Forum Discussion

saidshow's avatar
Icon for Cirrus rankCirrus
Apr 28, 2020

No CAPTCHA - URL is not yet qualified for challenge injection



I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have configured. The help notes that this occurs when the URL is not yet qualified for challenge injection, but the help also provides no details how to correct this.


Can anyone assist? Assuming ASM policy: PolicyX and url: /LoginHere.aspx


Thank you

7 Replies

  • Before brute force mitigation will be applied, ASM must see at least 10 responses in 5 minutes from the back-end application with a Content-Type header of text/html and a response code of 200. If you run this TMSH command you should see the list of all Qualified URLS: <tmsh list sys db dosl7.cs_qualified_urls> 

    • Nikoolayy1's avatar
      Icon for MVP rankMVP

      I needed to qualify urls also for captcha and from my tests the variable works but it is for manually to add urls as dynamicly added qualified urls will not be seen in this variable as they are probably saved in memory.

  • Also curious if there is any official documentation around this?

  • Hello,


    What version of BIG-IP do you use and what type of login page do you configure in policy for BF?

    In general, URL must become qualified for challenge injection after about 10 valid request to it.

    Also, make sure that brute force prevention with CPATCHA doesn't overlapping some other criteria - if you configure several BF preventions, then it is possible that block happens by some other criteria, which becomes valid before CAPTCHA


    Thanks, Ivan

  • Hi  , I am using BIG-IP v13. The only control I have in place on the Brute Force Protection page is IP - 5 fails in 15 mins. When I breach this rule, I get the ASM block page despite having the control set to "Alarm and CAPTCHA". I have logged in through this control legitimately a number of times as have QA. I have retested the control and still get the block page. If I set to "Alarm" instead of "Alarm and CAPTCHA" I simply generate the log with no log - that looks correct. From what I can tell I need this page to qualify for challenge injection somehow. For the moment, I will try to login a few more times legitimately and see if that looks any better. Thanks for the response.

  • Does your /LoginHere.aspx contain HTML tag in response?

    It must include HTML tag to be qualified. If this is so, then you need to send 10 requests to /LoginHere.aspx (no need to login), after that URL should be qualified for challenge injections.

    Thanks, Ivan

  • I tried to bypass sanitize_data() since I know that it’s the only way to inject at invoiceid knowing that sanitize_data() was removing SQL queries I had to be more creative so I chained multiple keywords together MCDVOICE