Forum Discussion

Portallion_1480 (Nimbostratus)
Sep 11, 2017

Issue Getting JSON Response Page to Present on ASM Block

Running 12.1.2 HF1 - ASM is configured to present a block response page when illegal requests are detected for a web application. I verified in the logs that illegal requests are being detected and dropped, but the response page doesn't display. The form triggering this illegal request uses a JavaScript API (similar to toastr) which expects a response in JSON, but when the block page is returned as HTML nothing is displayed.

When configuring the response page in JSON format, still nothing gets displayed. The application seems to be sending the data of an error and we need to somehow intercept this and manipulate it. As of now, when the response is given it just returns a blank window with no text.

As another workaround, we were thinking of leveraging a URL redirect to direct users to a custom block page, but this framework requires jQuery/.NET, which is not used by the web application.

I have searched DevCentral about this issue and pieced together a few attempts; the syntax gets accepted but the block page still doesn't display.

when HTTP_REQUEST {
    # Remember whether the client sent a JSON request body; used in ASM_REQUEST_BLOCKING
    set json_content 0
    if { [HTTP::header "Content-Type"] contains "json" } {
        set json_content 1
    }
}

when ASM_REQUEST_BLOCKING {
    if { $json_content } {
        if { [ASM::status] contains "block" } {
            # No ASM::unblock here: it would forward the request instead of blocking it,
            # so the rewritten block page below would never be sent.
            HTTP::header remove Content-Length
            # Tell the client-side framework that the block page is JSON
            HTTP::header replace Content-Type "application/json"

            set response "{ \"glossary\": { \"title\": \"example glossary\", \"GlossDiv\": { \"title\": \"S\", \"GlossList\": { \"GlossEntry\": { \"ID\": \"SGML\", \"SortAs\": \"SGML\", \"GlossTerm\": \"Standard Generalized Markup Language\", \"Acronym\": \"SGML\", \"Abbrev\": \"ISO 8879:1986\", \"GlossDef\": { \"para\": \"The requested operation was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>\", \"GlossSeeAlso\": \[\"GML\", \"XML\"\] }, \"GlossSee\": \"markup\" } } } } }"

            # Replace the default HTML block page body with the JSON document
            ASM::payload replace 0 [ASM::payload length] ""
            ASM::payload replace 0 0 $response
        }
    }
}

**also tried** 

when HTTP_REQUEST {
    # Initialize here so HTTP_RESPONSE never references an unset variable
    # on requests that were not blocked (the original only set it inside the blocking event)
    set ASM_block 0
}

when ASM_REQUEST_BLOCKING {
    if { [ASM::status] contains "block" } {
        set ASM_block 1
    }
}

when HTTP_RESPONSE {
    if { $ASM_block } {
        HTTP::respond 200 content {
The requested operation was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>
        } Cache-Control No-Cache Pragma No-Cache
    }
}

8 Replies

  • Given that the client-side javascript is expecting a JSON response, you need to configure ASM to provide a suitable JSON response that indicates an error in the form submission that caused blocking.

    Your client-side javascript then needs to be responsible for providing a suitable message to the user that the illegal request was blocked.

    There may be an existing JSON error response in the framework that you can use, or the framework may need to be modified to include a new error state. You cannot just try to insert HTML into the framework flow - the browser itself probably never sees it, just the javascript framework.
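The reply above puts the burden on the client-side code: it has to recognise a block response and tell the user. As an added example (not code from the thread, from F5, or from the asker's framework), here is a response handler that accepts both the JSON block body shaped like the iRule in the question and ASM's default HTML block page, and extracts the support ID for display; the regex, field shapes and sample bodies are constructed assumptions.

```javascript
// Added example, not from the original thread. A fetch/XHR completion handler
// for an app whose JavaScript expects JSON but may receive an ASM block page.
// Returns what the UI should show; the actual display (toastr or similar)
// is left to the framework.
const SUPPORT_ID_RE = /support ID is:\s*(\d+)/i; // assumed wording of the block text

function blockedResult(text) {
  const m = SUPPORT_ID_RE.exec(text);
  return {
    blocked: true,
    supportId: m ? m[1] : null,
    message: m
      ? `The request was rejected by the security policy. Support ID: ${m[1]}`
      : "The request was rejected by the security policy.",
  };
}

function parseAsmResponse(contentType, bodyText) {
  if (/json/i.test(contentType || "")) {
    let data;
    try {
      data = JSON.parse(bodyText);
    } catch (e) {
      // Declared JSON but not parseable: treat it like an HTML block page below
      return blockedResult(bodyText.replace(/<[^>]*>/g, " "));
    }
    // Search every string value (e.g. GlossDef.para in the iRule above) for the block text
    const flat = JSON.stringify(data);
    if (SUPPORT_ID_RE.test(flat)) return blockedResult(flat);
    return { blocked: false, data }; // normal application response
  }
  // Non-JSON: assume ASM's default HTML block page; strip tags, pull the support ID
  return blockedResult(bodyText.replace(/<[^>]*>/g, " "));
}

// Constructed sample bodies (support IDs are made up)
const SAMPLE_JSON_BLOCK = JSON.stringify({ glossary: { GlossDiv: { GlossList: { GlossEntry: {
  GlossDef: { para: "The requested operation was rejected. Please consult with your administrator. Your support ID is: 1234567890123456789" } } } } } });
const SAMPLE_HTML_BLOCK = "<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. " +
  "Please consult with your administrator.<br><br>Your support ID is: 9876543210987654321<br><br>" +
  "<a href=\"javascript:history.back();\">[Go Back]</a></body></html>";
const SAMPLE_OK = JSON.stringify({ status: "ok", id: 42 });

console.log(parseAsmResponse("application/json", SAMPLE_JSON_BLOCK).message);
console.log(parseAsmResponse("text/html; charset=utf-8", SAMPLE_HTML_BLOCK).message);
console.log(parseAsmResponse("application/json", SAMPLE_OK).blocked); // false
```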

  • Hi,

    When enabling the iRule, did you enable the Trigger ASM iRule Events setting in Application Security?

  • Hi,

    I had the same error as you!

    At this time, do you know a solution for this issue?

    Thanks

    Hung Hoang

    • Simon_Blakely (Employee)

      Again - if your application is using Ajax and JSON, you need to look at the framework itself to find out what options you have for inserting ASM response reporting into the application flow.

      I would have a discussion with the application developer to see how ASM can report errors back to the client in a user friendly way.

      • Hoang_Hung (Cirrus)

        Hi,

        Are you still searching for a solution to the issue?

        I used the iRule from your previous message, but it still can't display the blocking request to my customer!

    • Ivan_Chernenkii (Employee)

      Hello Hoang,

      Do you see this issue for AJAX requests?

      If YES, then to correctly block AJAX requests you need to enable "AJAX Blocking Behavior (JavaScript Injection)" in your policy.

      Thanks, Ivan

      • Hoang_Hung (Cirrus)

        Hi,

        Thank you for the response.

        When we enabled the AJAX response policy, the block page was sent afterwards.

        But when AJAX is enabled, Captcha can't reload, so we need to disable AJAX.

        Do you know why it had this error?

        Before, we had enabled CSRF (CSRF uses JavaScript injection) >> same error as when we enable AJAX.

        Thanks

        Hung Hoang