Manual Chapter : Configuring What Happens if a Request is Blocked

Applies To:

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Overview: Configuring what happens if a request is blocked

The Application Security Manager™ has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. The system also has a login response page for login violations. You can change the way the system responds to blocked logins or blocked requests.

Note: The system issues response pages only when the enforcement mode is set to Blocking.

A security policy can respond to blocked requests in these ways:

  • Default response
  • Custom response
  • Redirect URL
  • SOAP fault
  • Erase Cookies

The system uses default pages in response to a blocked request or blocked login. If the default pages are acceptable, you do not need to change them and they work automatically. However, if you want to customize the response, or include XML or AJAX formatting in the blocking responses, you need to enable the blocking behavior first. You enable XML blocking on the XML profile, AJAX blocking on the AJAX response page, and Cookie Hijacking on the Session Tracking screen.

All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. Customers can use the support ID to identify the request when making inquiries.

Configuring responses to blocked requests

You can configure the blocking response that the system sends to the user when the security policy blocks a client request.
  1. On the Main tab, click Security > Application Security > Policy > Response Pages.
    The Response Pages screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. On the Default Response Page tab, for the Response Type setting, select one of the following options.
    Option: System Response to Blocked Request
    • Default Response: The system returns the system-supplied response page in HTML. No further configuration is needed.
    • Custom Response: The system returns a response page with HTML code that you define.
    • Redirect URL: The system redirects the user to a specified web page.
    • SOAP Fault: The system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to select Use XML Blocking Response Page on the XML profile.
    • Erase Cookies: The system deletes all client-side domain cookies. As a result, the system blocks web application users once and redirects them to the login page. Legitimate users can log in and get new cookies. This feature is intended primarily for responding to session hijacking.

    The settings on the screen change depending on the selection that you make for the Response Type setting.
  4. If you selected the Custom Response option, you can either modify the default text or upload an HTML file.
    To modify the default text:
    1. For the Response Headers setting, type the response header you want the system to send.
    2. For the Response Body setting, type or paste the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
    3. Click Show to see what the response will look like.
    To upload a file containing the response:
    1. In the Response Body, for the Upload File setting, click Choose File to specify an HTML file that contains the response you want to send to blocked requests.
    2. Click Upload to upload the file into the response body.
  5. If you selected the Redirect URL option, then in the Redirect URL field, type the URL to which the system redirects the user, for example, http://www.myredirectpage.com.
    The URL should be for a page that is not within the web application itself.
    For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:
    http://www.myredirectpage.com/block_pg.php?support_id=<%TS.request.ID()%>
    The system replaces <%TS.request.ID()%> with the relevant support ID, so the blocked request is redirected to the URL carrying that support ID.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
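As an added illustration (not part of the F5 documentation), the following Python sketch shows the substitution the system performs on the <%TS.request.ID()%> variable in a custom response and in a redirect URL, and how the redirect target page (a hypothetical stand-in for block_pg.php) should treat the support_id query parameter as untrusted input. The sample headers and body are constructed here, not F5's default response text, and the support ID format check is an assumption.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# The variable the system replaces with the support ID when it issues a response page.
SUPPORT_ID_VAR = "<%TS.request.ID()%>"

# Constructed sample of a Custom Response (headers and HTML body); not F5's default text.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\nContent-Type: text/html"
SAMPLE_BODY = (
    "<html><body><p>The requested URL was rejected. "
    "Please consult with your administrator.</p>"
    f"<p>Your support ID is: {SUPPORT_ID_VAR}</p></body></html>"
)

# Assumption: support IDs are plain decimal numbers; only such values are accepted on the landing page.
SUPPORT_ID_RE = re.compile(r"^\d{1,24}$")


def render_response(headers: str, body: str, support_id: str) -> str:
    """Mimic what the system does when it issues the page: substitute the support ID variable."""
    raw = headers.rstrip("\r\n") + "\r\n\r\n" + body
    return raw.replace(SUPPORT_ID_VAR, support_id)


def build_redirect(base_url: str, support_id: str) -> str:
    """Redirect URL in the documented form, after the support ID has been substituted."""
    return base_url + "?" + urlencode({"support_id": support_id})


def landing_page(redirect_url: str) -> str:
    """What the redirect target (hypothetical block_pg.php) should do with the query string:
    treat support_id as untrusted, accept digits only, and HTML-escape it before echoing."""
    params = parse_qs(urlsplit(redirect_url).query)
    sid = params.get("support_id", [""])[0]
    if not SUPPORT_ID_RE.fullmatch(sid):
        sid = "unavailable"
    return f"<p>Your support ID is: {html.escape(sid)}</p>"
```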
If the enforcement mode is blocking and a request is blocked, the system displays the selected response page, erases session cookies, or redirects the user to another URL, depending on the option you selected. If a request causes multiple violations that would result in more than one type of blocking page, only one page is sent, chosen in this order of precedence:
  • AJAX Response Page
  • Cookie Hijacking Response Page
  • XML Response Page
  • Login Response Page
  • Default Response Page

Configuring responses to blocked logins

You can configure the blocking response that the system sends to the user when the security policy blocks a client attempt to log in to the application. This occurs when Application Security Manager™ mitigates brute force login attacks.
  1. On the Main tab, click Security > Application Security > Policy > Response Pages.
    The Response Pages screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. On the Default Response Page tab, for the Response Type setting, select one of the following options.
    Option: System Response to Blocked Request
    • Default Response: The system returns the system-supplied response page in HTML. No further configuration is needed.
    • Custom Response: The system returns a response page with HTML code that you define.
    • Redirect URL: The system redirects the user to a specified web page.
    • SOAP Fault: The system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to select Use XML Blocking Response Page on the XML profile.
    • Erase Cookies: The system deletes all client-side domain cookies. As a result, the system blocks web application users once and redirects them to the login page. Legitimate users can log in and get new cookies. This feature is intended primarily for responding to session hijacking.

    The settings on the screen change depending on the selection that you make for the Response Type setting.
  4. If you selected the Custom Response option, you can either modify the default text or upload an HTML file.
    To modify the default text:
    1. For the Response Headers setting, type the response header you want the system to send.
    2. For the Response Body setting, type or paste the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
    3. Click Show to see what the response will look like.
    To upload a file containing the response:
    1. In the Response Body, for the Upload File setting, click Choose File to specify an HTML file that contains the response you want to send to blocked requests.
    2. Click Upload to upload the file into the response body.
  5. If you selected the Redirect URL option, then in the Redirect URL field, type the URL to which the system redirects the user, for example, http://www.myredirectpage.com.
    The URL should be for a page that is not within the web application itself.
    For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:
    http://www.myredirectpage.com/block_pg.php?support_id=<%TS.request.ID()%>
    The system replaces <%TS.request.ID()%> with the relevant support ID, so the blocked request is redirected to the URL carrying that support ID.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
If a user violates one of the preconditions when requesting the target URL of a configured login page, the system displays the selected response page or redirect URL depending on the option you selected.

Customizing responses to blocked XML requests

You can configure the blocking response that the system sends to the user when the security policy blocks a client request containing XML content that does not comply with the settings of an XML profile in the security policy.
Note: If you want to use the default SOAP response (SOAP Fault), you only need to enable XML blocking on the profile.
  1. On the Main tab, click Security > Application Security > Policy > Response Pages.
    The Response Pages screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click the XML Response Page tab.
  4. For the Response Type setting, select Custom Response.
  5. In the Response Headers field, type the response header you want the system to send.
    Tip: Paste the default response header to use the system response that you can then edit.
  6. In the Response Body field:
    • If you want to specify the content to send the client in response to an illegal blocked request, type the text using XML syntax.
    • To upload a file containing the XML response, specify an XML file and click Upload to upload the file into the response body.
    Click Show to see what the response will look like.
  7. Click Save to save your settings.
  8. Make sure that the XML profile the application is using has blocking enabled:
    1. On the Main tab, click Security > Application Security > Content Profiles > XML Profiles.
    2. Click the name of the XML profile used by the application.
    3. Make sure that the Use XML Blocking Response Page check box is selected.
    4. Click Update.
  9. To put the security policy changes into effect immediately, click Apply Policy.

Configuring the blocking response for AJAX applications

Before you can complete this task, you need to have already created a security policy for your web application. The application needs to have been developed using ASP.NET, jQuery, Prototype®, or MooTools to use AJAX blocking behavior.
When the enforcement mode of the security policy is set to blocking and a request triggers a violation (that is set to block), the system displays the AJAX blocking response according to the action set that you define. If a login violation occurs when requesting the login URL, the system sends a login response page, or redirects the user.
  1. On the Main tab, click Security > Application Security > Policy > Response Pages.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click the AJAX Response Page tab.
  4. Select the Enable AJAX blocking behavior (JavaScript injection)? check box.
    The system displays the default blocking response and login response actions for AJAX.
  5. For the Default Response Page action setting, select the type of response you want the application user to receive when they are blocked from the application:
    • Custom Response lets you specify HTML text or upload a file to use as a replacement for the frame or browser page that generated the AJAX request. Include the text, then click Show to preview the response.
    • Popup message displays text in a popup window (default text is included).
    • Redirect URL redirects the user to the URL you specify. You can also include the support ID. For example: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>.
  6. For the Login Page Response action, select the type of response (types are the same as for default response page in Step 5).
  7. Click Save.
  8. To put the security policy changes into effect immediately, click Apply Policy.