Case insensitivity in ASM Brute Force username and/or password elements

I never got a response on this question. What I ended up doing was working with our application teams to ensure that our client code would always send the usernames/passwords with a given case, and then I implemented a Brute Force policy for that known-good scenario, and wrote an iRule to deny any requests that do not conform to this casing, knowing that they would all be illegitimate. I'm sure there are other ways of solving this, but I'm still not sure about the "best approach". Another way I considered was having a dedicated ASM policy just for Brute Force where the whole policy defined as case insensitive, and using a Local Traffic Policy that looked for our application's login URIs and using this dedicated policy in that scenario. I hope these ideas help.

Hi Colin, thank you for some ideas how you handled the situation. Problem with your second approach is, that even if the whole security policy is case insensitive, that parameters configured on JSON/AJAX login page are handled as case sensitive. This inconsistency drives me crazy, as there isn't any reasonable solution for this. I am thinking about contacting support to ask them if this is a bug or a feature :) Our application accepts any case for parameter names (eg. pArAmEtEr), but Login page in case insensitive policy expects exact single case format (parameter, or Parameter, whatever I configure there). Thus it is pretty straightforward how to bypass whole bruteforce protection, just by changing the case of parameter name.