In the IIS7 & 8 Request Filtering feature, you can have rules to allow or deny URLs and query strings.

I get why you would want to block sequences that come in with attack vectors such as drop or document.cookie, but how do you know what query strings to block, except allow the ones you know and block everything else?

Has anyone got any feedback or links on best practice?

DomBat

1 Answer


OK, in the help it refers to the old UrlScan feature scenarios, but here is a link to the updated scenarios: Using Enhanced Request Filtering Features in IIS7

In a nutshell: you might only want to allow the URLs /login.aspx and /default.aspx; these would be put in the allow URL section.

Also, you might want to allow the query string Allow=true but disallow any query string that includes the sequence .. or ./

PersianGulf
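The rules the answer describes, written out as a web.config fragment. This is an added example, not part of the original answer or of Microsoft's documentation; it assumes IIS 7.5 or later (the enhanced Request Filtering elements covered by the linked article) and a site where /login.aspx, /default.aspx and the query string Allow=true are the known-good inputs named above. Everything else in the fragment (the size limits, the mirrored URL sequences) is an assumption added to make the example complete.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Assumed limits: overlong query strings and URLs are a common sign
             of injection payloads, so cap them before any other rule runs. -->
        <requestLimits maxQueryString="2048" maxUrl="4096" />

        <!-- The "allow URL" section from the answer: these two URLs are exempt
             from the deny rules in this element. -->
        <alwaysAllowedUrls>
          <add url="/login.aspx" />
          <add url="/default.aspx" />
        </alwaysAllowedUrls>

        <!-- The query string from the answer. A query string that matches an
             entry here is accepted even if it contains a denied sequence,
             so keep this list as short as possible. -->
        <alwaysAllowedQueryStrings>
          <add queryString="Allow=true" />
        </alwaysAllowedQueryStrings>

        <!-- The sequences the answer wants rejected in any other query string.
             IIS logs a denied request as 404 with substatus 18. -->
        <denyQueryStringSequences>
          <add sequence=".." />
          <add sequence="./" />
        </denyQueryStringSequences>

        <!-- Assumed: apply the same sequences to the URL path itself.
             A denied request is logged as 404 with substatus 5. -->
        <denyUrlSequences>
          <add sequence=".." />
          <add sequence="./" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Two points worth knowing before relying on this. First, the "always allowed" lists are exemptions from the deny rules, not an allow-list that rejects every other URL or query string; to block everything except a known set you need deny rules (or a filteringRules element) that cover the rest. Second, Request Filtering rejections show up in the IIS logs as 404 responses with the substatus codes noted in the comments, so tailing the log after a change is the quickest way to see what is actually being blocked and whether a legitimate query string (one that happens to contain ".." in a value, say) got caught.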