Forum Discussion
Enabling HTTP Check for specific URI
I can understand that disabling the Body in HEAD or GET check within the ASM policy would resolve the issue being experienced by the client without having to remove the URI from blocking altogether, but this request type is not normal behavior and is checked by the ASM policy to ensure nothing malicious is being added to the GET or HEAD request. Only POST should contain Body; therefore, by disabling this check you are opening yourself up to a vulnerability.
I would like to know people's opinions on this, particularly their thoughts on why we are seeing Body in GET or HEAD requests, i.e. how this is occurring, and also how people feel about turning off the check for this within the policy and the potential implications of this opening up the application to a possible attack.
Thanks
David
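
An added example, not part of the original post and not F5's own logic: before deciding whether to relax the check for one URI, it helps to see which clients and paths actually send GET or HEAD requests that declare a body. This Python sketch flags such requests in raw request captures, treating a non-zero Content-Length or any Transfer-Encoding header as the body signal; the sample requests, host, client names and URIs are constructed.

```python
from collections import Counter

BODYLESS = {"GET", "HEAD"}

def body_signal(raw: bytes):
    """Return (method, path, user_agent, reason) when a GET/HEAD request
    declares or carries a body, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in BODYLESS:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    reasons = []
    if "transfer-encoding" in headers:
        reasons.append("Transfer-Encoding: " + ",".join(headers["transfer-encoding"]))
    lengths = headers.get("content-length", [])
    if len(set(lengths)) > 1:
        reasons.append("conflicting Content-Length: " + ",".join(lengths))
    elif lengths and not (lengths[0].isascii() and lengths[0].isdigit()):
        reasons.append("malformed Content-Length: " + lengths[0])
    elif lengths and int(lengths[0]) > 0:
        reasons.append("Content-Length: " + lengths[0])
    if body and not reasons:
        reasons.append("undeclared body bytes: %d" % len(body))
    if not reasons:
        return None
    agent = headers.get("user-agent", ["-"])[0]
    return parts[0], parts[1].split("?", 1)[0], agent, "; ".join(reasons)

def triage(raw_requests):
    """Count findings per (method, path, user agent, reason), most frequent first."""
    findings = filter(None, map(body_signal, raw_requests))
    return Counter(findings).most_common()

# Constructed sample requests (hypothetical clients and URIs).
SEARCH = (b"GET /api/search?v=1 HTTP/1.1\r\nHost: app.example\r\n"
          b"User-Agent: ExampleClient/1.0\r\nContent-Length: 17\r\n\r\n"
          b'{"q":"test item"}')
PROBE = (b"HEAD /health HTTP/1.1\r\nHost: app.example\r\n"
         b"User-Agent: ExampleMonitor/2.0\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
PLAIN = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\nContent-Length: 0\r\n\r\n"
LOGIN = b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n\r\na=b"
SAMPLE = [SEARCH, PLAIN, PROBE, LOGIN, SEARCH]
```

Calling `triage(SAMPLE)` groups the flagged requests by client and path, which shows whether the bodies come from one known integration or from many unrelated sources.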