ASM blocked page redirect

Yozzer
Nimbostratus

When triggering an ASM signature we have a custom blocked page returned to the user, who is then redirected to another page on the web server so that their session cookie is invalidated.

Attackers can suppress this redirect to stop the session from ending.

Is it possible for ASM to direct a request to a page on the web server to end the session that doesn't go via the browser first? Or can an iRule be used instead?

Cheers

1 ACCEPTED SOLUTION

AlexBCT
MVP

I think via an iRule you should be able to do this with the SIDEBAND command (https://clouddocs.f5.com/api/irules/SIDEBAND.html): take the HTTP URL that you currently have included in the redirect page, and you should be able to use this in the iRule (no personal experience with this one, though).

Alternatively, are you familiar with ASM's Session Awareness functions? (Security ›› Application Security : Sessions and Logins : Session Tracking) You can enforce the session management on the ASM box rather than on the backend web server. Once enabled, you can also tell the F5 to block off particular sessions, IPs or usernames after X violations. Personally I prefer this option over session management on the backend server.


5 REPLIES

SanjayP
MVP

When F5 ASM sends the block page, it includes a Connection: close header by default. If it's not included, you can add it in the custom block page settings. Shouldn't that be enough to delete/invalidate session cookies? Maybe you can capture an HTTP trace and validate this behaviour.

Yozzer
Nimbostratus

Hi, thanks for responding.

Will see if that helps. The session will still remain on the web server unless the blocked request is forwarded with the session cookie to a page that invalidates sessions. Will investigate if ASM commands via an iRule will help.

Cheers

Yozzer
Nimbostratus

Thanks AlexBCT, you helped a lot. I went down the Sideband route and it works perfectly to an HTTP VIP. I need to work out how to send the request to an HTTPS VIP and which commands I need to add to handle the secure connection.
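As an added illustration of the sideband pattern AlexBCT suggests (this iRule is not from the thread or from F5): on an ASM block, the BIG-IP itself calls the application's session-invalidation URL with the client's session cookie, so the server-side session ends even if the client never follows the redirect on the blocking page. The cookie name JSESSIONID, the path /logout, the Host header app.example.com and the sideband destination 10.0.0.10:80 are placeholders to adapt.

```tcl
# Added example, not from the thread. Assumed placeholders:
#   session cookie name:   JSESSIONID
#   invalidation path:     /logout
#   sideband destination:  10.0.0.10:80 (an HTTP virtual server or pool
#                          member reachable from the BIG-IP; sideband
#                          needs an IP:port, not a hostname)
#   Host header expected:  app.example.com

when HTTP_REQUEST {
    # ASM_REQUEST_BLOCKING fires later, when the blocking page is about to
    # be sent, so capture the session cookie now in a connection variable.
    set sess_cookie ""
    if { [HTTP::cookie exists "JSESSIONID"] } {
        set sess_cookie [HTTP::cookie value "JSESSIONID"]
    }
}

when ASM_REQUEST_BLOCKING {
    # Nothing to invalidate if the blocked request carried no session.
    if { ![info exists sess_cookie] || $sess_cookie eq "" } { return }

    # connect returns an empty string on failure and fills the status var.
    set conn [connect -timeout 1000 -idle 5 -status conn_status 10.0.0.10:80]
    if { $conn eq "" } {
        # Log the failure but never the token itself.
        log local0.warn "sideband connect failed ($conn_status); session for [IP::client_addr] not invalidated"
        return
    }

    # Sideband is raw TCP, so build the HTTP request by hand.
    set req "GET /logout HTTP/1.1\r\n"
    append req "Host: app.example.com\r\n"
    append req "Cookie: JSESSIONID=${sess_cookie}\r\n"
    append req "Connection: close\r\n\r\n"

    send -timeout 1000 -status send_status $conn $req
    # Read enough for the status line so the outcome can be logged.
    set resp [recv -timeout 1000 -status recv_status 64 $conn]
    close $conn

    set status_line [lindex [split $resp "\r\n"] 0]
    log local0. "ASM block from [IP::client_addr]: invalidation request sent, app replied: $status_line"
}
```

The sideband connection is plain TCP, so for the HTTPS target Yozzer asks about the usual approach is to point it at an internal HTTP virtual server that carries a server SSL profile and re-encrypts toward the pool, rather than trying to speak TLS from the iRule.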

 

 

AlexBCT
MVP

Hi Yozzer,

Great to hear! A shoutout to @Jason Rahm for making me aware of the Sideband command in one of his "You want answers" videos 😉

If you can, it would be great if you could flag the question as Resolved/Answered so the thread can be closed and help others as well.