Bug ID 630356: JavaScript challenge follow-up to POST is sent as GET in iframe from IE/Edge

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.3

Opened: Nov 28, 2016
Severity: 3-Major

Symptoms

When a JavaScript challenge is sent in response to a POST request within an iframe, the follow-up request from Microsoft Internet Explorer or Edge is sent as a GET. The request reconstruction is incorrect, and the back-end server does not receive the request payload. This is relevant to all types of JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Impact

POST requests will be sent as GET and the request payload will not reach the back-end server.

Conditions

A JavaScript challenge is used on a POST request when one of the following features is enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.

Workaround

None.

Fix Information

POST requests that receive a JavaScript challenge are now sent correctly to the back-end server when they come from an iframe in Microsoft Internet Explorer or Edge browsers.

Behavior Change