IIS Secure Parameter Filter (SPF)

Windows This is a Community Contributed Download

Supported byEmail, Phone, Knowledge base, Forums
Works WithIIS 6, IIS 7
DocumentationIIS Secure Parameter Filter (SPF) Documentation
Updated onJanuary 14, 2009
Uploaded bybholyfield


SPF is an application security module designed for Microsoft IIS web servers. SPF uses cryptography to dynamically secure embedded application parameters from manipulation at runtime. These parameters typically include Query String variables, non-editable HTML Form Inputs, Browser Cookies, and other variables set via client-side JavaScript. SPF does not require any changes to the underlying application code and provides instant protection against parameter tampering, URL manipulation and replay attacks. SPF also includes the capability to define forbidden input patterns (Black-Lists) using regular expressions to block known attack signatures.


Tamper Protection

The tamper protection capabilities of SPF are primarily designed to thwart authorization attacks. Tamper protection works at the following levels:

  • URI Protection - Protected URI's require a cryptographic token to access. The only way to obtain a valid URI token is for the application to present you with a link to the URI. This is primarily designed to thwart direct browsing attacks where users can forcefully request pages for which they are not entitled.
  • Query String Protection - Protected query string values are validated using a cryptographic token which ensures they were not tampered with. This protection is designed to secure embedded query string values from manipulation.
  • Form Field Protection - Protected form fields that contain embedded values (i.e. Hidden Fields and Select Lists) are protected to prevent un-authorized viewing or modification by malicious users.
  • HTTP Cookie Protection - Protected cookies are encrypted to prevent un-authorized viewing or modification by malicious users.

Replay & Forgery Protection

  • SPF tokens are bound to each unique session, resulting in the ability to protect against Cross-Site Request Forgery and thwart certain types of hijacking, replay, and cross-site scripting attacks. 

Malicious Input Filtering

Malicious input filtering (referred to as Black List Protection) is designed to identify parameters that include known attack patterns. SPF supports Black List pattern matching against Query Strings, Post Data, and Cookie values.

  • Regular Expression Support - Provide a powerful mechanism for defining malicious input patterns
  • Flexible Request Entity Coverage – Black List patterns can be applied to any combination of Query Strings, Post data or Cookie values. Specific URLs can also be excluded from Black List coverage for greater flexibility.


SPF will provide applications with instant protection against a variety of attacks with minimal configuration and without the need to touch the underlying application code.  SPF can also be used to provide robust protection against malicious application worms, such as those recently exploiting SQL injection vulnerabilities.  Unlike URLScan, SPF has the capability to protect all application-level parameters (including POST data) and is designed specifically to provide parameter-level protection for web applications. 


SPF supports IIS6 and IIS7.  The current version of SPF provides full protection for any application running on IIS7 and for ASP.NET applications running on IIS6. Non-ASP.NET applications on IIS6 will be limited to only the Malicious Input Filtering capabilities of SPF (due to the absence of the integrated pipeline on IIS6).