IIS 8 block request by JSON payload fields

Question

I have an MVC.NET 4 web server that accepts HTTP POST request with a JSON formatted string as the request data. I would like to add a rule in the IIS level before the request hits the server, to block request by some regex on that JSON string. Is that possible?

Answer 1

I think creating and adding a custom Http Module can solve your problem. An HTTP module is called on every request in response to the BeginRequest and EndRequest events.

Answer 2

Since you said:

I want it to be in the IIS level to void more load of the the web server level needing to create another thread for each request. The reason I want to block some request is that they are not relevant to my app anymore, the come in high load and I cannot stop them from the clients side

You have 2 choices:

1. Request Filtering
2. URL Rewriting

Please study the IIS 7.0 Request Filtering and URL Rewriting article carefully to know the most important things about them. If your selection would be first one with highest priority, The <denyQueryStringSequences> would be useful where it covers some filtering requirements. And for working with regex, you need to use the second one. the following sample rule can stop processing the request under the <rewrite>:

<rule name="Block Bad Request Strings" stopProcessing="true">
     <match url=".*" />
     <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
          <add input="{QUERY_STRING}" pattern="id=([^\"]*[^-]?>)|(?:[^\\w\\s]\\s*\\\/>)|(?:>\") />
     </conditions>
     <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission" />
</rule>

For more information see URL Rewrite Module Configuration Reference