ASM Brute Force login mitigation with Captcha

I have a question regarding the ASM brute force login mitigation feature using captchas. Based on the failed logins setting the user gets challenged with a captcha. After solving the captcha successfully the user gets redirected back to the login page. Entering the correct credentials this time forces another captcha challenge! If this is solved successfully the user is allowed to enter the website.

I can't understand this last captcha challenge because the user has entered the correct credentials before. He shouldn't be challenged again at this point.

The sequence when using captchas is not documented in that very detail, so could it be that the last captcha is one too many? Has anyone had a similar experience, or does anyone know how ASM should work at this stage?

Tested with versions 13.1.1.2 and 14.1.

Rgds, Peter

Comments on this Question
Comment made 3 weeks ago by leonline 116

You shouldn't get the 2nd CAPTCHA. Although I have seen some difference in behavior when hitting enter after solving the CAPTCHA vs actual clicking on the button. Do you have 2 illegal request log entries when you have this issue?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have never seen this on v12.1.x branch, so difficult to comment for v13/14, this potentially might be related to your application specifics or configuration details. Also the problem might be in 'Re-enable login after' settings - do you have it configured?

Comments on this Answer
Comment made 3 weeks ago by Peter 182

Unfortunately there is no "Re-enable login after" setting anymore in v13.1 & 14.

While digging through the documentation I found the following statement within https://support.f5.com/csp/article/K18650749:

"Note that successful logins do not reset the failed login attempts over the detection period."

But even this statement doesn't fully explain the observed behaviour.

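An added illustrative model, not F5's code and not posted by anyone in this thread, of a failed-login counter over a detection period: it shows how the K18650749 note that successful logins do not reset the counter can leave a client in the challenged state even when it submits correct credentials, and contrasts that with a counter that does reset on success. The threshold, detection period and client key are constructed assumptions, not ASM settings.

```python
from collections import deque


class LoginMitigationModel:
    """Simplified model of a per-client failed-login counter (not ASM's implementation).

    A client is challenged whenever it has at least `max_failures` failed logins
    inside the sliding `detection_period`. `reset_on_success` is an assumption
    knob: K18650749 says successes do NOT reset the counter, so the default is False.
    """

    def __init__(self, max_failures=3, detection_period=60, reset_on_success=False):
        self.max_failures = max_failures
        self.detection_period = detection_period
        self.reset_on_success = reset_on_success
        self.failures = {}  # client key -> deque of failure timestamps

    def _window(self, key, now):
        """Drop failures that fell out of the detection period and return the rest."""
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] >= self.detection_period:
            q.popleft()
        return q

    def needs_challenge(self, key, now):
        return len(self._window(key, now)) >= self.max_failures

    def record_attempt(self, key, now, credentials_ok):
        """Record one login attempt and return whether a challenge is required now."""
        q = self._window(key, now)
        if credentials_ok:
            if self.reset_on_success:
                q.clear()
        else:
            q.append(now)
        return self.needs_challenge(key, now)


def replay_scenario(reset_on_success=False):
    """Replay the sequence from the question: three failures, then two correct logins.

    Timestamps (seconds) and the client key are constructed sample data.
    """
    model = LoginMitigationModel(max_failures=3, detection_period=60,
                                 reset_on_success=reset_on_success)
    client = "client-A"
    attempts = [(0, False), (1, False), (2, False), (5, True), (100, True)]
    return [model.record_attempt(client, t, ok) for t, ok in attempts]
```

With the documented behaviour (no reset) the correct login at t=5 is still challenged because the three failures remain inside the 60-second window; only the login at t=100, after the window has lapsed, passes without a challenge.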