Web App Denial of Service mitigation on IIS

Hi all,

I have several web apps running on a Windows server that are affected by the DecodeURLComponent glitch. It’s using IIS as a reverse proxy, but when a visitor hits a malformed URL, it crashes the app service, killing all active WebSessions and taking the app completely offline for about 20 seconds before the service restarts.

Unfortunately Xojo versions newer than 2025r2 do not render my html properly so recompiling with 2026r1.2 is not an option at this time.

I see there are ways to filter the bad requests on Apache and Nginx, how is this done on IIS?

Answering my own question. Here’s a tutorial for anyone who needs the help.

You will need the URL Rewrite module; you probably already have it in order to make the Reverse Proxy work with your Xojo Web App. Grab it here: https://www.iis.net/downloads/microsoft/url-rewrite

Open your website in IIS Manager, and open the URL Rewrite module. You can see here I already have the reverse proxy set up for my app. Click Add Rule(s)…

Select Blank rule and click OK.

For Name, you can enter any name you like, here I’ve used “Xojo Fix”.
You want Requested URL to be “Matches the pattern” and the Pattern is .*

Expand the Conditions group and change the Logical grouping selection to Match Any. Click the Add button.

For Condition Input, leave it at {QUERY_STRING}. Set the Pattern to %(?![0-9a-fA-F]{2}). Click OK.

You’ll see the new condition in the list. Click Add again.

This time, change Condition Input to {UNENCODED_URL}. For the Pattern, use the same as before: %(?![0-9a-fA-F]{2}). Click OK.

In the “Action” section, change the Action Type to Custom Response. You can use whatever error codes and messages you like; I chose 400, Bad URL, and A malformed URL was submitted. Fill in all these entries and click Apply in the top right. After that, click Back to Rules, also in the top right.

You’ll see your new “Xojo Fix” rule in the list. However, the Reverse Proxy rule still takes priority over it. Select your new “Xojo Fix” rule and click Move Up to move it to the top of the list, above the Reverse Proxy rule. Click Yes to confirm the change.

That should do it! If it looks like this, now users submitting a malformed URL will get a 400 error while properly formed query strings should still flow through.


You can also add the following rule above your reverse proxy rule in your site’s web.config, within the configuration > system.webServer > rewrite > rules path:

    <!-- Reject any request whose raw URL or query string contains a "%" not followed by two hex digits -->
    <rule name="Xojo Fix" stopProcessing="true">
        <match url=".*" />
        <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
            <add input="{QUERY_STRING}" pattern="%(?![0-9a-fA-F]{2})" />
            <add input="{UNENCODED_URL}" pattern="%(?![0-9a-fA-F]{2})" />
        </conditions>
        <action type="CustomResponse" statusCode="400" statusReason="Bad URL" statusDescription="A malformed URL was submitted." />
    </rule>
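The following is an added example, not code from either post above and not part of Xojo or IIS. It re-implements the logic of the "Xojo Fix" rule (the GUI steps and the web.config fragment describe the same rule) so the pattern can be tried against sample request lines offline before touching a production site: the regex `%(?![0-9a-fA-F]{2})` applied to `{QUERY_STRING}` and `{UNENCODED_URL}` with MatchAny, plus a minimal walk of an ordered rule list so the effect of moving the rule above the reverse-proxy rule is visible. It assumes the reverse-proxy rule matches every URL and has stopProcessing="true" (the shape of the rule ARR generates); the sample request-targets are constructed, not captured traffic.

```python
"""Offline model of the "Xojo Fix" URL Rewrite rule.  Added example, not the
post's own code and not Xojo/IIS code: it mimics the rule's MatchAny condition
logic and rule ordering so the pattern can be checked against sample requests.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Pattern copied from the rule: a "%" that is NOT followed by exactly two hex
# digits.  URL Rewrite patterns are ECMAScript regexes, case-insensitive by
# default (ignoreCase="true"), hence re.IGNORECASE here.
MALFORMED_PERCENT = re.compile(r"%(?![0-9a-fA-F]{2})", re.IGNORECASE)


def server_variables(raw_target: str) -> Dict[str, str]:
    """Derive the two server variables the rule reads from a raw request-target
    (the "/path?query" string as sent on the HTTP request line, still encoded).
    {UNENCODED_URL} is the whole raw string, query included;
    {QUERY_STRING} is the raw text after the first "?" (empty if there is none)."""
    _path, _sep, query = raw_target.partition("?")
    return {"UNENCODED_URL": raw_target, "QUERY_STRING": query}


def xojo_fix_matches(raw_target: str) -> bool:
    """<match url=".*"/> always matches, so only the conditions decide.
    logicalGrouping="MatchAny": either variable tripping the pattern fires the rule."""
    sv = server_variables(raw_target)
    return any(MALFORMED_PERCENT.search(sv[name]) for name in ("QUERY_STRING", "UNENCODED_URL"))


@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]
    action: str             # "CustomResponse" or "Rewrite"
    stop_processing: bool


# Assumption: the ARR-generated inbound proxy rule matches every URL, rewrites
# it to the Xojo app and has stopProcessing="true".
REVERSE_PROXY = Rule("ReverseProxyInboundRule1", lambda _t: True, "Rewrite", True)
XOJO_FIX = Rule("Xojo Fix", xojo_fix_matches, "CustomResponse", True)


def route(rules: List[Rule], raw_target: str) -> str:
    """Walk the ordered rule list the way URL Rewrite does: the first matching
    rule acts.  CustomResponse ends the request with the configured status;
    Rewrite with stopProcessing="true" stops further rule evaluation."""
    for rule in rules:
        if not rule.matches(raw_target):
            continue
        if rule.action == "CustomResponse":
            return "400 Bad URL"            # request never reaches the Xojo app
        if rule.stop_processing:
            return "proxied to Xojo app"
    return "served by IIS"


# Constructed sample request-targets with the outcome expected when the fix
# rule sits above the proxy rule.
SAMPLES = {
    "/app?name=John%20Doe": "proxied to Xojo app",     # well-formed %20
    "/app?q=%E2%82%AC&page=2": "proxied to Xojo app",  # multi-byte, well-formed
    "/app?discount=50%25": "proxied to Xojo app",      # literal %, correctly encoded
    "/app?discount=50%": "400 Bad URL",                # bare % at end of string
    "/app?q=%ZZ": "400 Bad URL",                       # non-hex after %
    "/app?q=%2": "400 Bad URL",                        # only one hex digit
    "/app?q=%2G1": "400 Bad URL",                      # second char not hex
    "/app%zz/page": "400 Bad URL",                     # bad encoding in the path, no query
    # Two syntactically valid pairs pass: the pattern checks percent-hex
    # syntax only, not whether the decoded bytes form valid UTF-8.
    "/app?q=%C3%28": "proxied to Xojo app",
}


def run_samples(fix_first: bool = True) -> Dict[str, str]:
    """Route every sample through the rule list in the given order."""
    rules = [XOJO_FIX, REVERSE_PROXY] if fix_first else [REVERSE_PROXY, XOJO_FIX]
    return {target: route(rules, target) for target in SAMPLES}


if __name__ == "__main__":
    for target, outcome in run_samples(fix_first=True).items():
        print(f"{outcome:22} {target}")
    # Proxy rule left on top: it matches first and stops, so the fix never runs
    # and the malformed request is forwarded to the app.
    print("proxy first, /app?q=%ZZ ->", run_samples(fix_first=False)["/app?q=%ZZ"])
```

The last sample is the caveat worth keeping in mind: the rule only checks that every `%` is followed by two hex digits, so it stops the malformed-escape class of request described in the thread but does not validate what those bytes decode to. The ordering run reproduces why the Move Up step matters: with the proxy rule first and stopProcessing="true", the fix rule is never evaluated.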