Bug ID 701792: JS Injection into cached HTML response causes TCP RST on the fictive URLs

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3

Fixed In:
14.0.0, 13.1.1.4

Opened: Jan 13, 2018
Severity: 3-Major

Symptoms

TCP RST being sent when a browser requests a fictive URL that starts with either of the following strings: -- /TSPD/xxx...xxx?type=x -- /TSbd/xxx...xxx?type=x.

Impact

CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.

Conditions

This occurs in either of the following scenarios: -- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal. -- DoS profile with Single Page Application enabled is attached to a virtual server.

Workaround

Use an iRule to disable caching for HTML pages where a fictive URL is injected.

Fix Information

The system now disables cached headers to HTML responses where a fictive URL is injected.

Behavior Change