No CAPTCHA - URL is not yet qualified for challenge injection

saidshow
Cirrus

Hi,


I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have configured. The help notes that this occurs when the URL is not yet qualified for challenge injection, but the help also provides no details how to correct this.


Can anyone assist? Assuming ASM policy: PolicyX and url: /LoginHere.aspx


Thank you


saidshow
Cirrus

Also curious if there is any official documentation around this?

Ivan_Chernenkii
F5 Employee

Hello,


What version of BIG-IP do you use and what type of login page do you configure in policy for BF?

In general, the URL must become qualified for challenge injection after about 10 valid requests to it.

Also, make sure that brute force prevention with CAPTCHA doesn't overlap some other criteria - if you configure several BF preventions, then it is possible that the block happens by some other criteria, which becomes valid before CAPTCHA.


Thanks, Ivan

saidshow
Cirrus

Hi, I am using BIG-IP v13. The only control I have in place on the Brute Force Protection page is IP - 5 fails in 15 mins. When I breach this rule, I get the ASM block page despite having the control set to "Alarm and CAPTCHA". I have logged in through this control legitimately a number of times, as have QA. I have retested the control and still get the block page. If I set it to "Alarm" instead of "Alarm and CAPTCHA", I simply generate the log with no log - that looks correct. From what I can tell, I need this page to qualify for challenge injection somehow. For the moment, I will try to log in a few more times legitimately and see if that looks any better. Thanks for the response.

Ivan_Chernenkii
F5 Employee

Does your /LoginHere.aspx contain an HTML tag in the response?

It must include an HTML tag to be qualified. If so, then you need to send 10 requests to /LoginHere.aspx (no need to log in); after that the URL should be qualified for challenge injection.

Thanks, Ivan


Erik_Novak
F5 Employee

Before brute force mitigation will be applied, ASM must see at least 10 responses in 5 minutes from the back-end application with a Content-Type header of text/html and a response code of 200. If you run this TMSH command you should see the list of all Qualified URLs: <tmsh list sys db dosl7.cs_qualified_urls>
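To make the qualification criteria from the two F5 replies above concrete, here is an added example (not F5 code and not the actual BIG-IP implementation) that models what ASM is described as checking before it will inject a CAPTCHA: a 200 response, a text/html Content-Type, an HTML tag in the body, and at least 10 such responses for the URL inside a 5-minute window. The tracker class, the function names and the constructed sample traffic for /LoginHere.aspx are assumptions used for illustration; the real counting logic on the device is not on this page. Running it shows why nine valid responses are not enough, why a redirect or JSON reply does not count, and why the count decays once traffic stops.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Qualification criteria as stated in this thread (assumption: combined from the
# two F5 replies; the exact BIG-IP logic is not documented on the page):
#   - response status 200
#   - Content-Type header text/html
#   - response body contains an <html> tag
#   - at least 10 such responses for the URL within a 5-minute window
REQUIRED_RESPONSES = 10
WINDOW = timedelta(minutes=5)
HTML_TAG = re.compile(r"<html[\s>]", re.IGNORECASE)


def response_qualifies(status, headers, body):
    """Return True if a single back-end response meets the per-response criteria."""
    if status != 200:
        return False
    ctype = ""
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == "content-type":
            ctype = value.lower()
            break
    if not ctype.startswith("text/html"):
        return False
    return HTML_TAG.search(body) is not None


class QualificationTracker:
    """Counts qualifying responses per URL inside a sliding 5-minute window (assumed model)."""

    def __init__(self):
        self.seen = defaultdict(list)  # url -> timestamps of qualifying responses

    def record(self, url, when, status, headers, body):
        """Feed one observed response; returns the current in-window count for the URL."""
        if response_qualifies(status, headers, body):
            self.seen[url].append(when)
        return self.count(url, when)

    def count(self, url, now):
        """Drop timestamps older than the window and return how many remain."""
        cutoff = now - WINDOW
        self.seen[url] = [t for t in self.seen[url] if t >= cutoff]
        return len(self.seen[url])

    def is_qualified(self, url, now):
        return self.count(url, now) >= REQUIRED_RESPONSES


def simulate():
    """Constructed sample traffic for /LoginHere.aspx; returns (before_10th, after_10th, after_idle)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    url = "/LoginHere.aspx"
    tracker = QualificationTracker()
    html_hdr = {"Content-Type": "text/html; charset=utf-8"}
    body = "<!DOCTYPE html><html><body><form method='post'>...</form></body></html>"

    # A redirect and a JSON reply do not count, even if the JSON body mentions <html>.
    tracker.record(url, t0, 302, {"Location": "/"}, "")
    tracker.record(url, t0, 200, {"Content-Type": "application/json"}, '{"html": "<html>"}')

    # Nine good responses, ten seconds apart: still short of the threshold.
    for i in range(9):
        tracker.record(url, t0 + timedelta(seconds=10 * i), 200, html_hdr, body)
    before = tracker.is_qualified(url, t0 + timedelta(seconds=90))

    # The tenth good response crosses the threshold.
    tracker.record(url, t0 + timedelta(seconds=100), 200, html_hdr, body)
    after = tracker.is_qualified(url, t0 + timedelta(seconds=100))

    # Roughly five minutes of silence later, every timestamp has aged out of the window.
    later = tracker.is_qualified(url, t0 + timedelta(minutes=6, seconds=41))
    return before, after, later


if __name__ == "__main__":
    print(simulate())  # (False, True, False)
```

The practical takeaway matches Erik's advice: browse the login page itself (not a redirect to it, and not a JSON endpoint behind it) at least ten times in a five-minute span, then confirm the entry appears in dosl7.cs_qualified_urls before retesting the CAPTCHA action.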