Bug ID 846493: ASM CAPTCHA is not working the first time when a request contains sensitive parameters

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.1,,,,, 13.1.3,,,

Fixed In:

Opened: Nov 06, 2019

Severity: 3-Major


ASM end users are required to type CAPTCHA letters twice to get the login request to be forwarded to the server. In addition, the original login request is not sent to the server, which results in failed logins.


False-positive bad logins.


-- ASM provisioned. -- ASM policy attached to a virtual server. -- Brute force enabled in the ASM policy. -- Brute force issues CAPTCHA mitigation.


Remove sensitive parameters from asm policy. Impact of workaround: This results in sensitive parameters being revealed in the ASM event logs.

Fix Information

CAPTCHA mechanism now works correctly along with sensitive parameters.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips