Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

AWAF Brute Force protection not working for HTML Web application

Abouja
Nimbostratus
Nimbostratus

‎24-Sep-2022 14:53

Hi Team,

I have configured login page and Brute force protection for my web application but it is not working:

The content-type of the request is Content-Type: application/x-www-form-urlencoded
below is the configuration of Login page with HTML form authentication type:

Abouja_0-1664055854975.png

this is the inspection result of the login page:

Abouja_1-1664056043675.png

Abouja_2-1664056072960.png

We need your support please.

 

Thanks,

Ahmed

 

Labels:
0 Kudos
1 REPLY 1

Mohamed_Salah_
MVP
MVP

‎25-Sep-2022 09:28

Hello Ahmed,

Please make sure that the brute force settings in the learning and blocking settings is enabled, (blocked).

and modify the brute force profile and select the login page created in the ASM policy inside the brute force protection. if you have finished these steps, you can start changing the login condition:

  • for example try expected status code "302" as the response was 302.
  • or unexpected status code, for example "200"
  • Or unexpected string in the response and check for a string that shows when you login with wrong credntials, for example "login failed".

All of these results (expected and unexpected) can be found in the developer tool inside the response and headers tab.

 

Copyright © 2023 Khoros, LLC