For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ghislain_Pellet's avatar
Ghislain_Pellet
Icon for Nimbostratus rankNimbostratus
Jan 11, 2017

Blocking Response Page seems to be blocked

We've set up a custom blocking response page on our site but it seems to be blocked when an illegal request is detected. The custom page is a contact form that, when filled by the client, enables us to contact him/her to solve the issue. The page is in the Allowed URLs list. The blocking response page is on the same server/domain as the monitored website.

 

The URI is something like https://mydomain.com/errorpage.php

 

Any idea on how to tell the F5 to NEVER BLOCK this URL?

 

ASM Advanced WAF
security

3 Replies

  • crodriguez's avatar
    crodriguez
    Ret. Employee
    Jan 12, 2017

    When a request is blocked by ASM, that happens before the connection is ever proxied to the back end server. You can configure a custom blocking response in ASM so that, when ASM does block a request, the client is redirected to a different location, such as your custom PHP form. See this article here: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/25.html

     

    Although it's for 11.5, you can check the equivalent on later releases.

     

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Jan 12, 2017

    Hi Ghislain,

    I'm using a layered approach for my violation pages.

    1. If an violation occours somewhare on the page, the request will be redirected to the landing page, with a query string appended containing an b64encoded SupportID (e.g. 
      /default.html?RequestID=[b64encode [ASM::support_id]]
      ).
    2. If a violation occours and a the RequestID parameter is present, the violation response will not trigger the HTTP-Redirect to the landing page again. Instead it will directly serve a HTTP Err403 response to the client that the request was blocked.

    This behavior gives us a good user experience (no explicit error messages), still allows easy troubleshootings (via embedded query string information) and implements a decent protection for redirect loops, which may occour if the redirected request to the error page would trigger a violation again (e.g. disallowed/misconfigured user-agents, etc.).

    Cheers, Kai

  • Abdessamad1's avatar
    Abdessamad1
    Icon for Cirrostratus rankCirrostratus
    Aug 31, 2018

    Another solution to this loop problem would be to remove all elements coming from the initial request that could cause the violation on the blocking response page. These could be in the Referer header or in the cookies.

    when HTTP_REQUEST {

    if { [HTTP::uri] starts_with "/my-blocking-response-page" }{
        if { [HTTP::header exists Referer] }{
            HTTP::header remove Referer
        }
        foreach cookiename [HTTP::cookie names] {
            switch -glob $cookiename {
                "a-cookie-I-want-to-keep-1" -
                "a-cookie-I-want-to-keep-2" {}
                default {
                    HTTP::cookie remove $cookiename
                }
            }
        }
    }
}