Issue Getting JSON Response Page to Present on ASM Block

Running 12.1.2 HF1. ASM is configured to present a block response page when illegal requests are detected for a web application. I verified in the logs that illegal requests are being detected and dropped, but the response page doesn't display. The form triggering this illegal request uses a JavaScript API (similar to toastr) which expects a response in JSON, but when the block page is returned in HTML nothing is displayed.

When configuring the response page in JSON format, still nothing gets displayed. The application seems to be sending the data of an error and we need to somehow intercept this and manipulate it. As of now, when the response is given it just returns a blank window with no text.

As another workaround, we were thinking of leveraging a URL redirect to direct users to a custom block page, but this framework requires jQuery/.NET, which is not used by the web application.

I have searched DevCentral about this issue and pieced together a few attempts; the syntax gets accepted but the blocked page still doesn't display:

when HTTP_REQUEST {
    # Remember whether the client sent JSON so the blocking event can answer in kind
    set json_content 0
    if { [HTTP::header "Content-Type"] contains "json" } {
        set json_content 1
    }
}

when ASM_REQUEST_BLOCKING {
    if { $json_content } {
        if { [ASM::status] contains "block" } {
            #ASM::unblock
            HTTP::header remove Content-Length
            HTTP::header insert header_1 value_1

            set response "{ \"glossary\": { \"title\": \"example glossary\", \"GlossDiv\": { \"title\": \"S\", \"GlossList\": { \"GlossEntry\": { \"ID\": \"SGML\", \"SortAs\": \"SGML\", \"GlossTerm\": \"Standard Generalized Markup Language\", \"Acronym\": \"SGML\", \"Abbrev\": \"ISO 8879:1986\", \"GlossDef\": { \"para\": \"The requested operation was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>\", \"GlossSeeAlso\": \[\"GML\", \"XML\"\] }, \"GlossSee\": \"markup\" } } } } }"

            # Empty the HTML block page body and put the JSON document in its place
            ASM::payload replace 0 [ASM::payload length] ""
            ASM::payload replace 0 0 $response
        }
    }
}

**also tried** 

when ASM_REQUEST_BLOCKING {
    set ASM_block 0
    if { [ASM::status] contains "block" } {
        set ASM_block 1
    }
}

when HTTP_RESPONSE {
    # ASM_block only exists when ASM_REQUEST_BLOCKING fired for this request,
    # so guard the read to avoid a "no such variable" TCL error on normal responses
    if { [info exists ASM_block] && $ASM_block } {
        HTTP::respond 200 content {
The requested operation was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>
        } Cache-Control No-Cache Pragma No-Cache
    }
}

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Given that the client-side javascript is expecting a JSON response, you need to configure ASM to provide a suitable JSON response that indicates an error in the form submission that caused blocking.

Your client-side javascript then needs to be responsible for providing a suitable message to the user that the illegal request was blocked.

There may be an existing JSON error response in the framework that you can use, or the framework may need to be modified to include a new error state. You cannot just try to insert HTML into the framework flow - the browser itself probably never sees it, just the javascript framework.

Comments on this Answer
Comment made 11-Sep-2017 by Portallion 29

Thanks for your quick reply.

We attempted to configure the ASM Response page with the following [image not preserved]

I tried to do what was stated on this question https://devcentral.f5.com/questions/using-irules-for-json-response

and also set it according to https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/21.html

That article states "The application needs to have been developed using ASP.NET, jQuery, Prototype®, or MooTools to use AJAX blocking behavior."; however, jQuery/.NET is not used by the web application.

Was hoping an iRule might be able to manipulate this somehow, but it sounds like more work would be needed on the app side, as you stated: "client-side javascript then needs to be responsible for providing a suitable message to the user that the illegal request was blocked".

Comment made 12-Sep-2017 by S Blakely

Yes - the AJAX blocking page relies on the framework seeing the

status: "error"

element and taking action to display the message in the "Data" block.

Check your AJAX framework to see if it has a similar error-handling condition.

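The accepted answer and the comment above put the burden on the client-side framework: it has to recognise the JSON error the block page returns (a Status of "Error" plus a Data block carrying the message) and show it to the user. Below is an added example of such a handler, not code from the thread, from F5 or from toastr. It also covers the failure mode in the original question, where the default HTML block page arrives instead of JSON and the framework shows a blank window. The exact JSON nesting, the function names and the sample response bodies are assumptions constructed for this example.

```javascript
// Added example, not code from the thread, from F5 or from toastr: a
// client-side handler for an application that expects JSON but may receive
// an ASM block response. It recognises the JSON block shape the thread
// describes (Status "Error" plus a Data block with the message) and falls
// back to the default HTML block page, so the user sees a message and the
// support ID instead of a blank window. The JSON nesting, function names and
// sample bodies are assumptions made for this example.

// Pull the support ID out of a block message so it can be shown or logged.
function extractSupportId(text) {
  const m = /support ID is:\s*([0-9]+)/i.exec(text);
  return m ? m[1] : null;
}

// Classify a response body. Returns { blocked, message, supportId, reason }.
function parseAsmBlock(contentType, body) {
  if (/json/i.test(contentType || "")) {
    let doc;
    try {
      doc = JSON.parse(body);
    } catch (e) {
      // Declared as JSON but unparsable: a generic failure, not a block
      return { blocked: false, reason: "invalid-json" };
    }
    if (!doc || typeof doc !== "object") {
      return { blocked: false, reason: "ok" };
    }
    const status = String(doc.Status || doc.status || "").toLowerCase();
    if (status !== "error") {
      return { blocked: false, reason: "ok" };
    }
    const data = doc.Data || doc.data || {};
    const message = typeof data === "string"
      ? data
      : String(data.message || "Request rejected by the security policy.");
    return { blocked: true, message, supportId: extractSupportId(message), reason: "json-block" };
  }

  // Not JSON: the default ASM block page is HTML. Detect it by the support-ID
  // sentence and strip the markup so the message can be displayed as text.
  if (/Your support ID is:/i.test(body)) {
    const text = body.replace(/<[^>]*>/g, " ").replace(/\s+/g, " ").trim();
    return {
      blocked: true,
      message: "The request was rejected by the security policy.",
      supportId: extractSupportId(text),
      reason: "html-block",
    };
  }
  return { blocked: false, reason: "not-a-block" };
}

// Route a parsed response to a toastr-like notifier. `notify(level, text)` is
// whatever the application uses; returns true when a block was surfaced.
function handleBlockedResponse(contentType, body, notify) {
  const result = parseAsmBlock(contentType, body);
  if (!result.blocked) {
    return false;
  }
  const idText = result.supportId ? ` (support ID ${result.supportId})` : "";
  notify("error", result.message + idText);
  return true;
}

// Constructed sample responses (not captured from a real BIG-IP), matching
// the shapes discussed in the thread. The IDs are made-up digits.
const SAMPLE_JSON_BLOCK = JSON.stringify({
  Status: "Error",
  Data: { message: "The requested URL was rejected. Please consult with your administrator. Your support ID is: 4242424242424242424" },
});
const SAMPLE_HTML_BLOCK =
  "<html><head><title>Request Rejected</title></head><body>The requested URL was rejected. " +
  "Please consult with your administrator.<br><br>Your support ID is: 1717171717171717171<br><br>" +
  "<a href='javascript:history.back();'>[Go Back]</a></body></html>";
const SAMPLE_OK = JSON.stringify({ Status: "OK", Data: { id: 7 } });

// Stand-alone demo: records what the notifier would have shown.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const shown = [];
  const notify = (level, text) => shown.push(`${level}: ${text}`);
  handleBlockedResponse("application/json; charset=utf-8", SAMPLE_JSON_BLOCK, notify);
  handleBlockedResponse("text/html; charset=utf-8", SAMPLE_HTML_BLOCK, notify);
  handleBlockedResponse("application/json", SAMPLE_OK, notify);
  console.log(shown.join("\n"));
}
```

The handler keys on the Content-Type header first, because a framework that blindly calls JSON.parse on an HTML block page is exactly what produces the empty window described in the question; the HTML branch is a fallback for policies that still serve the default page, while the JSON branch is what the AJAX response page is meant to feed.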
Comment made 12-Sep-2017 by Portallion 29

Thanks for the follow-up, S Blakely. It appears you are correct. I believe the issue at this point is the API that the app is using. It's using toastr js and the browser just never gets the data it's expecting from the API.

We were able to get this to work using the response page with the JSON response; however, going that route on a larger scale requires the developers to do a lot more work, so we were seeing if somehow an iRule could take over this, but it doesn't seem feasible. If I get any more data on this I'll reply with an update.

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

When enabling the iRule, did you enable the Trigger ASM iRule Events setting in Application Security?

Comments on this Answer
Comment made 12-Sep-2017 by Stanislas Piron 10623

I just tried this iRule and got the JSON response page (the Trigger ASM iRule Events setting must be enabled in the Application Security policy to make it work):

when HTTP_REQUEST {
    # Remember whether the client sent JSON so the blocking event can answer in kind
    set json_content 0
    if { [HTTP::header "Content-Type"] contains "json" } {
        set json_content 1
    }
}

when ASM_REQUEST_BLOCKING {
    if { $json_content } {
        set response "{ \"glossary\": { \"title\": \"example glossary\", \"GlossDiv\": { \"title\": \"S\", \"GlossList\": { \"GlossEntry\": { \"ID\": \"SGML\", \"SortAs\": \"SGML\", \"GlossTerm\": \"Standard Generalized Markup Language\", \"Acronym\": \"SGML\", \"Abbrev\": \"ISO 8879:1986\", \"GlossDef\": { \"para\": \"The requested operation was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>\", \"GlossSeeAlso\": \[\"GML\", \"XML\"\] }, \"GlossSee\": \"markup\" } } } } }"
        # Empty the block page body and put the JSON document in its place
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response
    }
}
Comment made 12-Sep-2017 by Portallion 29

Thanks for the verification of this Stanislas! Good to know this would work in certain situations. We do have "Trigger ASM iRule Events" checked on the policy.

I also tried the following iRule based on another article

when ASM_REQUEST_BLOCKING {
    if { [ASM::status] contains "block" } {
        # Valid JSON in the Status/Data layout: a Status string plus a Data object
        # carrying the message (nesting assumed from the layout described in this thread)
        set response "\{\"Status\":\"Error\",\"Data\":\{\"message\":\"The requested URL was rejected. Please consult with your administrator. Your support ID is: <%TS.request.ID()%>\"\}\}"
        HTTP::respond 200 content $response Content-Type "application/json; charset=utf-8"
    }
}

That did not work either. I believe the issue at this point is the API that the app is using. It's using toastr js and, like S Blakely stated, "the client-side JavaScript then needs to be responsible for providing a suitable message to the user that the illegal request was blocked". The manipulation we are trying is all ASM based and the browser just never gets the data.

We were able to get this to work using the response page with the JSON response; however, going that route on a larger scale requires the developers to do a lot more work, so we were seeing if somehow an iRule could take over this, but it doesn't seem feasible. If I get any more data on this I'll reply with an update.
