F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Brute Force protection for single parameter like OTP

Brute Force Protection for single parameter This can be achieved with the help of ASM Data Guard & Session tracking 1. Log all request & response to record valid OTP request & invalid OTP request/...
Published Jul 19, 2022
Version 1.0
security
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Oct 08, 2022

An awsome article that has so many use cases ! One of them for me is the PIN guessing bank attack as in this the PIN is usually in a single parameter.

The attacker tries to create a co-browsing connection with the agent. To do this, the attacker hopes to guess the PIN that the collaboration server uses to verify the connection between the visitor and the agent. By default, this is a six-digit number. If the attacker types the PIN before the visitor does, the collaboration server will create the co-browsing connection between the attacker and the agent.

There are a number of ways the attacker might learn the PIN:

  • By guessing, that is, by repeatedly connecting to the collaboration server using different PINs, until a number used by the attacker matches one used by the collaboration server.

  • By intercepting the PIN when it’s transmitted via telephone. This can be done in various ways, for example by hacking a phone or by listening in on the conversation.

  • By intercepting the PIN when it’s transmitted over the network after the visitor has entered it.