Forum Discussion

SerhiiR's avatar
SerhiiR
Icon for Nimbostratus rankNimbostratus
Mar 15, 2023

ASM Brute Force Protection feature inserts the script to response headers. How it may be removed?

Hello,

We have faced with a problem, when Brure Force Protection feature inserts the script to response header. I have pasted the script below. The fact is that script is inserted for each application resource URL and break some of its functions. From the configuration of Brute Force Protection, we have only one login page with Username and IP Addres protection and Alarm and CAPTCHA mitigation. Additionaly we have Distributed Brute Force Protection being configured. for Alarm and CAPTCHA mitigation. No Client Side Integrity Bypass Mitigation and CAPTCHA Bypass Mitigation.

Any ideas how to switch of the script insert and move on with simple User login attempts tracking only?

-----the script-----

<script type="text/javascript">
(function(){
window.PXtt=!!window.PXtt;try{(function(){(function(){})();var b=81;try{var ba,da,ma=c(71)?0:1;for(var pa=(c(608),0);pa<da;++pa)ma+=(c(854),3);ba=ma;window.Pa===ba&&(window.Pa=++ba)}catch(a){window.Pa=ba}var e=!0;function f(a,d){a+=d;return a.toString(36)}function sa(a){var d=42;a&&(document[p(d,160,147,157,147,140,147,150,147,158,163,125,158,139,158,143)]&&document[p(d,160,147,157,147,140,147,150,147,158,163,125,158,139,158,143)]!==f(68616527624,d)||(e=!1));return e}
function p(a){var d=arguments.length,g=[];for(var h=1;h<d;++h)g.push(arguments[h]-a);return String.fromCharCode.apply(String,g)}function va(){}sa(window[va[f(1086773,b)]]===va);sa(typeof ie9rgb4!==p(b,183,198,191,180,197,186,192,191));sa(RegExp("\x3c")[f(1372124,b)](function(){return"\x3c"})&!RegExp(f(42808,b))[f(1372124,b)](function(){return"'x3'+'d';"}));
var wa=window[t(b,178,197,197,178,180,185,150,199,182,191,197)]||RegExp(t(b,190,192,179,186,205,178,191,181,195,192,186,181),f(-63,b))[t(b,197,182,196,197)](window["\x6e\x61vi\x67a\x74\x6f\x72"]["\x75\x73e\x72A\x67\x65\x6et"]),xa=+new Date+(c(66)?883940:6E5),ya,Aa,Ca,Da=window[p(b,196,182,197,165,186,190,182,192,198,197)],Ga=wa?c(280)?41740:3E4:c(40)?5090:6E3;
document[p(b,178,181,181,150,199,182,191,197,157,186,196,197,182,191,182,195)]&&document[p(b,178,181,181,150,199,182,191,197,157,186,196,197,182,191,182,195)](p(b,199,186,196,186,179,186,189,186,197,202,180,185,178,191,184,182),function(a){var d=53;document[t(d,171,158,168,158,151,158,161,158,169,174,136,169,150,169,154)]&&(document[t(d,171,158,168,158,151,158,161,158,169,174,136,169,150,169,154)]===f(1058781930,d)&&a[p(d,158,168,137,167,170,168,169,154,153)]?Ca=!0:document[t(d,171,158,168,158,151,
158,161,158,169,174,136,169,150,169,154)]===f(68616527613,d)&&(ya=+new Date,Ca=!1,z()))});function z(){if(!document[t(86,199,203,187,200,207,169,187,194,187,185,202,197,200)])return!0;var a=+new Date;if(a>xa&&(c(971)?357226:6E5)>a-ya)return sa(!1);var d=sa(Aa&&!Ca&&ya+Ga<a);ya=a;Aa||(Aa=!0,Da(function(){Aa=!1},c(151)?0:1));return d}z();var Ia=[c(518)?10764609:17795081,c(13)?27611931586:2147483647,c(291)?1738068546:1558153217];
function t(a){var d=arguments.length,g=[];for(var h=1;h<d;h++)g[h-1]=arguments[h]-a;return String.fromCharCode.apply(String,g)}function Ja(a){var d=75;a=typeof a===f(1743045601,d)?a:a[t(d,191,186,158,191,189,180,185,178)](c(919)?20:36);var g=window[a];if(!g||!g[t(d,191,186,158,191,189,180,185,178)])return;var h=""+g;window[a]=function(k,l){Aa=!1;return g(k,l)};window[a][p(d,191,186,158,191,189,180,185,178)]=function(){return h}}for(var Ka=(c(361),0);Ka<Ia[f(1294399124,b)];++Ka)Ja(Ia[Ka]);
sa(!1!==window[t(b,161,169,197,197)]);window.Ea=window.Ea||{};window.Ea.Tb="0872e5a9b7194000fb04471cd1841afc6bba0c62c7db56573b9c11b63d25ddd1c1a44f037a57d1166fd77c497d0714ca9ba53a24cbbac8c76c2c3d741c020071564ba89bfedd964f";function B(a){var d=+new Date;if(!document[t(20,133,137,121,134,141,103,121,128,121,119,136,131,134,85,128,128)]||d>xa&&(c(136)?480406:6E5)>d-ya)var g=sa(!1);else g=sa(Aa&&!Ca&&ya+Ga<d),ya=d,Aa||(Aa=!0,Da(function(){Aa=!1},c(580)?0:1));return!(arguments[a]^g)}function c(a){return 33>a}(function La(a){return a?0:La(a)*La(a)})(!0);})();}catch(x){}finally{ie9rgb4=void(0);};function ie9rgb4(a,b){return a>>b>>0};

})();

</script>

3 Replies

  • Hi SerhiiR,

    this looks like Device ID is enabled in your bot defense profile. Can you verify?
    For Login Page protection you can use Device ID, I'd even recommend to use it. But in case it causes an issue with your application, you may either debug why your app has a problem with sideband loading of JS or just switch the Device ID feature off.

    KR
    Daniel 

    • SerhiiR's avatar
      SerhiiR
      Icon for Nimbostratus rankNimbostratus

      Hello Daniel,

      Thank you for the recommendation. But we do not have the bot defense profile at all. From the Brute Force Protection configuration, the device ID is switched to Never Trigger.

      • Other features that might cause JavaScript injection.

        1. Analytics profiles
        2. CSRF protection
        3. DoS protection profile using Client Side Integrity Defense.