Bug ID 531851: Login access criteria not validated

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.1.0

Opened: Jul 06, 2015

Severity: 3-Major

Symptoms

When a response arrives without a Content-Type header and a login page uses a "search in response text" criterion, the system does not detect failed logins. When brute force protection or session tracking is configured with this login page, the system does not detect the brute force attack or track the session.

Impact

Brute force attacks are not detected, and other login features may fail.

Conditions

Login criteria include string searches on the full response. The response arrives without a Content-Type header.

Workaround

Add a "content-type: text/html" header to the responses using an iRule. The content type should be textual (for example, "text/X" where X can be anything) or a list of "application/X" where X is one of the following: xml, html, xhml, json, soap+xml, x-javascript.
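One way to write the iRule the workaround describes, as an added example that is not F5's own code. It assumes the login page URL is `/login.php` (a placeholder for the login URL in your policy) and sets the header only on that URL's responses, and only when Content-Type is missing or empty.

```tcl
# Added example, not F5's own code.
# Assumption: /login.php is a placeholder for the login URL defined in the
# ASM policy; replace it with your own login URL.
when HTTP_REQUEST {
    # Flag requests to the login URL so the response event can act on them.
    set login_resp 0
    if { [string tolower [HTTP::path]] eq "/login.php" } {
        set login_resp 1
    }
}

when HTTP_RESPONSE {
    if { $login_resp } {
        # HTTP::header value returns an empty string when the header is
        # absent, so this covers both a missing and an empty Content-Type.
        if { [HTTP::header value "Content-Type"] eq "" } {
            # replace inserts the header if it was not present.
            HTTP::header replace "Content-Type" "text/html"
            # Log so the backend that omits the header can be found and fixed.
            log local0.notice "Bug 531851 workaround: set Content-Type on login response from [IP::server_addr]"
        }
    }
}
```

Restricting the rule to the login URL keeps existing Content-Type values intact and avoids labelling unrelated backend content as HTML.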

Fix Information

We fixed a possible failing scenario of the response-side features.

Behavior Change
