Bug ID 742852: Bot Defense protection blocks Safari browser requests while using cross site redirect protection by 'Location' header

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.0, 14.1.0.1

Fixed In:
15.0.0, 14.1.0.2

Opened: Sep 05, 2018

Severity: 3-Major

Symptoms

Bot defense blocks a request that contains a TSPD101 cookie in the query string. TSPD101 is sent when the Safari browser is used and cross-site redirect protection is applied to a request.

Impact

Cross-site requests are blocked during the grace period configured on the bot defense profile.

Conditions

- ASM provisioned.
- Bot Defense profile attached to a virtual server.
- Cross-site redirection is applied on a request.
- Using the Safari browser.

Workaround

Disable browser verification in the bot defense profile.

Fix Information

Cross-site redirect protection now works as expected when the cookie is sent via the query string.

Behavior Change
