Forum Discussion

Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
May 25, 2016

Enable AJAX blocking behavior (JavaScript injection)?

Hi,

 

Does someone know exactly what kind of javascript is injected by this ASM feature and how it works exactly ?

 

Best Regards

 

Yann

 

ASM Advanced WAF
BIG-IP
security

2 Replies

  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    May 26, 2016

    Hello Yann, will have to dig into it. My guess so far is that ajax requests are not interactive with the end user most of the time, what i mean is you use it to retrieve content to be used by the pages locally. So an error page will not be displayed by the return of an ajax call. The feature seems to respond with a javascript which will be interpreted by the browser and lauching a popup with the error message.

     

  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 11, 2016

    Final results :

     

    Bug 1 : even if you disable AJAX response in your security policy, you get an AJAX response page as long as there is x-ts-ajax-request:true header present in the request.

     

    Bug 2 : The feature inject a javascript code within the site which works fine for all browsers except IE11. The browser refuse to execute the code for security reasons. After checking, it sounds that it's a bug on IE11, but Microsoft states in a blog post that only security issues will be fixed. After digging into the Internet Explorer configuration, this is working when we set Compatibility Mode to IE8 but most of modern websites fail in that case.