
Hugo_Frauches_3
6 years ago

ASM Login Page protection for Basic Authentication without failed string

Hello,

Is it possible to create and configure an ASM Login Page for Brute Force protection for a system that uses APM Basic Auth (401) and does not send any string for a failed/wrong username? According to the F5 documentation on how to create a login page, a failed string needs to be configured:

A string that should NOT appear in the response: A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, Authentication failed.

Ref: https://techdocs.f5.com/en-us/bigip-14-1-0/big-ip-asm-implementations-14-1-0/creating-login-pages-for-secure-application-access.html

So my question is, is it possible to configure APM to send a 401 with a failed string, so it can be detected by ASM in Brute Force Login Mitigation?

**For the ASM protection on the APM VS, I'm using the layered Virtual Server configuration.

1 Reply

  • nathe

    Hugo Frauches,

     

    What about adding a positive string for when the user successfully logs in? Does APM send back a specific string, HTTP response code, etc. when a successful logon happens? You can add this. If the ASM doesn't see this then it will conclude it's a failed login.

     

    HTH,

     

    N
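
The difference between the two approaches in this thread, as an added example that is not part of the original posts and is not ASM's own code: a simplified Python model of login validation where only a failure string is configured versus a positive success criterion. The class, field names, threshold and sample responses are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessValidation:
    """Hypothetical model of login-page validation criteria (names are assumptions)."""
    expected_status: Optional[int] = None    # success: response has this status code
    must_contain: Optional[str] = None       # success: string appears in the response
    must_not_contain: Optional[str] = None   # failure string, if the app sends one

    def login_succeeded(self, status: int, body: str) -> bool:
        # Every configured criterion must hold; unset criteria are ignored.
        if self.expected_status is not None and status != self.expected_status:
            return False
        if self.must_contain is not None and self.must_contain not in body:
            return False
        if self.must_not_contain is not None and self.must_not_contain in body:
            return False
        return True

def sources_over_threshold(responses, validation, max_failures):
    """Return source IPs whose failed-login count exceeds max_failures."""
    failures = Counter()
    for src, status, body in responses:
        if not validation.login_succeeded(status, body):
            failures[src] += 1
    return sorted(ip for ip, n in failures.items() if n > max_failures)

# Constructed sample: Basic Auth responses as (source IP, status, body).
# The 401 responses carry no failure string, as in the question.
SAMPLE = (
    [("198.51.100.7", 401, "")] * 6
    + [("203.0.113.20", 401, ""), ("203.0.113.20", 200, "<html>portal</html>")]
)

# Failure-string criterion only: a bare 401 never matches, so nothing is counted.
failure_string_only = AccessValidation(must_not_contain="Authentication failed")
# Positive criterion: anything that is not a 200 counts as a failed login.
positive_status = AccessValidation(expected_status=200)

if __name__ == "__main__":
    print(sources_over_threshold(SAMPLE, failure_string_only, 3))
    print(sources_over_threshold(SAMPLE, positive_status, 3))
```
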