath these directories, the pattern must be adjusted, e.g. to allow only specific file extensions.
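As an added illustration (not part of the original post), the following Python emulates the rewrite condition against constructed sample paths: it shows what the post's `^/a(/?|/.)$` pattern answers with 404 and what it leaves reachable, and it adds a stricter pattern (an assumption of this example, not the post's) of the kind suggested for directories that have content underneath.

```python
import re

# Constructed sample request paths (not from the original post) used to show
# which URLs each condition pattern matches.
SAMPLE_PATHS = ["/a", "/a/", "/a/x", "/a/file.ext", "/a/index.html",
                "/a/sub/page.html", "/ab", "/b", "/b/file.ext", "/c/"]


def page_pattern(directory):
    """Condition pattern used in the post's web.config, e.g. ^/a(/?|/.)$.

    It matches the directory itself, the directory with a trailing slash and
    a single-character child; /a/file.ext is deliberately left reachable."""
    return rf"^/{re.escape(directory)}(/?|/.)$"


def strict_pattern(directory, allowed_exts):
    """Adjusted pattern (an assumption, not from the post): answer 404 for
    everything under the directory except direct children whose extension
    is in allowed_exts, so nested subdirectories stay unmappable."""
    exts = "|".join(re.escape(e) for e in allowed_exts)
    return rf"^/{re.escape(directory)}(?!/[^/]+\.({exts})$)(/.*)?$"


def is_blocked(path, pattern):
    """Emulate the rewrite condition: IIS conditions match case-insensitively
    by default (ignoreCase="true"), so apply re.IGNORECASE here as well."""
    return re.match(pattern, path, re.IGNORECASE) is not None


def evaluate(paths, pattern):
    """Map each path to True when the rule would answer 404 Not Found."""
    return {p: is_blocked(p, pattern) for p in paths}


if __name__ == "__main__":
    for name, pat in (("post", page_pattern("a")),
                      ("strict", strict_pattern("a", ["html", "css"]))):
        print(f"--- {name}: {pat}")
        for path, blocked in evaluate(SAMPLE_PATHS, pat).items():
            print(f"{path:20} {'404' if blocked else 'allowed'}")
```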

The solution above also includes custom error pages (the httpErrors section); they are optional and can be removed for clarity.