Forum Discussion

yosry92_331999
Dec 25, 2017

How can I block brute force on 2 separate login parameters in 2 different pages?

How can I block brute force for 2 separate parameters in 2 different pages?

The application has the username on the first page; when you enter it, it redirects to the password page. Can I block brute force in that case?

Does this way of authentication in the application prevent brute force without applying F5 brute force protection?

If I use a brute force tool, can I use it to brute force 2 separate parameters in 2 different pages?

5 Replies

  • Jeff_Maddox_394
    Historic F5 Account

    Does the password page only get presented with a valid username, or does it accept any username and then presents the credential pair with the submit action on the password page?


  • Hello,

    I used this kind of deployment in an identity federation (SAML). I first asked for the username for IdP discovery, in order to forward the user to the IdP he is attached to... Then I asked for the password.

    I tried to do it with the ASM without success (I'm not sure that's possible on 2 different contexts with ASM) and finally I did it with the APM, with LocalDB lockout... Are you using APM?

    Regards,

  • Hi,

    You can try code like this (not tested).

    It captures the username in the first request, then stores it for the next request.

    When the user sends the password, it inserts the username into the payload to allow ASM brute force protection.

    When ASM has allowed the request, it replaces the payload with the previous one (in the HTTP_REQUEST_SEND event).

    when HTTP_REQUEST {
        if {[HTTP::uri] equals "/login"} {
            # replace the cookie name by the application cookie used to follow the session
            set key [HTTP::cookie value mycookie]
            if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576} {
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check that $content_length is not set to 0 before collecting the body
            if {$content_length > 0} {
                HTTP::collect $content_length
            }
        }
    }

    when HTTP_REQUEST_DATA {
        # without a session cookie the two requests cannot be correlated; pass the request through unchanged
        if {$key eq ""} {
            HTTP::release
            return
        }
        if {[set username [URI::query "?[HTTP::payload]" username]] ne ""} {
            # first page: remember the username for this session (300s idle timeout, 900s lifetime)
            table set -subtable BruteForceProtection $key $username 300 900
        } elseif {[URI::query "?[HTTP::payload]" password] ne ""} {
            # second page: fetch the stored username and append it to the payload ASM will inspect
            set username [table lookup -subtable BruteForceProtection $key]
            set payload [HTTP::payload]
            HTTP::payload replace 0 [HTTP::payload length] "$payload&username=$username"
            set plength [HTTP::payload length]
            HTTP::release
        }
    }

    when HTTP_REQUEST_SEND {
        # ASM has already evaluated the request; restore the original payload before it goes to the server
        if {[info exists payload]} {
            HTTP::payload replace 0 $plength $payload
            unset payload
        }
    }
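    As an added illustration, not code from the reply above and not F5's own, the following Python models what that iRule does with the two /login POSTs: what ASM gets to inspect versus what the application receives, the session table's idle timeout (300s) and lifetime (900s), and the case where the session cookie is missing. The cookie name, field names and sample bodies are assumptions.

```python
"""Model of the two-step login stitching described in the reply (constructed example)."""
from urllib.parse import parse_qs, urlencode

TIMEOUT = 300   # idle timeout, as in `table set ... 300 900`
LIFETIME = 900  # absolute lifetime of the entry


class UsernameTable:
    """Mimics a BIG-IP subtable: a lookup refreshes the idle timer, the lifetime is absolute."""

    def __init__(self):
        self._rows = {}  # key -> (username, last_access, created)

    def set(self, key, username, now):
        self._rows[key] = (username, now, now)

    def lookup(self, key, now):
        row = self._rows.get(key)
        if row is None:
            return None
        username, last, created = row
        if now - last > TIMEOUT or now - created > LIFETIME:
            del self._rows[key]
            return None
        self._rows[key] = (username, now, created)  # lookup touches the entry
        return username


def stitch_request(table, cookie, body, now):
    """Return (payload_inspected_by_asm, payload_sent_to_app) for one /login POST."""
    form = parse_qs(body)  # blank values are dropped, like the iRule's `ne ""` check
    if not cookie:
        return body, body  # no session key: nothing to correlate, request untouched
    if "username" in form:
        table.set(cookie, form["username"][0], now)  # first page: remember the username
        return body, body
    if "password" in form:
        username = table.lookup(cookie, now)
        if username is None:
            return body, body  # entry expired: ASM only sees the password field
        stitched = body + "&" + urlencode({"username": username})
        return stitched, body  # ASM sees the pair, the app gets the original body
    return body, body
```

    The expired-entry and missing-cookie branches are the cases where ASM's per-username counting silently stops working, which is the caveat to test before relying on this setup.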