Forum Discussion

James_Betts_290's avatar
James_Betts_290
Icon for Cirrus rankCirrus
Oct 19, 2016

ASM issue, need to return HTTP 500 to client in certain cases

I've written a script that captures the "Content-Type" header from requests. In the event that ASM blocks the request, I need to respond to the client with one of three types of responses (I'm using ...
ASM Advanced WAF
asm_request_blocking
iRules
JSON
security
  • James_Betts_290's avatar
    James_Betts_290
    Oct 19, 2016

    This is not pretty but it works for the problem I had:

     

     Note:
 1. You must enable ASM events for the policy that you intend to invoke this with.
 2. Make a custom blocking response page that is nothing but spaces and CR/LF
    that is as large as the iFile that you will be putting in ASM::payload.
 3. In your iFile, use a "$" character where you want the ASM::support_ID to show

when HTTP_REQUEST {
    set CT [string tolower [HTTP::header Content-Type]]
   log local0. "ASM-R-H: Content: $CT"
}

when ASM_REQUEST_BLOCKING {
   log local0. "ASM-R-H: Blocking Content: $CT"
if the application type isn't SOAP then show the generic error
    if { ([string first $CT "application/soap"] < 0) && ([string first $CT "text/xml"] < 0) } {
        log local0. "ASM-R-H: HTML blocking [ASM::support_id]"
        ASM::payload replace 0 0 [string map "$ [ASM::support_id]" [ifile get "/Common/HTML-Error-Page"]]
        return
    }

handle SOAP errors
   log local0. "ASM-R-H: XML blocking [ASM::support_id]"
    ASM::payload replace 0 0 [string map "$ [ASM::support_id]" [ifile get "/Common/SOAP-Error-Response"]]
    return
}

when ASM_REQUEST_DONE {
    if { not (([ASM::status] equals "blocked") || ([ASM::status] equals "alarmed")) } { return }
    if { ([string first $CT "application/json"] < 0) && ([string first $CT "application/javascript"] < 0) } { return }
    ASM::unblock
   log local0. "ASM-R-H: alarm status [ASM::status]"
    set JSONProblem [ASM::support_id]
}

when HTTP_RESPONSE {
    if { $JSONProblem == "" } { return }
   log local0. "ASM-R-H: alarm status $JSONProblem"
    HTTP::respond 500 content "Support ID $JSONProblem"
}

     

gowenfawr's avatar
gowenfawr
Icon for Nimbostratus rankNimbostratus
Oct 19, 2016

First of all, both your cases 1 and 2 can be checked in HTTP_REQUEST, where you could use an HTTP::respond 200 or an HTTP::respond 500 however you wished. But let's presume that you meant something about Content-Type: application/json is triggering the ASM and you'd like to generate that 500 response as per the ASM being triggered.

As you've found, you cannot initiate an HTTP::respond from within whichever ASM event you're using (e.g., ASM_REQUEST_BLOCKING). Instead, while you're in the ASM event set a variable and then hook the HTTP_RESPONSE_RELEASE event to modify the response that's going out to the client.

For example:

 

when HTTP_REQUEST {
    set asm_disliked_content_type 0
}

when ASM_REQUEST_BLOCKING {
    set asm_info [ASM::violation_data]
    if {[string first {VIOLATION_CONTENT_TYPE} [lindex $asm_info 0]] != -1} {
        set asm_disliked_content_type 1
    }
}

when HTTP_RESPONSE_RELEASE {
    if {$asm_disliked_content_type == 1} {
        HTTP::respond 500 content "Buzz Off"
        event disable all
        return
    }
}

 

Note that I made up VIOLATION_CONTENT_TYPE so this code won't work without adjustment... But the point is to show how you can use variables to maintain state from one event to another.