In IIS URL Rewrite, I need to abort all requests, except those which:
- do not have any querystring parameter, or
- do have one or more querystring parameters within a limited set of querystring parameters.
Every request with one or more querystring parameters outside of the limited set will get an AbortRequest.
So for example:
- https://mysite123/page.html will be accepted
- https://mysite123/page.html?allowed3=ccc will be accepted
- https://mysite123/page.html?allowed1=aaa&allowed2=bbb will be accepted
- https://mysite123/page.html?allowed1=aaa&disallowed4=nope will be rejected
I've been playing and fiddling for days, but did not come to a working solution.
Here is what I've achieved so far: parameters allowed1, ... allowed4 are allowed, but any others are not.
So far, this rule is too permissive, because if I specify the "allowed1" parameter with the "z" parameter, the request is accepted... but I want it to be blocked due to the presence of "z".
The tricky part is that I do not know in advance the order of my allowed parameters, nor their number. A valid request could contain the "allowed1" parameter, or the "allowed1" + "allowed3" parameters, or only "allowed4". But the "z" parameter should be rejected, even if one of the whitelisted ones is present.
<rule name="Accept Requests Without parameters, or with Only whitelisted ones" stopProcessing="true">
  <match url="(.*)" ignoreCase="true" negate="false"/>
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <!-- negate="true": abort when the query string is neither empty nor contains an allowed parameter name -->
    <add input="{QUERY_STRING}" pattern="((^.{0}$)|(((^|\?|&amp;)(allowed1|allowed2|allowed3|allowed4)=)))" negate="true" ignoreCase="true" />
  </conditions>
  <action type="AbortRequest"/>
</rule>
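
Why the rule above lets "allowed1" plus "z" through, and how an anchored whole-string pattern behaves on the same inputs, as an added example that is not part of the original post. It assumes the rule's default ECMAScript pattern syntax, so the patterns are exercised in JavaScript; `buildStrictPattern`, `isAborted`, `evaluate` and the sample query strings are constructed for illustration.

```javascript
// Allow-list taken from the rule in the question.
const ALLOWED = ["allowed1", "allowed2", "allowed3", "allowed4"];

// Pattern from the question: unanchored on the right, so it matches as soon
// as ANY allowed name appears, whatever else the query string contains.
const original = /((^.{0}$)|(((^|\?|&)(allowed1|allowed2|allowed3|allowed4)=)))/i;

// Anchored alternative (an assumption, not from the post): the WHOLE query
// string must be a sequence of allowed names, each with an optional value,
// separated by '&'. The empty string matches with zero repetitions.
function buildStrictPattern(names) {
  const escaped = names.map((n) => n.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp(
    "^(?:(?:" + escaped.join("|") + ")(?:=[^&]*)?(?:&|$))*$",
    "i"
  );
}
const strict = buildStrictPattern(ALLOWED);

// The condition uses negate="true": the request is aborted when the
// pattern does NOT match {QUERY_STRING}.
function isAborted(pattern, queryString) {
  return !pattern.test(queryString);
}

// Constructed query strings, based on the URLs and the "z" case in the question.
const samples = [
  "",
  "allowed3=ccc",
  "allowed1=aaa&allowed2=bbb",
  "allowed1=aaa&disallowed4=nope",
  "allowed1=aaa&z=1",
  "z=1&allowed1=aaa",
  "allowed11=x",
];

// One row per sample: was it aborted under each pattern?
function evaluate() {
  return samples.map((qs) => ({
    queryString: qs,
    abortedByOriginal: isAborted(original, qs),
    abortedByStrict: isAborted(strict, qs),
  }));
}

console.table(evaluate());
```

When a pattern like this is placed in the `pattern` attribute of the `<add>` condition, each `&` has to be written as `&amp;` because web.config is XML.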