Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

ColinConrad's avatar
ColinConrad
Icon for Nimbostratus rankNimbostratus
Feb 26, 2020

Case insensitivity in ASM Brute Force username and/or password elements

I have a login page I'm attempting to enable brute force protection for (JSON/AJAX auth type), and it supports username and password JSON elements that are case insensitive from our application's per...
ASM Advanced WAF
security
guly's avatar
guly
Icon for Nimbostratus rankNimbostratus
Mar 23, 2021

Hi guys, I'm facing the same issue as you do. Did you get any response from support? This is really unexpected behaviour, when the whole policy is case insensitive.

 

Thanks.

ColinConrad's avatar
ColinConrad
Icon for Nimbostratus rankNimbostratus
Mar 23, 2021

I never got a response on this question. What I ended up doing was working with our application teams to ensure that our client code would always send the usernames/passwords with a given case, and then I implemented a Brute Force policy for that known-good scenario, and wrote an iRule to deny any requests that do not conform to this casing, knowing that they would all be illegitimate. I'm sure there are other ways of solving this, but I'm still not sure about the "best approach". Another way I considered was having a dedicated ASM policy just for Brute Force where the whole policy defined as case insensitive, and using a Local Traffic Policy that looked for our application's login URIs and using this dedicated policy in that scenario. I hope these ideas help.