I want to write an iRule which handles both XML and HTML requests. Whenever an attack signature is triggered, the iRule should respond with an HTML response for HTML requests and an XML response for XML requests, along with the support ID. Please note that I am not using the option provided for the XML page in ASM, because for that the XML page needs to be mapped to the XML profile, and here it is unknown which page would be XML. The only thing that can be relied on is the Content-Type header.
You don't really need an iRule for that! An XML Profile and XML Response Page can be mapped to the Content-Type header very easily, using a header-based content profile on a wildcard URL (if you don't know the exact URL); it can even be the * wildcard URL. Simply create an XML profile (make sure you enable the XML Blocking response page there) and on the URL you need (again, this can be the '*' default wildcard URL) map the Request Header Name: content-type with Request Header Value: application/xml, set the request body handling to XML, select your XML profile and hit the Add button. That's it! Please see an example configuration in the screenshot below:
So now any blocked requests from a browser will get the standard HTML Blocking Response Page, and any requests with the application/xml content type will go through the XML profile and the XML Blocking Response Page will be returned if a blocking violation occurs.
I hope this helps,
Thanks for the response.
I tried the way you are telling, however, I am not getting the intended results.
Following is what I have done:
1. Applied the content profiles on the URL /gateway/* . You can see three profiles here. For the XML profile, I have selected the option "Use XML blocking response page".
The following shows the XML profile on the URL.
Now, when sending the request through Burp with an XSS payload, the response is still the HTML response page, which is the default response page.
Not sure what I am missing.
The mistake you are making is that you are placing the XSS attack payload in the URL. This means the attack is happening in the HTTP header; in this case the ASM default profile will handle it, as the attack is not inside the XML payload and is not reaching the XML profile.
In your example, if you want to test it properly, change the GET request to POST and place the XSS attack inside the body, e.g.
Then you will see the XML blocking page response.
Thanks. This handles the XML part. Similarly, the default response page could be made JSON, as the application is using JSON in most of the requests.
However, I still need to have an HTML default page for the few requests which use the HTML content type. Is it possible to do this from the response page? Or would an iRule be required here?
In the configuration you already have (based on the screenshot), the default handling of requests in ASM will simply take over all other requests (other than XML and JSON), so you are good to go with this configuration. There is no need for any iRule in this case; ASM will handle the different types of traffic for you. All XML requests will go via the XML profile (provided there is actually an XML payload), all JSON requests will go via the JSON profile, and everything else will go via the default profile and the default HTML blocking response page.
Hope this helps,