Mitigating “Sentry MBA” - Credentials Stuffing Threat
The “credentials stuffing” attack technique has become a very popular way to brute force user accounts through web applications’ login pages. Instead of trying to guess a certain user password from a g...
Published Jan 17, 2017
Version 1.0
Maxim_Zavodchik
Historic F5 Account
Joined May 04, 2019
samstep
Oct 16, 2017
Cirrocumulus
Where this fails miserably is on mobile apps and AJAX/JSON API requests, as these do not support JavaScript, and as a result ASM simply blindly blocks all traffic. CAPTCHA is also not working here, as CAPTCHA image responses do not work with JSON/API responses. Further work is needed by the ASM Product Development team to introduce more programmability of ASM features such as Brute Force protection and CAPTCHA in iRules.