F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Arthur_7109's avatar
Arthur_7109
Icon for Nimbostratus rankNimbostratus
Jan 04, 2011

The Blocking Reponse Page is blocked and looping :-)

Hi there,   On our ASM, for the Blocking Reponse Page, we use a redirect to a page on the application server:     So the browser is requesting   https://the.server/path-to/blocking-pag...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jan 04, 2011
Hey Sam,

 

 

The downside to using an HTTP class with filters to selectively disable ASM is that TMM doesn't do any URL normalization. So if an attacker knew you were bypassing ASM for /path/to/blocking.page*, they could use a URI like /path/to/blocking.page/../../../attack.exe to get to /attack.exe without going through ASM.

 

 

That's why I really like Arthur's idea of sending an HTTP response from an iRule in the ASM_REQUEST_VIOLATION event when the URI is the blocking page. It's lighter weight than the sanitization iRule for 9.x ASM and still provides good security.

 

 

Aaron