Forum Discussion

THE_BLUE
Oct 02, 2023

Response and blocking page

I need to customize the blocking page by adding the name of the block. Not all violations, only those the user can understand, for example if there is a meta character in a value, and so on. This will help us a lot, so the client will know the reason for the block and can fix it immediately, for example by not using such characters in the value.

How do I achieve this?

  • Hi THE_BLUE , 

    I believe that you can do that, but with a complex iRule that returns the violation name each time and replies back with the proper HTML response page for that violation.
    Look at this: https://clouddocs.f5.com/api/irules/ASM__violation.html

    But I find that complex and rather weird. What if an attacker tries to perform a simple attack on your website? He will know why he is blocked, and this will easily give him useful information about your application; then I think he will be able to compromise you.

    It really doesn't make sense to do such a solution; that's my opinion.

  • Hi THE_BLUE,

    You can use this iRule; it's pretty verbose. And I totally agree with Mohamed_Ahmed_Kansoh, you will give valuable information to any potential attacker.

    when ASM_REQUEST_BLOCKING {
        # ASM::violation_data returns a 7-element list:
        # violation, support_id, web_application, severity, source_ip, attack_type, request_status
        set x [ASM::violation_data]
        # marker bit so HTTP_RESPONSE_RELEASE knows this response is a blocking page
        set activeViolation 1

        for {set i 0} { $i < 7 } {incr i} {
            switch $i {
                0 { set violation "violation=[lindex $x $i]" }
                1 { set support_id "support_id=[lindex $x $i]" }
                2 { set web_application "web_application=[lindex $x $i]" }
                3 { set severity "severity=[lindex $x $i]" }
                4 { set source_ip "source_ip=[lindex $x $i]" }
                5 { set attack_type "attack_type=[lindex $x $i]" }
                6 { set request_status "request_status=[lindex $x $i]" }
            }
        }

        set response "<html><head><title>Request Rejected</title></head>\
        <body>The requested URL was rejected. Please consult with your administrator.<br><br>\
        Your support ID is: $support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>\
        Your $violation<br>\
        Your $web_application<br>\
        Your $severity<br>\
        Your $source_ip<br>\
        Your $attack_type<br>\
        Your $request_status<br></body></html>"

        # drop the default blocking page body and replace it with ours
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response
    }

    when HTTP_RESPONSE_RELEASE {
        # catch the error if the variable does not exist (no previous ASM_REQUEST_BLOCKING event)
        catch {
            # do this only if the previous event was ASM_REQUEST_BLOCKING
            if { $activeViolation } {
                # modify response headers; Content-Length no longer matches the replaced body
                HTTP::header remove Content-Length
                HTTP::header insert header_1 value_1
                # reset the marker so later responses on a keep-alive connection are untouched
                set activeViolation 0
            }
        }
    }

    You could/should add an if-clause to execute this iRule only for RFC1918 IP addresses. For example:

    if { [class match [IP::client_addr] equals private_net] } { do this stuff }

    And you should do a performance test of this iRule. I actually never did that 🤔

    KR
    Daniel
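The logic of the iRule above, combined with the two caveats raised in the thread (only reveal the reason to RFC1918 clients, and only for violations the user can actually fix), as an added Python model that is not part of the original post and not F5 code. It assumes the 7-field layout of ASM::violation_data described in the iRule; the violation names in USER_ACTIONABLE and the sample data are constructed placeholders, not F5's real violation strings:

```python
import ipaddress
from html import escape

# RFC1918 ranges, standing in for the "private_net" data group used in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allowlist (placeholder names, not F5's own violation strings):
# only violations a user can act on are explained, and only with a generic hint,
# never the raw violation name or the attack type.
USER_ACTIONABLE = {
    "ILLEGAL_META_CHARACTER_IN_VALUE": "A parameter value contains a character that is not allowed.",
    "ILLEGAL_PARAMETER_VALUE_LENGTH": "A parameter value is longer than allowed.",
}

FIELDS = ("violation", "support_id", "web_application", "severity",
          "source_ip", "attack_type", "request_status")


def parse_violation_data(data):
    """Map the 7-element list (as returned by ASM::violation_data in the iRule) to field names."""
    if len(data) < len(FIELDS):
        raise ValueError("expected %d fields from violation data" % len(FIELDS))
    return dict(zip(FIELDS, data))


def is_rfc1918(ip):
    """True only for IPv4 addresses inside the three RFC1918 networks."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def actionable_hints(violation_field):
    """Return hints for user-fixable violations; tolerates a comma-separated list of names."""
    names = [n.strip() for n in violation_field.split(",") if n.strip()]
    return [USER_ACTIONABLE[n] for n in names if n in USER_ACTIONABLE]


def blocking_page(data, client_ip):
    """Build the blocking page: support ID for everyone, a reason only for internal clients."""
    v = parse_violation_data(data)
    parts = [
        "<html><head><title>Request Rejected</title></head><body>",
        "The requested URL was rejected. Please consult with your administrator.<br><br>",
        # escape: the support ID is attacker-influenced data placed into HTML
        "Your support ID is: %s<br><br>" % escape(v["support_id"]),
    ]
    if is_rfc1918(client_ip):
        for hint in actionable_hints(v["violation"]):
            parts.append("Reason: %s<br>" % escape(hint))
    parts.append("</body></html>")
    return "".join(parts)


if __name__ == "__main__":
    # constructed sample, not real ASM output
    sample = ["ILLEGAL_META_CHARACTER_IN_VALUE", "1234567890", "app1", "4",
              "10.1.2.3", "Abuse of Functionality", "blocked"]
    print(blocking_page(sample, "10.1.2.3"))
    print(blocking_page(sample, "203.0.113.5"))
```

The external client always gets the same generic page plus the support ID, which an administrator can still correlate with the full violation in the ASM event log; the detailed fields (severity, attack type, web application) are never written into the response at all.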
