Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP ASM
Fixed In:
13.1.0
Opened: Jan 26, 2017 Severity: 3-Major
ASM counts failed login attempts per session (browser cookie) and blocks the end user once the number of failed attempts exceeds a predefined threshold (default 5). If the ASM end user makes a successful login before the number of failed attempts reaches the threshold, the failed-attempt counter resets to zero.
An ASM end user is allowed a number of failed logins higher than the threshold. This happens only when that ASM end user sends a successful login before the number of failures reaches the threshold, which resets the counter and lets the failed attempts continue within the same session.
An ASM policy is attached to the virtual server, and the session-based brute force feature is configured along with a login page.
None.
Session-based brute force protection now handles this case correctly.
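The following is an added Python model of the behaviour described above; it is not F5 code and does not reproduce the BIG-IP ASM implementation. It keys the counter by session (as ASM keys it by browser cookie), blocks when failures exceed the threshold (default 5), and compares the reset-on-success behaviour from this bug with a variant that keeps counting across successes. That "no reset" variant is an assumed mitigation for illustration, not a statement of what version 13.1.0 ships. The attacker in the simulation holds one valid credential of their own and interleaves it with guesses, which is the pattern the description implies.

```python
"""Model of a per-session failed-login counter (constructed example, not F5 code)."""
from dataclasses import dataclass

DEFAULT_THRESHOLD = 5  # ASM default: block once failures exceed this value


@dataclass
class SessionCounter:
    """Failed-login state for one session (one browser cookie)."""
    reset_on_success: bool          # True = behaviour described in the bug
    threshold: int = DEFAULT_THRESHOLD
    failures: int = 0
    blocked: bool = False

    def login(self, ok: bool) -> str:
        """Process one login attempt; returns 'success', 'failed' or 'blocked'."""
        if self.blocked:
            return "blocked"
        if ok:
            if self.reset_on_success:
                self.failures = 0   # the reset that the attacker exploits
            return "success"
        self.failures += 1
        if self.failures > self.threshold:   # "exceeds" the threshold
            self.blocked = True
            return "blocked"
        return "failed"


def run_attack(reset_on_success: bool, rounds: int = 3,
               threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Simulate an attacker who owns one valid credential and, in a single
    session, submits `threshold` wrong guesses followed by a login with that
    valid credential, repeated `rounds` times.  Returns how many wrong guesses
    the session accepted and whether it was ever blocked."""
    session = SessionCounter(reset_on_success, threshold)
    accepted_guesses = 0
    for _ in range(rounds):
        for _ in range(threshold):
            if session.login(ok=False) == "blocked":
                return {"guesses": accepted_guesses, "blocked": True}
            accepted_guesses += 1
        session.login(ok=True)   # attacker's own valid account, resets counter if allowed
    return {"guesses": accepted_guesses, "blocked": session.blocked}


def legitimate_user(reset_on_success: bool) -> str:
    """A user who mistypes twice and then logs in is never blocked either way."""
    session = SessionCounter(reset_on_success)
    session.login(ok=False)
    session.login(ok=False)
    return session.login(ok=True)


if __name__ == "__main__":
    print("reset on success :", run_attack(True))    # guesses keep going, never blocked
    print("no reset         :", run_attack(False))   # blocked on the sixth guess
```

With the reset-on-success behaviour, three rounds yield 15 accepted wrong guesses and no block; with the counter carried across successes the session is blocked after the fifth guess, as the threshold intends. A legitimate user who fails a couple of times and then succeeds is unaffected by either policy, which is why counting across successes within a session is a low-cost change.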