Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3
Fixed In:
14.0.0, 13.1.1.4
Opened: Jan 13, 2018 Severity: 3-Major
TCP RST being sent when a browser requests a fictive URL that starts with either of the following strings: -- /TSPD/xxx...xxx?type=x -- /TSbd/xxx...xxx?type=x.
CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.
This occurs in either of the following scenarios: -- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal. -- DoS profile with Single Page Application enabled is attached to a virtual server.
Use an iRule to disable caching for HTML pages where a fictive URL is injected.
The system now includes a new ASM Internal Parameter 'disable_cache_upon_injection', disabled by default. When it is enabled, ASM disables cached headers to HTML responses where a fictive URL is injected.