For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Alex_Nimo_26616's avatar
Alex_Nimo_26616
Icon for Altocumulus rankAltocumulus
Nov 03, 2018

ASM JSON login page

Hi,   Trying to configure a JSON login page in ASM. The page first asks for the username and only then for the password.   1) When configuring JSON login in ASM, you must supply both the parame...
ASM Advanced WAF
brute force
JSON
login page
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Nov 04, 2018

You have a very strange application to protect.

 

So you are saying that application has Page 1 where user enters username only and clicks login button - this generate a JSON request which contains only one parameter: "username" to the server after which the user is navigating to Page where only the Password is required and then again a JSON request is sent next to the server with only one parameter "password"???

 

How is the session state maintained between Page 1 and Page 2? there must be something ( a cookie, a token a header) sent back by the server in response to Page 1 request which would help the server to link the JSON data blurb with just username with bare Page 2 with just password.

 

You can try defining 2 x AJAX page URLs with username & password being the same parameter name (you can't leave the password field blank).

 

Can you provide examples of full HTTP requests and responses? (Page 1 request/response and Page 2 request/response) for a successful (and unsuccessful) login?