
MSZ
May 17, 2016

Status Code 500

The WAF is blocking the request due to a 500 code (illegal HTTP status in Response).

Why is the WAF blocking requests, and how does the 500 code come about?

When a request is blocked by the WAF, does that mean it did not cross the WAF? As far as I know, a 500 code comes from an application crash.

Which thing in the user request gets the block message?

 

8 Replies

  • Hello,

    A 500 status code indicates that your web server had an error processing the request.

    ASM offloads those responses by default to avoid guessing issues. We don't want the full error stack to be displayed in the client browser. Information provided by servers sometimes helps attackers to target an attack.

    You can disable 500 status code offloading by removing this status code from the list of unallowed status codes on the main page of your security policy.

     

    • MSZ
      If the request is blocked at the WAF, then how does a response come from the server? Confusing.
    • Yann_Desmarest
      Hi, the setting we are talking about is one of those that do not block the request and just change the response, because ASM receives a 500 status code from the backend.
    • Yann_Desmarest
      I'm talking about the illegal HTTP status in Response violation that you grab in your ASM event logs.
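
The behaviour discussed in this thread, modelled as a small Python sketch added here for illustration (it is not F5 code and not from any poster): the request reaches the backend, and only the response is checked against a list of allowed status codes. The function names, the sample allow-list, the block page text and the constructed backend are all assumptions made for the example.

```python
import logging

# Assumption: sample allow-list for this sketch. Codes below 400 always pass;
# 4xx/5xx pass only when listed. 500 is deliberately absent.
ALLOWED_ERROR_CODES = {400, 401, 404}
BLOCK_PAGE = "Request rejected."  # placeholder generic page, no server details

log = logging.getLogger("waf_model")


def backend(path, calls):
    """Constructed backend: /crash fails and answers 500 with a stack trace."""
    calls.append(path)  # records that the request really reached the server
    if path == "/crash":
        return 500, "Traceback (most recent call last): ... (constructed)"
    return 200, "ok"


def response_status_allowed(status, allowed=ALLOWED_ERROR_CODES):
    """Response-side check: is this status code acceptable to send on?"""
    return status < 400 or status in allowed


def proxy(path, calls, allowed=ALLOWED_ERROR_CODES):
    """Forward the request, then inspect the response status on the way back."""
    status, body = backend(path, calls)  # the request has crossed the proxy
    if response_status_allowed(status, allowed):
        return status, body, None
    violation = "Illegal HTTP status in response"
    log.warning("%s: %s returned %d", violation, path, status)
    # Swap the backend's error body for a generic page so the trace is not
    # shown to the client (200 is this sketch's choice of status).
    return 200, BLOCK_PAGE, violation


if __name__ == "__main__":
    seen = []
    print(proxy("/crash", seen))  # generic page plus the violation name
    print(seen)                   # ['/crash']: the backend was reached
    # Adding 500 to the allowed codes lets the raw error through unchanged.
    print(proxy("/crash", seen, allowed=ALLOWED_ERROR_CODES | {500}))
```

The violation is raised by what the server sent back, so the thing to investigate is the application error behind the 500, not the content of the user's request.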