Applies To:Show Versions
Application security for applications that use AJAX
Application Security Manager™ can protect AJAX applications including those that use JSON or XML for data transfer between the client and the server. If the AJAX application uses XML for data transfer, the security policy requires that an XML profile be associated with a URL or parameter. If the AJAX application uses JSON for data transfer, the security policy requires that a JSON profile be associated with a URL or parameter. If the AJAX application uses HTTP for data transfer, no profile is needed.
Some web applications use AJAX authentications that submit the login form as an AJAX POST request, with the login details and response in JSON format. If so, you can create a login page with an authentication type of JSON/AJAX Request to protect against brute force attacks. You can use this login URL when configuring session awareness or login enforcement.
You can also set up AJAX blocking response behavior for applications so that if a violation occurs during AJAX-generated traffic, the system displays a message or redirects the application user to another location.
Overview: Creating a security policy for applications that use AJAX
Creating a simple security policy
On the Main tab, click
.The Policies List screen opens.
Click Create New Policy.
You only see this button when no policy is selected.
- In the Policy Name field, type a name for the policy.
- Leave Policy Type, set to Security.
- For Policy Template, select Fundamental.
For Virtual Server, click Configure new
virtual server to specify where to direct application
- For What type of protocol does your application use?, select HTTP, HTTPS, or both.
- In the Virtual Server Name field, type a unique name.
In the HTTP Virtual Server Destination field,
type the address in IPv4 (10.0.0.1) or IPv6
(2001:ed8:77b5:2:10:10:100:42/64) format, and
specify the service port.
Tip: If you want multiple IP addresses to be directed here, use the Network setting.
- In the HTTP Pool Member setting, specify the addresses of the back-end application servers.
- From the Logging Profile list, select a profile such as Log illegal requests to determine which events are logged on the system.
In the upper right corner, click Advanced.
You can use default values for the Advanced settings but it's a good idea to take a look at them.
- If you selected
Comprehensive for the Policy
Template, Learning Mode is set to
Automatic and Enforcement
Mode is set to Blocking.Tip: If you need to change these values, set application language to a value other than Auto detect.
- If you know the Application Language, select it or use Unicode (utf-8).
- To add specific protections (enforcing additional attack signatures) to the policy, for Server Technologies, select the technologies that apply to the back-end application servers.
- You can configure trusted IP addresses that you want the security policy to consider safe.
- If you selected Fundamental or Comprehensive for the Policy Template, Learning Mode is set to Automatic and Enforcement Mode is set to Blocking.
- Click Create Policy to create the security policy.
The system examines the traffic to the web application making suggestions for more specifically building the security policy. The Policy Builder selectively learns new entities like file types, parameters, and cookies used in requests to the application. When ASM processes sufficient traffic, it automatically adds the entities to the security policy, and enforces them.
The system applies a basic set of attack signatures to the security policy and puts them in staging (by default, for 7 days). If you specified server technologies, additional attack signatures are included. ASM reports common attacks discovered by comparison to the signatures but does not block these attacks until the staging period is over and they are enforced. That gives you a chance to be sure that these are actual attacks and not legitimate requests.
The Real Traffic Policy Builder® creates a security policy that can protect applications that use AJAX with JSON or XML for data transfer between the client and the server. The system examines the traffic and creates an appropriate profile. If the application uses XML, the security policy includes one or more XML profiles associated with URLs or parameters. If the application uses JSON, the security policy includes one or more JSON profiles associated with URLs or parameters.
Overview: Adding AJAX blocking and login response behavior
- Microsoft® ASP.NET
By default, if you enable AJAX blocking behavior, when an AJAX request results in a violation that is set to Block, Application Security Manager performs the default AJAX response page action. The system presents a login response if the application user sends an AJAX request that attempts to directly access a URL that should only be accessed after logging in.
Configuring the blocking response for AJAX applications
- On the Main tab, click .
- In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
- Click the AJAX Response Page tab.
injection)? check box.
The system displays the default blocking response and login response actions for AJAX.
For the Default Response Page action setting, select the
type of response you want the application user to receive when they are blocked
from the application:
- Custom Response lets you specify HTML text or upload a file to use as a replacement for the frame or browser page that generated the AJAX request. Include the text, then click Show to preview the response.
- Popup message displays text in a popup window (default text is included).
- Redirect URL redirects the user to the URL you specify. You can also include the support ID. For example: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>.
- For the Login Page Response action, select the type of response (types are the same as for default response page in Step 5).
- Click Save.
- To put the security policy changes into effect immediately, click Apply Policy.