remove request content/body on ASM_REQUEST_VIOLATION

Question

Hi,&nbsp;
&nbsp;Our goal is to allow the webapplications to serve up blocking pages (this is due to pages varying based on location within the same webapp).&nbsp;
&nbsp;The only way we've currently been able to manipulate the  request appropriately is to place the WAF into passthrough mode and detect ASM violations.&nbsp;
&nbsp;As the request is passed through, the original request (which should have been blocked in the WAF was in blocking mode) is served to the underlying webapplications.&nbsp;
&nbsp;In order to limit security risks, we intend on cleansing the incoming request by removing headers, querystrings and submitted content.&nbsp;
&nbsp;The bellow iRule achieves most of this, but we have been unable to find a way to strip out the content/body of the incoming request.&nbsp;
&nbsp;Is there any way of stripping out this content?&nbsp;&nbsp;&nbsp;Basic sanitizing iRule&nbsp;
&nbsp;when ASM_REQUEST_VIOLATION {&nbsp;
&nbsp;   HTTP::header sanitize "host"
&nbsp;   HTTP::header insert "ASM-VIOLATION-ID [lindex [ASM::violation_data] 1]"
&nbsp;   HTTP::header replace "connection" "close"&nbsp;&nbsp;
&nbsp;   HTTP::uri [HTTP::path]&nbsp;
&nbsp;}

hoolio · Answer

You should be able to replace the payload with nothing using ASM::payload: 
&nbsp;  
&nbsp;  http://devcentral.f5.com/wiki/default.aspx/iRules/ASM__payload.html 
&nbsp; ASM::payload replace 0 [ASM::payload length] "" 
&nbsp;  
&nbsp; Also be aware that HTTP::header sanitize won't remove all headers--it leaves these: 
&nbsp;  
&nbsp; Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2, and Transfer-Encoding 
&nbsp;  
&nbsp;  
&nbsp; HTTP::header sanitize [header name]+ 
&nbsp;  
&nbsp;     * Removes all headers except the ones you specify and the following: Connection, Content-Encoding, Content-Length, Content-Type, Proxy-Connection, Set-Cookie, Set-Cookie2, and Transfer-Encoding. 
&nbsp;     * Note that the Host header (required by HTTP/1.1) is removed unless explicitly specified. 
&nbsp;     * This command can be used in the client-side or server-side context, depending on whether you want to sanitize request and/or response headers. 
&nbsp;     * If you are using the command in the server-side context, you may want to consider adding Location to the list of retained headers if your application requires they be sent to clients. 
&nbsp;     * If you are using the command in the client-side context, you may want to consider adding Cookie, Accept, and Accept-Encoding to the list of retained headers. 
&nbsp;  
&nbsp;  
&nbsp; Aaron

wscott_99092 · Answer

Thanks Aaron, 
&nbsp;  
&nbsp; I had tried HTTP::payload but that seemed to only be able to append stuff at the beginning of the request body/content. I had assumed ASM::payload was for manipulating the response data (which is seems to do in ASM_REQUEST_BLOCKING). 
&nbsp;  
&nbsp; I did have additional steps to remove some of the headers mentioned, but left it out to simplify the request.

Forum Discussion

remove request content/body on ASM_REQUEST_VIOLATION

2 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

irule execution error

F5 AWAF/ASM learning only from Trusted traffic?

OWA File Upload URIs for WAF Bypass

Curl 7.10.5 < 8.12.0 Integer Overflow (CVE-2025-0725)

Show or List F5 XC Routes in the Web

Related Content

HTTP Request Smuggling Using Chunk Extensions (CVE-2025-55315)

Logging DNS Requests

Using Client Subnet in DNS Requests

HTTP Request Throttle

Node.js HTTP Message Body: Transfer-Encoding and Content-Length in LineRate lrs/virtualServer Module

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS