Bug ID 1023993: Brute Force is not blocking requests, even when auth failure happens multiple times

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 16.1.0, 16.1.1, 16.1.2

Fixed In:
17.0.0, 13.1.5

Opened: Jun 08, 2021
Severity: 3-Major


Symptoms

After configuring brute force protection, send traffic with multiple Authorization headers in the request. The traffic is not blocked when it is supposed to be.

Impact

Specially crafted requests that have multiple Authorization headers bypass the brute force checks, so a brute force attack is possible.

Conditions

There is more than one Authorization header present in the request.

Workaround

Enable "Illegal repeated header violation" and configure the Authorization header's repeated occurrence to disallow.
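
The rule behind the workaround, written as a stand-alone check (an added example, not F5 or ASM code): count Authorization headers case-insensitively in a raw HTTP/1.x request and disallow more than one. The function names and the sample requests are constructed for illustration.

```python
# Added example: flag requests that repeat the Authorization header.
# All sample requests are constructed; the credentials are dummy values.

def header_names(raw_request):
    """Return lower-cased header field names from a raw HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]   # ignore the body
    names = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if not line or line[:1] in (b" ", b"\t"):
            continue                              # folded continuation of the previous field
        name, sep, _value = line.partition(b":")
        if sep:
            names.append(name.strip().decode("latin-1").lower())
    return names

def authorization_count(raw_request):
    """Number of Authorization header fields, regardless of letter case."""
    return header_names(raw_request).count("authorization")

def verdict(raw_request, max_occurrences=1):
    """Return 'block' when Authorization occurs more often than allowed."""
    return "block" if authorization_count(raw_request) > max_occurrences else "allow"

SINGLE = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
          b"Authorization: Basic dXNlcjpwYXNz\r\nContent-Length: 0\r\n\r\n")

REPEATED = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
            b"Authorization: Basic dXNlcjpwYXNz\r\n"
            b"AUTHORIZATION: Basic dXNlcjpndWVzcw==\r\n\r\n")

# The header name appears twice in the body only; the body must not be counted.
BODY_ONLY = (b"POST /echo HTTP/1.1\r\nHost: app.example\r\n"
             b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"
             b"Authorization: x\r\nAuthorization: y")

if __name__ == "__main__":
    for label, req in (("single", SINGLE), ("repeated", REPEATED), ("body-only", BODY_ONLY)):
        print(label, authorization_count(req), verdict(req))
```
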

Fix Information

ASM detects the brute force attempt with multiple Authorization headers in the request.

Behavior Change