Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2
Fixed In:
13.0.0, 12.1.3
Opened: Nov 28, 2016
Severity: 3-Major
When a JavaScript challenge is sent in response to a POST request made within an iframe, the follow-up request is a GET when it comes from the Microsoft Internet Explorer or Edge browser. The request reconstruction is incorrect, and the back-end server does not receive the request payload. This is relevant to all types of JavaScript challenges: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.
POST requests will be sent as GET and the request payload will not reach the back-end server.
A JavaScript challenge is used in a POST request when one of the following features is enabled: Proactive Bot Defense, DoSL7 Client-Side Integrity Defense, Device-ID Challenge, or CAPTCHA Challenge.
None.
JavaScript challenges to POST requests are sent correctly to the back-end server when coming from an iframe in Microsoft Internet Explorer/Edge browsers.