TOPs dicas sobre IIS (Internet Information Services)
1) Bloquear requisições externas a /Trace.axd via web.config:
<!-- Block access to /Trace.axd -->
<!-- Place this under <system.webServer> in web.config. Request filtering treats
     "Trace.axd" as a hidden segment: any request whose URL path contains that segment
     is rejected by IIS (a 404 class response) no matter where it originates, so the
     effect is broader than the "external requests" wording of the heading.
     NOTE(review): if tracing should stay reachable from the server itself, the ASP.NET
     <trace> element under <system.web> (enabled / localOnly attributes) is the usual
     place to control that; confirm which behaviour is intended before relying on this. -->
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Trace.axd" />
</hiddenSegments>
</requestFiltering>
</security>
Ou...
<!-- Block access to /Trace.axd -->
<!-- NOTE(review): this snippet is byte for byte the same as the one above; the
     alternative that the "Ou..." heading announces is not on the page. The same
     placement note applies: it belongs under <system.webServer>, and it hides the
     segment for every caller, not only external ones. -->
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Trace.axd" />
</hiddenSegments>
</requestFiltering>
</security>
2) Bloquear URLs com comandos ou caracteres maliciosos:
<!-- Block URLs containing commands or malicious characters -->
<!-- Rewrite rule: a request whose URL path contains ";" or "|" or one of the listed
     words is answered with 403 and no later rule runs (stopProcessing="true").
     It belongs under <system.webServer>/<rewrite>/<rules>, as the examples further
     down show. NOTE(review): the "url" pattern of <match> is applied to the URL path
     only; the query string is not examined unless a <conditions> entry on
     {QUERY_STRING} is added, so the listed host name is only caught when it appears
     in the path itself. Plain substrings such as "curl" or "wget" and the bare ";" and
     "|" characters also match ordinary paths that happen to contain them; verify the
     pattern against real traffic before enabling it in production. -->
<rule name="Bloquear comandos maliciosos" stopProcessing="true">
<match url=".*(;|\||nslookup|curl|wget|bxss\.me).*" ignoreCase="true" />
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Malicious pattern blocked" />
</rule>
OUTROS EXEMPLOS:
<system.webServer>
<rewrite>
<rules>
<!-- Block URLs containing commands or malicious characters -->
<!-- Extended version of the rule in item 2. Two regex facts worth knowing before
     deploying it: "\.asp" is an unanchored substring, so it also matches ".aspx" and
     therefore blocks every ASP.NET page on the site; "eval" and "exec" match inside
     ordinary words (for example "/medieval" or "/executive"). "cmd=" has the shape of
     a query parameter, but <match url> only inspects the path, so it fires only when
     that text appears in the path. NOTE(review): the URL is normally decoded before
     the pattern is applied, so "%3B" and "%7C" are likely redundant with ";" and "|";
     confirm on the target IIS version. This block and the next one are alternatives,
     not a pair: a web.config holds one <system.webServer> section. -->
<rule name="Bloquear comandos maliciosos" stopProcessing="true">
<match url=".*(;|\||\${|%00|%3B|%7C|cmd=|eval|exec|nslookup|curl|wget|bxss\.me|\.\/|etc\/passwd|\.jsp|\.asp|\.php).*" ignoreCase="true" />
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Malicious pattern blocked" />
</rule>
</rules>
</rewrite>
</system.webServer>
<system.webServer>
<rewrite>
<rules>
<!-- Broadest variant of the blocking rule. Review notes on the pattern:
     ".aspx" and ".ashx" are listed explicitly (and "\.asp" matches ".aspx" anyway), so
     on an ASP.NET site this rule blocks the application's own pages and handlers;
     remove those entries unless the site serves no ASP.NET content.
     "\.well-known/" covers the /.well-known/ path used for ACME (Let's Encrypt) HTTP
     challenges and "/upload" covers any upload endpoint; both break legitimate traffic
     if the site relies on them.
     "bash", "eval", "exec", "base64" and "\.conf", "\.ini", "\.env", "\.sh", "\.pl" are
     unanchored substrings and also match ".config", ".initial", ".shtml", ".plist" or
     words that merely contain them.
     "cmd=", "file=" and "path=" have the shape of query parameters, but <match url>
     sees only the path; a <conditions> entry on {QUERY_STRING} is needed to inspect
     the query string.
     Test the pattern against real traffic before enabling it with
     stopProcessing="true", since a match ends rule processing with a 403. -->
<rule name="Bloquear comandos e URLs maliciosos" stopProcessing="true">
<match url=".*(;|\||\${|%00|%3B|%7C|cmd=|eval|exec|curl|wget|nslookup|bxss\.me|\.\/|etc\/passwd|\.jsp|\.asp|\.php|\.action|\.vm|\.lua|\.sh|\.conf|\.ini|\.env|\.bak|\.backup|\.sql|\.tar|\.gz|\.zip|\.rar|base64|powershell|file=|path=|cmdline|bash|/WEB-INF/|\.well-known/|/upload|\.pl|\.cgi|\.bat|\.py|\.rb|\.go|\.aspx|\.ashx).*" ignoreCase="true" />
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Bloqueado por segurança" />
</rule>
</rules>
</rewrite>
</system.webServer>
3) Bloquear domínios maliciosos conhecidos:
<!-- Reject requests whose URL path contains one of the listed host names. Like the
     other rules this belongs under <system.webServer>/<rewrite>/<rules>.
     Review notes: the list mixes callback and paste services with general purpose
     sites (slack.com, discord.com, telegram.org) and developer tunnel services
     (ngrok.io, trycloudflare.com); blocking those also stops legitimate links and
     integrations, so trim the list to what the site actually needs.
     NOTE(review): <match url> inspects the path only; a host name carried in a query
     parameter or a request header is not seen by this rule, so its coverage is
     narrower than the heading suggests. A deny list of host names needs constant
     upkeep; log the matches and treat the rule as a signal, not as the only control. -->
<rule name="Bloquear domínios maliciosos conhecidos" stopProcessing="true">
<match url=".*(bxss\.me|requestbin\.com|requestbin\.net|hookbin\.com|postb\.in|webhook\.site|webhookrelay\.com|dnslog\.cn|interact\.sh|oast\.me|oast\.pro|oast\.site|oast\.online|burpcollaborator\.net|canarytokens\.com|canarytokens\.org|xsshunter\.com|ezxss\.com|xss\.ht|pastebin\.com|hastebin\.com|ptsv2\.com|ngrok\.io|localhost\.run|serveo\.net|trycloudflare\.com|smee\.io|slack\.com|discord\.com|telegram\.org).*" ignoreCase="true" />
<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Blocked by security policy" />
</rule>