|Supported by||Email, Phone, Knowledge base, Forums|
|Works With||IIS 6, IIS 7|
|Documentation||IIS Secure Parameter Filter (SPF) Documentation|
|Updated on||January 14, 2009|
The tamper protection capabilities of SPF are primarily designed to thwart authorization attacks. Tamper protection works at the following levels:
- URI Protection - Protected URI's require a cryptographic token to access. The only way to obtain a valid URI token is for the application to present you with a link to the URI. This is primarily designed to thwart direct browsing attacks where users can forcefully request pages for which they are not entitled.
- Query String Protection - Protected query string values are validated using a cryptographic token which ensures they were not tampered with. This protection is designed to secure embedded query string values from manipulation.
- Form Field Protection - Protected form fields that contain embedded values (i.e. Hidden Fields and Select Lists) are protected to prevent un-authorized viewing or modification by malicious users.
- HTTP Cookie Protection - Protected cookies are encrypted to prevent un-authorized viewing or modification by malicious users.
Replay & Forgery Protection
- SPF tokens are bound to each unique session, resulting in the ability to protect against Cross-Site Request Forgery and thwart certain types of hijacking, replay, and cross-site scripting attacks.
Malicious Input Filtering
Malicious input filtering (referred to as Black List Protection) is designed to identify parameters that include known attack patterns. SPF supports Black List pattern matching against Query Strings, Post Data, and Cookie values.
- Regular Expression Support - Provide a powerful mechanism for defining malicious input patterns
- Flexible Request Entity Coverage – Black List patterns can be applied to any combination of Query Strings, Post data or Cookie values. Specific URLs can also be excluded from Black List coverage for greater flexibility.