For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ghislain_Pellet's avatar
Ghislain_Pellet
Icon for Nimbostratus rankNimbostratus
Jan 11, 2017

Blocking Response Page seems to be blocked

We've set up a custom blocking response page on our site but it seems to be blocked when an illegal request is detected. The custom page is a contact form that, when filled by the client, enables us ...
ASM Advanced WAF
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Jan 12, 2017

Hi Ghislain,

I'm using a layered approach for my violation pages.

  1. If an violation occours somewhare on the page, the request will be redirected to the landing page, with a query string appended containing an b64encoded SupportID (e.g. 
    /default.html?RequestID=[b64encode [ASM::support_id]]
    ).
  2. If a violation occours and a the RequestID parameter is present, the violation response will not trigger the HTTP-Redirect to the landing page again. Instead it will directly serve a HTTP Err403 response to the client that the request was blocked.

This behavior gives us a good user experience (no explicit error messages), still allows easy troubleshootings (via embedded query string information) and implements a decent protection for redirect loops, which may occour if the redirected request to the error page would trigger a violation again (e.g. disallowed/misconfigured user-agents, etc.).

Cheers, Kai