Bug ID 686108: User gets blocking page instead of captcha during brute force attack

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1

Fixed In:
14.0.0, 13.1.0.2

Opened: Sep 28, 2017

Severity: 2-Critical

Symptoms

Unexpected blocking page while captcha is configured.

Impact

Unexpected blocking page mitigation where captcha mitigation was expected.

Conditions

-- Brute force configured with alarm and captcha mitigation. -- The only source configured is username. -- These are the first failed login requests after a system start up or after a login page configuration change.

Workaround

There are two workarounds: -- Access the login page at least 10 times within 5 minutes. -- Run the following command: tmsh modify sys db asm.cs_qualified_urls value <YOUR_LOGIN_URL>

Fix Information

Fixed an issue with unexpected blocking page while captcha is configured.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips