Forum Discussion

jmgrange_337011
Oct 10, 2017

ASM Removing Login Body

We are working on configuring ASM for deployment in our environment. Currently we are only testing it in our Alpha environment. In testing we have found a curious problem and are hoping to shed some light on it. In our Alpha environment we do manual as well as automated testing. The automated testing is done using Selenium.


With the WAF on and in transparent mode during the login process the WAF appears to be removing the HTTP body from the login response/confirmation after the username and password have been sent. The issue only happens with the WAF on (again in transparent mode) and only on the automated testing. With the WAF off automated testing works just fine and without issue as does manual testing regardless of whether the WAF is on or off.


This has been perplexing us for some time now, as we can't find any reason for the WAF to remove the body while leaving the header, and only with the automated testing. We have confirmed that Selenium is passing the appropriate JavaScript tests that the WAF issues regarding verification.


1 Reply

  • ASM policy might inject specific JavaScript into requests/responses, which may interfere with JavaScript in your application and break the page rendering. Your description is quite generic, so it is not quite possible to figure out exactly what is going on; it might be as simple as ASM just doing its job and blocking the automated requests, and your Selenium scripts are simply seeing the ASM blocking page, which has just a simple one-liner of a body: "The requested URL was rejected. Please consult with your administrator. Your Support ID is: 1234"


    DDoS, Bot detection and Web Scraping features inject custom JavaScript which detects things like mouse movements and keypresses to decide whether it is a human or a bot. As you are complaining about automated testing, it looks like your Selenium suite is taken by the WAF for what it actually is - a bot.


    DoS protection may block the requests even if the ASM policy is in transparent mode - it all depends on your specific configuration.
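As an added example (not code from either poster), a small check that a Selenium harness could run on the responses it captures to tell the ASM blocking page described in the reply, or a response whose body arrived empty, apart from a normal login response. The block-page wording and the Support ID come from the reply above; the three sample responses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Wording of the ASM blocking page quoted in the reply. The Support ID is the
# value an administrator looks up in the ASM request log to see which
# violation triggered the block.
BLOCK_PAGE_RE = re.compile(
    r"The requested URL was rejected\..*?Your Support ID is:\s*(\d+)",
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Verdict:
    kind: str                      # "asm_block", "empty_body" or "normal"
    support_id: Optional[str] = None
    detail: str = ""


def classify_response(status: int, headers: Mapping[str, str], body: str) -> Verdict:
    """Classify one captured HTTP response (status, headers, body text)."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    m = BLOCK_PAGE_RE.search(body)
    if m:
        return Verdict("asm_block", support_id=m.group(1),
                       detail="ASM blocking page; correlate the Support ID with the ASM request log")
    if not body.strip():
        declared = hdrs.get("content-length")
        if declared not in (None, "0"):
            return Verdict("empty_body",
                           detail=f"headers declare Content-Length {declared} but the body is empty")
        return Verdict("empty_body", detail=f"HTTP {status} with headers but no body")
    return Verdict("normal", detail=f"{len(body)}-byte body")


# Constructed sample responses, standing in for what a harness would capture.
SAMPLES = {
    "blocked": (200, {"Content-Type": "text/html"},
                "<html><body>The requested URL was rejected. Please consult with your "
                "administrator.<br>Your Support ID is: 1234</body></html>"),
    "stripped": (200, {"Content-Type": "text/html", "Content-Length": "2048"}, ""),
    "login_ok": (200, {"Content-Type": "text/html"},
                 "<html><body><h1>Welcome back</h1></body></html>"),
}


def classify_all(samples=SAMPLES) -> dict:
    """Run the classifier over every sample and return the verdicts by name."""
    return {name: classify_response(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:9s} -> {verdict.kind:11s} {verdict.detail}")
```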