Forum Discussion
hooleylist
Jan 04, 2011 | Cirrostratus
Hey Sam,
The downside to using an HTTP class with filters to selectively disable ASM is that TMM doesn't do any URL normalization. So if an attacker knew you were bypassing ASM for /path/to/blocking.page*, they could use a URI like /path/to/blocking.page/../../../attack.exe to get to /attack.exe without going through ASM.
That's why I really like Arthur's idea of sending an HTTP response from an iRule in the ASM_REQUEST_VIOLATION event when the URI is the blocking page. It's lighter weight than the sanitization iRule for 9.x ASM and still provides good security.
Aaron
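The prefix-match gap described in the post above, shown as an added example that is not part of the original post. It is a Python stand-in, not iRule or TMM code; the function names and sample URIs are constructed for illustration. It compares a bypass filter evaluated on the raw URI with the same filter evaluated after normalization, and flags requests where the two disagree.

```python
import posixpath
from urllib.parse import unquote

BYPASS_PREFIX = "/path/to/blocking.page"  # the bypassed path from the post

def raw_match(uri: str) -> bool:
    """Prefix test on the URI exactly as received (no normalization)."""
    return uri.startswith(BYPASS_PREFIX)

def normalize_path(uri: str, max_rounds: int = 3) -> str:
    """Return the path the URI resolves to once decoded and collapsed."""
    path = uri.split("?", 1)[0].split("#", 1)[0]   # drop query and fragment
    for _ in range(max_rounds):                    # bounded: catches double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")                 # treat backslashes as separators
    # normpath collapses "//", "." and ".." and never climbs above "/".
    return "/" + posixpath.normpath("/" + path).lstrip("/")

def normalized_match(uri: str) -> bool:
    """Same prefix test, applied only after normalization."""
    return normalize_path(uri).startswith(BYPASS_PREFIX)

def find_bypass_attempts(uris):
    """URIs that pass the raw filter but resolve somewhere else."""
    return [u for u in uris if raw_match(u) and not normalized_match(u)]

# Constructed sample requests (not taken from real traffic).
SAMPLE_URIS = [
    "/path/to/blocking.page",
    "/path/to/blocking.page?id=123",
    "/path/to/blocking.page/../../../attack.exe",
    "/path/to/blocking.page/%2e%2e/%2e%2e/%2e%2e/attack.exe",
    "/path/to/blocking.page/%252e%252e/%252e%252e/%252e%252e/attack.exe",
    "/index.html",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri!r:75} raw={raw_match(uri)!s:5} "
              f"normalized={normalized_match(uri)!s:5} -> {normalize_path(uri)}")
    print("flagged:", find_bypass_attempts(SAMPLE_URIS))
```

Running the same comparison over access logs is a quick way to spot requests that relied on an unnormalized bypass rule.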