Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.3
Opened: Mar 02, 2017
Severity: 3-Major
Related Article:
K23432927
Symptoms:
The JavaScript challenge repeats in a loop on URLs that have path parameters (when the URL contains the ';' character). The request never reaches the back-end server. This happens in the following challenges:
* Proactive Bot Defense with Suspicious Browsers enabled
* Client-Side Integrity Defense
In the rest of the challenges, the challenges will succeed, but POST requests will not be reconstructed correctly and sent as a multipart message to the back-end server.
Impact:
Requests with the ';' character will be blocked and the browser will repeat the challenge in a loop.
Conditions:
URLs contain the ';' character, AND either:
* Proactive Bot Defense with Suspicious Browsers enabled, OR
* Client-Side Integrity Defense is enabled and is used as a DoSL7 mitigation during an attack.
Workaround:
None
Fix Information:
The JavaScript challenge no longer gets stuck in a loop on URLs which have path parameters.
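To judge exposure on an affected version, it helps to know which application endpoints are actually requested with ';' path parameters, and which of those are POSTs. The following is an added example, not F5 code: it assumes combined-format web server access logs, uses constructed sample lines, and counts only ';' in the path portion of the URL (a ';' in the query string is ignored, which is an assumption about how the condition applies).

```python
import re
from collections import Counter

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Mar/2017:10:00:01 +0000] "GET /shop/cart;jsessionid=ABC123 HTTP/1.1" 200 512
192.0.2.10 - - [02/Mar/2017:10:00:02 +0000] "POST /shop/checkout;jsessionid=ABC123?step=2 HTTP/1.1" 200 128
192.0.2.11 - - [02/Mar/2017:10:00:03 +0000] "GET /search?q=a;b HTTP/1.1" 200 900
192.0.2.12 - - [02/Mar/2017:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.13 - - [02/Mar/2017:10:00:05 +0000] "GET /shop/cart;jsessionid=XYZ789 HTTP/1.1" 200 512
"""


def path_parameter_requests(log_text):
    """Count (method, endpoint) pairs whose path carries a ';' path parameter.

    Parameter values are stripped so requests to one endpoint group together.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP line
        path = m.group("target").split("?", 1)[0]  # drop the query string
        if ";" not in path:
            continue
        # Strip parameters from every segment: /a;x=1/b;y=2 -> /a/b
        endpoint = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
        hits[(m.group("method"), endpoint)] += 1
    return hits


if __name__ == "__main__":
    for (method, endpoint), count in path_parameter_requests(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {method:6s} {endpoint}")
```

Endpoints reported with method POST are the ones where the POST reconstruction symptom applies in addition to the challenge loop.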