Forum Discussion
3 Replies
Yes, you can disable ASM for a specific URI by using an LTM policy. For example:
In the LTM policy, add a rule with condition:
HTTP Uri path starts with /something
and with action
disable ASM
- youssef1 (Cumulonimbus)
Hello,
Hope to understand your need!!!
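You want something like that:

    when HTTP_REQUEST {
        # Normalize the method so the switch below is case-insensitive
        set method [string tolower [HTTP::method]]
        set uri [HTTP::uri]
        if { $uri starts_with "/blabla" } {
            switch $method {
                "get" -
                "head" {
                    # Skip ASM processing for GET and HEAD on this URI only
                    ASM::disable
                }
                default {
                    # Don't do anything: ASM stays enabled for other methods
                }
            }
        }
    }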
- canttalkeating (Altocumulus)
I can understand that disabling the Body in HEAD or GET check within the ASM policy would resolve the issue being experienced by the client without having to remove the URI from blocking altogether, but this request type is not normal behavior and is checked by the ASM policy to ensure nothing malicious is being added to the GET or HEAD request. Only POST should contain a Body; therefore, by disabling this check you are opening yourself up to a vulnerability.
I would like to know people's opinions on this, particularly their thoughts on why we are seeing Body in GET or HEAD requests, i.e. how this is occurring, and also how people feel about turning off the check for this within the policy and the potential implications of this opening up the application to a possible attack.
Thanks
David
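
Added example, not posted by anyone in this thread: an iRule that leaves ASM enabled and only logs GET/HEAD requests carrying a body under the URI prefix used above, so the clients sending them can be identified before any check is relaxed. The `/blabla` prefix is the placeholder from the earlier reply; the `local0.notice` log target and the logged fields are assumptions.

```tcl
when HTTP_REQUEST {
    set method [string toupper [HTTP::method]]

    # Only GET and HEAD are of interest; everything else is left alone
    if { !($method eq "GET" || $method eq "HEAD") } { return }

    # Limit logging to the URI prefix discussed in the thread (placeholder)
    if { !([HTTP::path] starts_with "/blabla") } { return }

    # A body is signalled by a non-zero Content-Length or chunked encoding
    set clen 0
    if { [HTTP::header exists "Content-Length"] } {
        set clen [HTTP::header value "Content-Length"]
    }
    set te [string tolower [HTTP::header value "Transfer-Encoding"]]
    set ua [HTTP::header value "User-Agent"]

    if { ([string is integer -strict $clen] && $clen > 0) || ($te contains "chunked") } {
        # Header values are client-controlled: treat these log fields as untrusted
        log local0.notice "Body in $method request: client=[IP::client_addr] host=[HTTP::host] path=[HTTP::path] content-length=$clen transfer-encoding=$te user-agent=$ua"
    }
}
```

The rule never calls `ASM::disable`, so the ASM policy continues to evaluate these requests while the log entries show which clients and user agents produce them.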