Manual Chapter :
Configuring What Happens if a Request is Blocked
Applies To:
Show VersionsBIG-IP ASM
- 16.0.1, 16.0.0, 15.1.0, 15.0.1, 15.0.0
Configuring What Happens if a Request is Blocked
Overview: Configuring what happens if a request is blocked
The Application Security Manager™ has a default blocking response page that
it returns to the client when the client request, or the web server response, is blocked by the
security policy. The system also has a login response page for login violations. You can change
the way the system responds to blocked logins or blocked requests.
The system issues response pages only when the enforcement mode is set to
Blocking
.A security policy can respond to blocked requests in these ways:
- Default response
- Custom response
- Redirect URL
- SOAP fault
- Erase Cookies
The system uses default pages in response to a blocked request or blocked login. If the default
pages are acceptable, you do not need to change them and they work automatically. However, if you
want to customize the response, or include XML or AJAX formatting in the blocking responses, you
need to enable the blocking behavior first. You enable XML blocking on the XML profile, AJAX
blocking on the AJAX response page, and Cookie Hijacking on the Session Tracking screen.
All default response pages contain a variable,
<%TS.request.ID()%>
, that
the system replaces with a support ID number when it issues the page. Customers can use the
support ID to identify the request when making inquiries. Configuring
responses to blocked requests
You can configure the blocking
response that the system sends to the user when the security policy blocks a
client request.
- On the Main tab, click.The Response Pages screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- On the Default Response Page tab, for theResponse Typesetting, select one of the following options.OptionSystem Response to Blocked RequestDefault ResponseThe system returns the system-supplied response page in HTML. No further configuration is needed.Custom ResponseThe system returns a response page with HTML code that you define.Redirect URLThe system redirects the user to a specified web page.SOAP FaultThe system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to selectUse XML Blocking Response Pageon the XML profile.Erase CookiesThe system deletes all client side domain cookies. As a result, the system blocks web application users once, and redirects them to the login page. Legitimate users can login and get new cookies. This feature is primarily for session hijacking.The settings on the screen change depending on the selection that you make for theResponse Typesetting.
- If you selected theCustom Responseoption, you can either modify the default text or upload an HTML file.To modify the default text:
- For theResponse Headerssetting, type the response header you want the system to send.
- For theResponse Bodysetting, type or paste the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
- ClickShowto see what the response will look like.
To upload a file containing the response:- In theResponse Body, for theUpload Filesetting,clickChoose Fileto specify an HTML file that contains the response you want to send to blocked requests.
- ClickUploadto upload the file into the response body.
- If you selected theRedirect URLoption, then in theRedirect URLfield, type the URL to which the system redirects the user, for example,http://www.myredirectpage.com.The URL should be for a page that is not within the web application itself.For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:http://www.myredirectpage.com/block_pg.php?support_id= <%TS.request.ID()%>The system replaces<%TS.request.ID%>with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
If the enforcement mode is blocking and
a request is blocked, the system displays the selected response page, erases
session cookies, or redirects the user to another URL depending on the
option you selected. If a request causes multiple violations and results in
more than one type of blocking page, only one will appear in this order:
- AJAX Response Page
- Cookie Hijacking Response Page
- XML Response Page
- Login Response Page
- Default Response Page
Configuring
responses to blocked logins
You can configure the blocking response that the
system sends to the user when the security policy blocks a client attempt to log in to
the application. This occurs when Application Security Manager mitigates brute force
login attacks.
- On the Main tab, click.The Response Pages screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- On the Default Response Page tab, for theResponse Typesetting, select one of the following options.OptionSystem Response to Blocked RequestDefault ResponseThe system returns the system-supplied response page in HTML. No further configuration is needed.Custom ResponseThe system returns a response page with HTML code that you define.Redirect URLThe system redirects the user to a specified web page.SOAP FaultThe system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to selectUse XML Blocking Response Pageon the XML profile.Erase CookiesThe system deletes all client side domain cookies. As a result, the system blocks web application users once, and redirects them to the login page. Legitimate users can login and get new cookies. This feature is primarily for session hijacking.The settings on the screen change depending on the selection that you make for theResponse Typesetting.
- If you selected theCustom Responseoption, you can either modify the default text or upload an HTML file.To modify the default text:
- For theResponse Headerssetting, type the response header you want the system to send.
- For theResponse Bodysetting, type or paste the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
- ClickShowto see what the response will look like.
To upload a file containing the response:- In theResponse Body, for theUpload Filesetting,clickChoose Fileto specify an HTML file that contains the response you want to send to blocked requests.
- ClickUploadto upload the file into the response body.
- If you selected theRedirect URLoption, then in theRedirect URLfield, type the URL to which the system redirects the user, for example,http://www.myredirectpage.com.The URL should be for a page that is not within the web application itself.For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:http://www.myredirectpage.com/block_pg.php?support_id= <%TS.request.ID()%>The system replaces<%TS.request.ID%>with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID.
- ClickSaveto save your settings.
- To put the security policy changes into effect immediately, clickApply Policy.
If a user violates one of the preconditions when requesting the target URL of a
configured login page, the system displays the selected response page or redirect URL
depending on the option you selected.
Customizing responses to blocked XML requests
You can configure the blocking response that the system sends to the user when the
security policy blocks a client request that contains XML content, which does not comply
with the settings of an XML profile in the security
policy.
If you want to use the default SOAP response (SOAP Fault), you only need
to enable XML blocking on the profile.
- On the Main tab, click.The Response Pages screen opens.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Click theXML Response Pagetab.
- For theResponse Typesetting, selectCustom Response.
- In theResponse Headersfield, type the response header you want the system to send.Paste the default response header to use the system response that you can then edit.
- In theResponse Bodyfield:
- If you want to specify the content to send the client in response to an illegal blocked request, type the text using XML syntax.
- To upload a file containing the XML response, specify an XML file and clickUploadto upload the file into the response body.
ClickShowto see what the response will look like. - ClickSaveto save your settings.
- Make sure that the XML profile the application is using has blocking enabled:
- On the Main tab, click.
- Click name of the XML profile used by the application.
- Make sure that theUse XML Blocking Response Pagecheck box is selected.
- ClickUpdate.
- To put the security policy changes into effect immediately, clickApply Policy.
Configuring the
blocking response for AJAX applications
Before you can complete this task, you need to have already created a security policy
for your web application. The application needs to have been developed using ASP.NET,
jQuery, Prototype, or MooTools to use AJAX blocking behavior.
When the enforcement mode of the security policy
is set to blocking and a request triggers a violation (that is set to block), the system
displays the AJAX blocking response according to the action set that you define. If a
login violation occurs when requesting the login URL, the system sends a login response
page, or redirects the user.
- On the Main tab, click.
- In theCurrent edited security policylist near the top of the screen, verify that the security policy shown is the one you want to work on.
- Click theAJAX Response Pagetab.
- Select theEnable AJAX blocking behavior (JavaScript injection)?check box.The system displays the default blocking response and login response actions for AJAX.
- For theDefault Response Page actionsetting, select the type of response you want the application user to receive when they are blocked from the application:
- Custom Responselets you specify HTML text or upload a file to use as a replacement for the frame or browser page that generated the AJAX request. Include the text, then clickShowto preview the response.
- Popup messagedisplays text in a popup window (default text is included).
- Redirect URLredirects the user to the URL you specify. You can also include the support ID. For example:http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>.
- For theLogin Page Response action, select the type of response (types are the same as for default response page in Step 5).
- ClickSave.
- To put the security policy changes into effect immediately, clickApply Policy.