Bruteforce configuration issue with x-www-urlencoded

Question

Hello, &nbsp;
We have the following brute-force configuration issue with the x-www-urlencoded application content-type, on our:  BIG-IP Version  13.1.1 &nbsp;
We have a login page test-app.domain.co.il/login which POSTS to test-api.domain.co.il/Token&nbsp;
Headers are (not working request, and essentially an issue itself): &nbsp;

And the invalid username or password response header looking like this: &nbsp;

While testing with the Postman using "form-data" request, the F5 successfully catches and blocks the brute force request. The Postman request itself (working request):&nbsp;

&nbsp;
At the Brute-force configuration we have tried the “JSON/ AJAX Request”  and the “HTML form”  methods, but with no luck.. &nbsp;
We will appreciate any help. &nbsp;
Thanks!&nbsp;

stanislas_piro2 · Answer

Hi,&nbsp;you can try this code with "Basic Authentication" configured in ASM login page&nbsp; Collect a request payload
when HTTP_REQUEST {
    set app ""
    if {[HTTP::method] eq "POST" &amp;&amp; [HTTP::path] starts_with "/Token" &amp;&amp; [scan [HTTP::header "Content-Type"] {multipart/form-data; boundary=%s} boundary]} {
         Trigger collection for up to 1MB of data
        if {[HTTP::header "Content-Length"] ne "" &amp;&amp; [HTTP::header "Content-Length"] &lt;= 1048576} {
        set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
         Check if $content_length is not set to 0
        if { $content_length &gt; 0} {
            HTTP::collect $content_length
        }
    }
}

when HTTP_REQUEST_DATA {

foreach item [split [string map [list "--$boundary" "|"] [HTTP::payload]] "|"] {
        if {$item == "" || $item == "--"} {
            continue
        }
        set fields [split [string map {"

" "|"} [string trim $item]] "|"]
        if {[llength $fields] &lt; 2} {
            continue
        }
        if {[string match {*name="name"*} [lindex $fields 0]] } {
            set username [lindex $fields 1]
            puts "username is $username"
        } elseif {[string match {*name="password"*} [lindex $fields 0]] } {
            set password [lindex $fields 1]
            puts "password is $password"
        }
    }
    if {[info exists username] &amp;&amp; [info exists password]} {
        HTTP::header insert Authorization "Basic [b64encode "$username:$password"]"
    }
    unset -nocomplain item fields
    HTTP::release
}

when HTTP_REQUEST_RELEASE {
    HTTP::header remove Authorization
}this code parse multipart content and insert username and password in a Basic auth header... then remove it before sending it to the server...&nbsp;This code is not tested... please test it and update this thread...&nbsp;

Forum Discussion

Bruteforce configuration issue with x-www-urlencoded

1 Reply

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Certificate Expiry Email alert configuration

Getting Started with BIG-IP Next: Configuring Instance High Availability

F5 BIG-IP SSL Orchestrator Configuration with Advanced WAFaaS

Manage F5 BIG-IP Advanced WAF Configuration Drift with webhooks and GitOps

BIG-IP vWire Configuration