Manual Chapter : Configuring What Happens if a Request is Blocked

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0
Manual Chapter

Configuring What Happens if a Request is Blocked

Overview: Configuring what happens if a request is blocked

The Application Security Manager has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. The system also has a login response page for login violations. You can change the way the system responds to blocked logins or blocked requests.
The system issues response pages only when the enforcement mode is set to
Blocking
.
A security policy can respond to blocked requests in these ways:
  • Default response
  • Custom response
  • Redirect URL
  • SOAP fault
  • Erase Cookies
The system uses default pages in response to a blocked request or blocked login. If the default pages are acceptable, you do not need to change them and they work automatically. However, if you want to customize the response, or include XML or AJAX formatting in the blocking responses, you need to enable the blocking behavior first. You enable XML blocking on the XML profile, AJAX blocking on the AJAX response page, and Cookie Hijacking on the Session Tracking screen.
All default response pages contain a variable,
<%TS.request.ID()%>
, that the system replaces with a support ID number when it issues the page. Customers can use the support ID to identify the request when making inquiries.

Configuring responses to blocked requests

You can configure the blocking response that the system sends to the user when the security policy blocks a client request.
  1. On the Main tab, click
    Security
    Application Security
    Policy
    Response Pages
    .
    The Response Pages screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. On the Default Response Page tab, for the
    Response Type
    setting, select one of the following options.
    Option
    System Response to Blocked Request
    Default Response
    The system returns the system-supplied response page in HTML. No further configuration is needed.
    Custom Response
    The system returns a response page with HTML code that you define.
    Redirect URL
    The system redirects the user to a specified web page.
    SOAP Fault
    The system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to select
    Use XML Blocking Response Page
    on the XML profile.
    Erase Cookies
    The system deletes all client side domain cookies. As a result, the system blocks web application users once, and redirects them to the login page. Legitimate users can login and get new cookies. This feature is primarily for session hijacking.
    The settings on the screen change depending on the selection that you make for the
    Response Type
    setting.
  4. If you selected the
    Custom Response
    option, you can either modify the default text or upload an HTML file.
    To modify the default text:
    1. For the
      Response Headers
      setting, type the response header you want the system to send.
    2. For the
      Response Body
      setting, type or paste the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
    3. Click
      Show
      to see what the response will look like.
    To upload a file containing the response:
    1. In the
      Response Body
      , for the
      Upload File
      setting,click
      Choose File
      to specify an HTML file that contains the response you want to send to blocked requests.
    2. Click
      Upload
      to upload the file into the response body.
  5. If you selected the
    Redirect URL
    option, then in the
    Redirect URL
    field, type the URL to which the system redirects the user, for example,
    http://www.myredirectpage.com
    .
    The URL should be for a page that is not within the web application itself.
    For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:
    http://www.myredirectpage.com/block_pg.php?support_id= <%TS.request.ID()%>
    The system replaces
    <%TS.request.ID%>
    with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.
  6. Click
    Save
    to save your settings.
  7. To put the security policy changes into effect immediately, click
    Apply Policy
    .
If the enforcement mode is blocking and a request is blocked, the system displays the selected response page, erases session cookies, or redirects the user to another URL depending on the option you selected. If a request causes multiple violations and results in more than one type of blocking page, only one will appear in this order:
  • AJAX Response Page
  • Cookie Hijacking Response Page
  • XML Response Page
  • Login Response Page
  • Default Response Page

Configuring responses to blocked logins

You can configure the blocking response that the system sends to the user when the security policy blocks a client attempt to log in to the application. This occurs when Application Security Manager mitigates brute force login attacks.
  1. On the Main tab, click
    Security
    Application Security
    Policy
    Response Pages
    .
    The Response Pages screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. On the Default Response Page tab, for the
    Response Type
    setting, select one of the following options.
    Option
    System Response to Blocked Request
    Default Response
    The system returns the system-supplied response page in HTML. No further configuration is needed.
    Custom Response
    The system returns a response page with HTML code that you define.
    Redirect URL
    The system redirects the user to a specified web page.
    SOAP Fault
    The system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to select
    Use XML Blocking Response Page
    on the XML profile.
    Erase Cookies
    The system deletes all client side domain cookies. As a result, the system blocks web application users once, and redirects them to the login page. Legitimate users can login and get new cookies. This feature is primarily for session hijacking.
    The settings on the screen change depending on the selection that you make for the
    Response Type
    setting.
  4. If you selected the
    Custom Response
    option, you can either modify the default text or upload an HTML file.
    To modify the default text:
    1. For the
      Response Headers
      setting, type the response header you want the system to send.
    2. For the
      Response Body
      setting, type or paste the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
    3. Click
      Show
      to see what the response will look like.
    To upload a file containing the response:
    1. In the
      Response Body
      , for the
      Upload File
      setting,click
      Choose File
      to specify an HTML file that contains the response you want to send to blocked requests.
    2. Click
      Upload
      to upload the file into the response body.
  5. If you selected the
    Redirect URL
    option, then in the
    Redirect URL
    field, type the URL to which the system redirects the user, for example,
    http://www.myredirectpage.com
    .
    The URL should be for a page that is not within the web application itself.
    For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:
    http://www.myredirectpage.com/block_pg.php?support_id= <%TS.request.ID()%>
    The system replaces
    <%TS.request.ID%>
    with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.
  6. Click
    Save
    to save your settings.
  7. To put the security policy changes into effect immediately, click
    Apply Policy
    .
If a user violates one of the preconditions when requesting the target URL of a configured login page, the system displays the selected response page or redirect URL depending on the option you selected.

Customizing responses to blocked XML requests

You can configure the blocking response that the system sends to the user when the security policy blocks a client request that contains XML content, which does not comply with the settings of an XML profile in the security policy.
If you want to use the default SOAP response (SOAP Fault), you only need to enable XML blocking on the profile.
  1. On the Main tab, click
    Security
    Application Security
    Policy
    Response Pages
    .
    The Response Pages screen opens.
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click the
    XML Response Page
    tab.
  4. For the
    Response Type
    setting, select
    Custom Response
    .
  5. In the
    Response Headers
    field, type the response header you want the system to send.
    Paste the default response header to use the system response that you can then edit.
  6. In the
    Response Body
    field:
    • If you want to specify the content to send the client in response to an illegal blocked request, type the text using XML syntax.
    • To upload a file containing the XML response, specify an XML file and click
      Upload
      to upload the file into the response body.
    Click
    Show
    to see what the response will look like.
  7. Click
    Save
    to save your settings.
  8. Make sure that the XML profile the application is using has blocking enabled:
    1. On the Main tab, click
      Security
      Application Security
      Content Profiles
      XML Profiles
      .
    2. Click name of the XML profile used by the application.
    3. Make sure that the
      Use XML Blocking Response Page
      check box is selected.
    4. Click
      Update
      .
  9. To put the security policy changes into effect immediately, click
    Apply Policy
    .

Configuring the blocking response for AJAX applications

Before you can complete this task, you need to have already created a security policy for your web application. The application needs to have been developed using ASP.NET, jQuery, Prototype, or MooTools to use AJAX blocking behavior.
When the enforcement mode of the security policy is set to blocking and a request triggers a violation (that is set to block), the system displays the AJAX blocking response according to the action set that you define. If a login violation occurs when requesting the login URL, the system sends a login response page, or redirects the user.
  1. On the Main tab, click
    Security
    Application Security
    Policy
    Response Pages
    .
  2. In the
    Current edited security policy
    list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click the
    AJAX Response Page
    tab.
  4. Select the
    Enable AJAX blocking behavior (JavaScript injection)?
    check box.
    The system displays the default blocking response and login response actions for AJAX.
  5. For the
    Default Response Page action
    setting, select the type of response you want the application user to receive when they are blocked from the application:
    • Custom Response
      lets you specify HTML text or upload a file to use as a replacement for the frame or browser page that generated the AJAX request. Include the text, then click
      Show
      to preview the response.
    • Popup message
      displays text in a popup window (default text is included).
    • Redirect URL
      redirects the user to the URL you specify. You can also include the support ID. For example:
      http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>
      .
  6. For the
    Login Page Response action
    , select the type of response (types are the same as for default response page in Step 5).
  7. Click
    Save
    .
  8. To put the security policy changes into effect immediately, click
    Apply Policy
    .