For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

saidshow's avatar
saidshow
Icon for Cirrus rankCirrus
Apr 28, 2020

No CAPTCHA - URL is not yet qualified for challenge injection

Hi,   I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have config...
ASM Advanced WAF
Brute
captcha
injection
javascript
security
saidshow's avatar
saidshow
Icon for Cirrus rankCirrus
May 05, 2020

Hi  , I am using BIG-IP v13. The only control I have in place on the Brute Force Protection page is IP - 5 fails in 15 mins. When I breach this rule, I get the ASM block page despite having the control set to "Alarm and CAPTCHA". I have logged in through this control legitimately a number of times as have QA. I have retested the control and still get the block page. If I set to "Alarm" instead of "Alarm and CAPTCHA" I simply generate the log with no log - that looks correct. From what I can tell I need this page to qualify for challenge injection somehow. For the moment, I will try to login a few more times legitimately and see if that looks any better. Thanks for the response.