When configuring ASM, I need to enable Response Signature to block simple XSS such as window.alert.
Please advise which kinds of XSS can be blocked WITHOUT enabling Response Signature.
I don't believe there are any XSS signatures which apply to responses; they apply only to requests. As for the kind of XSS that can be blocked, all we have to go on is the name of the signature, since the actual expression cannot be seen.
Your question has many answers because, depending on the case, custom signatures may be applied.
Assuming that what we want is to block an XSS that gets printed in a response, such as a "stored XSS" attack.
A quick fix is to enable, under "Negative Security Violations", the option
"Data Guard: Information leakage detected."
After activating it, go to "Security >> Application Security: Data Guard"
And there you set the following:
Data Guard enabled
and, most importantly, Custom Patterns (enabled)
New Pattern: window.alert.
and after that, save it.
With this method you prevent an injected XSS from running; only a blocking screen with a support ID is shown. So it is best to stop it in the request, but hey, this would be one way to do what you ask.