Hello,

What version of BIG-IP do you use and what type of login page do you configure in policy for BF?

In general, URL must become qualified for challenge injection after about 10 valid request to it.

Also, make sure that brute force prevention with CPATCHA doesn't overlapping some other criteria - if you configure several BF preventions, then it is possible that block happens by some other criteria, which becomes valid before CAPTCHA

Thanks, Ivan

Hi  , I am using BIG-IP v13. The only control I have in place on the Brute Force Protection page is IP - 5 fails in 15 mins. When I breach this rule, I get the ASM block page despite having the control set to "Alarm and CAPTCHA". I have logged in through this control legitimately a number of times as have QA. I have retested the control and still get the block page. If I set to "Alarm" instead of "Alarm and CAPTCHA" I simply generate the log with no log - that looks correct. From what I can tell I need this page to qualify for challenge injection somehow. For the moment, I will try to login a few more times legitimately and see if that looks any better. Thanks for the response.

Does your /LoginHere.aspx contain HTML tag in response?

It must include HTML tag to be qualified. If this is so, then you need to send 10 requests to /LoginHere.aspx (no need to login), after that URL should be qualified for challenge injections.

Thanks, Ivan

I tried to bypass sanitize_data() since I know that it’s the only way to inject at invoiceid knowing that sanitize_data() was removing SQL queries I had to be more creative so I chained multiple keywords together MCDVOICE

Before brute force mitigation will be applied, ASM must see at least 10 responses in 5 minutes from the back-end application with a Content-Type header of text/html and a response code of 200. If you run this TMSH command you should see the list of all Qualified URLS: <tmsh list sys db dosl7.cs_qualified_urls>