garrett
Oct 06, 2021

Bot protection "Browser Verification" results/experience

I am just wondering what everyone's user experience has been with "Browser Verification" when enabling anything other than the defaults via any Bot Protection profile.

 

For instance, if I have Browser Verification set to anything other than "Challenge Free Verification" in our SharePoint environments, "funky" things will happen, such as users getting a bot error/reference ID page when attempting to sign out, or an EXTREME amount of false positives occurs and user traffic is impacted.

 

In environments with older Java-based apps, it will cause some browsers to automatically sign out when clicking any link in the web application after login (as if cookie persistence is blocked).

 

I have gone back and forth with F5 in almost all my attempts to enable this feature (as browser fingerprinting is something we really would like to utilize), but we just can't get it working in most cases (even with workarounds such as single page application or enabling a DoS profile in transparent mode).

 

Is something like Device ID+ the solution for all of my problems? https://www.f5.com/products/security/shape-security/f5-device-idplus

  •  

    In my experience with an e-commerce website:

    The problem with the strict parameter 'verify before access' was about the marketing (SEO): the website was loaded twice, and I had a problem accessing a jpg or png image directly if I hadn't accessed the website before. I changed this parameter this morning to this one: "verify after access".

    But two anomalies appeared: High number of HTML transactions since JavaScript verification

    Browser Masquerading (Malicious Bot). ==> I tried to put this one with the "Alarm" action ==> Request still blocked.

    Browser verification timed out

    So I put it off and I'll open a ticket 😄

    Have a great one !

    • hab

      Hi my friend - did you by any chance find a solution for the following:

       

      But two anomalies appeared: High number of HTML transactions since JavaScript verification

      Browser Masquerading (Malicious Bot).

       

       

      I am facing the same issue. Any help will be appreciated.

  • Hello,

    The presence of the “X-Requested-With: XMLHttpRequest” header indicates that the request is sent by an AJAX call, which explains this malfunction. Indeed, the JavaScript that originates this call is not capable of responding to the challenge sent by the F5 gateway.

     

    The only way was to change the LTM policy configured:

    FOR AJAX CALLS:

    If an HTTP header named X-Requested-With exists at request time, then enable asm and disable botdefense.

    FOR API RESTful or SOAP:

    If the full string of the HTTP header named Content-Type contains any of json / XML at request time, then enable asm and disable botdefense.

     

    Nevertheless, this exception can open access to scrapers... So I still didn't do it.

    Have a great day,
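
An added example (not from the thread or from F5) that models the two exemption rules described in the post above and audits request records for clients whose traffic always bypasses bot defense, which is the scraper exposure the post mentions. The record shape, the `Sec-Fetch-Mode` heuristic and the `min_requests` threshold are assumptions, and the sample requests are constructed.

```python
from collections import defaultdict

def _norm(headers):
    """Lower-case header names and values for case-insensitive matching."""
    return {k.lower(): v.lower() for k, v in headers.items()}

def exempt_rule(headers):
    """Return which rule from the post would disable bot defense, or None."""
    h = _norm(headers)
    if "x-requested-with" in h:                       # "FOR AJAX CALLS" rule
        return "ajax"
    if any(t in h.get("content-type", "") for t in ("json", "xml")):
        return "api"                                  # "FOR API RESTful or SOAP" rule
    return None

def audit(requests, min_requests=3):
    """Flag clients whose use of the exemptions does not look like real AJAX/API traffic."""
    stats = defaultdict(lambda: {"total": 0, "exempt": 0, "navigations": 0})
    for r in requests:
        s = stats[r["client"]]
        s["total"] += 1
        if exempt_rule(r["headers"]):
            s["exempt"] += 1
            # Assumption: a genuine XHR/fetch never reports a top-level navigation.
            if _norm(r["headers"]).get("sec-fetch-mode") == "navigate":
                s["navigations"] += 1
    flagged = {}
    for client, s in stats.items():
        reasons = []
        # Every request exempt means the client never faced browser verification.
        if s["total"] >= min_requests and s["exempt"] == s["total"]:
            reasons.append("never challenged")
        if s["navigations"]:
            reasons.append("exempt navigation")
        if reasons:
            flagged[client] = reasons
    return flagged

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE = [
    {"client": "198.51.100.7", "headers": {"Accept": "text/html"}},
    {"client": "198.51.100.7", "headers": {"X-Requested-With": "XMLHttpRequest", "Sec-Fetch-Mode": "cors"}},
    {"client": "198.51.100.7", "headers": {"Content-Type": "application/json", "Sec-Fetch-Mode": "cors"}},
    {"client": "203.0.113.9", "headers": {"X-Requested-With": "XMLHttpRequest"}},
    {"client": "203.0.113.9", "headers": {"X-Requested-With": "XMLHttpRequest"}},
    {"client": "203.0.113.9", "headers": {"X-Requested-With": "XMLHttpRequest", "Sec-Fetch-Mode": "navigate"}},
]

if __name__ == "__main__":
    for client, reasons in audit(SAMPLE).items():
        print(client, reasons)
```

Clients flagged this way are candidates for rate limiting or for narrowing the exemption to specific URL paths rather than any request carrying the header.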