Disallow query parameters on certain files in IIS 7.5 or with .NET

Question

Is there a generic way to disallow querystring parameters on a for example .swf files in IIS 7 or using .Net?

We have an appllication with a thrid party swf file that allows XSS by calling it with certain query string parameters. Therefore we want to disable the parameters in a generic way.

The only thing that comes to my mind is writing a handler that reroutes the file call to a call with no parameters.

Answer 1

You don't need an Handler, just a new IIS Rewrite rule that will match yourfile.swf?* and will rewrite it as yourfile.swf (explicitly without appending querystring).

Something like (didn't check it):

<configuration>
<system.webServer>
    <rewrite>
        <rules>
            <rule name="strip_querystring" patternSyntax="Wildcard" stopProcessing="true">
                <match url="yourfile.swf*" />
                <action type="Rewrite" url="yourfile.swf" appendQueryString="false" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>