Last Modified: Sep 13, 2023
17.0.0, 18.104.22.168, 22.214.171.124, 126.96.36.199, 13.1.5
Opened: Jun 08, 2021 Severity: 3-Major
Send traffic with multiple Authorization headers in the request after configuring the brute force. The traffic will not be blocked, when it is supposed to be.
Brute force is possible with specially crafted requests having multiple Authorization headers and will be able to bypass brute force checks.
When there is more than one Authorization header present in the requests.
Enable "Illegal repeated header violation" and configure Authorization header repeated occurrence to disallow.
ASM detects the brute force attempt with multiple Authorization headers in the request.