Forum Discussion
NimbostratusEnabling HTTP CHeck for specific URI
HI All,
I am trying to disable HTTP check (Body in GET or HEAD requests) for specific URI. Is there a way I can disable in ASM for only one URI.
Thanks.
Yes, you can disable ASM for a specific URI by using a LTM policy. For example:
In the LTM policy, add a rule with condition :
HTTP Uri path starts with /somethingand with action
disable ASM
youssef1Cumulonimbus
Hello,
Hope to understand your need!!!
you want something like that:
when HTTP_REQUEST { set method [string tolower [HTTP::method]] set [HTTP::uri] if { $uri starts_with "/blabla"} { switch $method { "get" - "head" { ASM::disable } default { don't do anything... } } } }- canttalkeating
Altocumulus
I can understand that disabling the Body in HEAD or GET check within the ASM policy would resolve the issue being experienced by the client without having to remove the URI from blocking all together but this request type is not normal behavior and is checked by the ASM policy to ensure nothing malicious is being added to the GET or HEAD request. Only POST should contain Body therefore by disabling this check you are opening yourself up to a vulnerability.
I would like to know peoples opinions on this, particulary their thoughts on why we are seeing Body in GET or HEAD requests i.e. how this is occurring and also how people feel about turning off check for this within the policy and the potential implications of this opening up the application to a possible attack.
Thanks
David
