Bug ID 846493: ASM CAPTCHA is not working the first time when a request contains sensitive parameters

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,

Fixed In:

Opened: Nov 06, 2019
Severity: 3-Major


ASM end users are required to type CAPTCHA letters twice to get the login request to be forwarded to the server. In addition, the original login request is not sent to the server, which results in failed logins.


False-positive bad logins.


-- ASM provisioned. -- ASM policy attached to a virtual server. -- Brute force enabled in the ASM policy. -- Brute force issues CAPTCHA mitigation.


Remove sensitive parameters from asm policy. Impact of workaround: This results in sensitive parameters being revealed in the ASM event logs.

Fix Information

CAPTCHA mechanism now works correctly along with sensitive parameters.

Behavior Change