Bug ID 638857: Challenging AJAX-qualified requests cover only GET and POST HTTP methods

Last Modified: Oct 01, 2018

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3

Fixed In:
13.1.0, 13.0.1

Opened: Jan 12, 2017
Severity: 4-Minor

Symptoms

When the Single Page Application flag enabled within DoS Application profile, and there is an AJAX request being sent using an HTTP method that is not a GET or POST (e.g., PATCH, PUT, DELETE), the Proactive Bot Defense does not display CAPTCHA pop-up.

Impact

CAPTCHA or challenge does not work.

Conditions

-- ASM provisioned. -- DoS Application profile assigned to a virtual server. -- Proactive Bot Defense enabled. -- Single Page Application flag enabled within DoS Application profile. -- HTTP method is not GET or POST.

Workaround

Disable Proactive Bot Defense, Single Page Application.

Fix Information

Single Page Application (SpearHead) AJAX hook has been updated to support non-GET/POST HTTP methods.

Behavior Change