Bug ID 722862: ASM CAPTCHA sends non url-encoded payload when captcha is submitted by pressing 'Enter'

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1

Opened: Jun 03, 2018
Severity: 3-Major


When an APM end-user gets the ASM CAPTCHA page, types the correct CAPTCHA letters, and presses the 'Enter' key rather than clicking the Submit button, the CAPTCHA letters are sent to the BIG-IP system along with other request parameters. These additional parameters are incorrectly forwarded to the backend server without URL encoding; they should be URL-encoded.


Application receives unexpected content, which might cause the backend server's application business logic to not work as expected.


This occurs when the following conditions are met:
-- ASM provisioned.
-- DoS application or ASM policy attached to a virtual server.
-- DoS application or ASM policy has CAPTCHA enabled.
-- User submits the CAPTCHA form using the 'Enter' key.


Disable CAPTCHA within the DoS application or ASM policy.
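
The effect on a backend form parser, as an added example that is not part of the original bug report or F5 code: the same parameters are serialized once with URL encoding and once joined raw, and a standard parser plus a simple body check are run over both. The parameter names and values are constructed, and the raw form assumes "non-url-encoded" means reserved characters are forwarded literally.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample: parameters forwarded to the backend after the CAPTCHA page.
PARAMS = [("user", "alice"), ("comment", "a&b=c d+e"), ("captcha", "XKCD")]

# Characters legal in an application/x-www-form-urlencoded body:
# unreserved characters, the separators & and =, + for space, and %XX escapes.
_VALID_BODY = re.compile(r"^(?:[A-Za-z0-9\-._~*+&=]|%[0-9A-Fa-f]{2})*$")


def encoded_body(params):
    """Serialize the pairs the way a form submission should be encoded."""
    return urlencode(params)


def raw_body(params):
    """Join names and values without escaping (assumed shape of the bug)."""
    return "&".join(f"{k}={v}" for k, v in params)


def parse_form(body):
    """Parse a body the way a typical backend form parser would."""
    return parse_qsl(body, keep_blank_values=True)


def looks_urlencoded(body):
    """Character-level check a backend can apply before parsing.

    It is necessary but not sufficient: a raw value such as "a&b=c"
    contains only legal characters and still splits into two parameters.
    """
    return bool(_VALID_BODY.match(body))


def round_trips(body, params):
    """True if parsing the body recovers exactly the original pairs."""
    return parse_form(body) == list(params)


if __name__ == "__main__":
    for label, body in (("encoded", encoded_body(PARAMS)), ("raw", raw_body(PARAMS))):
        print(label, repr(body))
        print("  legal characters:", looks_urlencoded(body))
        print("  parsed:", parse_form(body))
        print("  matches original:", round_trips(body, PARAMS))
```

With the raw body the parser reports an extra parameter `b` and a truncated `comment`, which is the kind of unexpected content the backend application would see.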

Fix Information


Behavior Change