I have a website where I can't change the deployed code. However I can access the IIS it is running under.
I want to block one specific Web Method. I thought I could probably do this using IIS Request Fitering by adding a hiddenSegment or denyUrl - however this does not seem to be effective. URLRewrite is not installed.
Example endpoint from IIS logs :
2022-11-30 03:34:59 10.63.194.247 POST /webService.asmx/WebMethodToBlock - 80 MYDOMAIN\userid 10.240.41.95 PostmanRuntime/7.24.1 - 200 0 0 3951
I have tried add "WebMethodToBlock" as both a denyUrl and a hiddenSegment - but requests are still handled by IIS.
It may be pertinent that the WebMethod is a POST. I can't seem to establish from the docs whether denyUrl and hiddenSegment rules only apply to GETs?
If you want block all request with Post, just add this:
There isn't an obvious way to block a single page form POST on IIS. May be you can try a trick that POST method comes with a query sign "?" after the URL.