Forum Discussion

Findus
Jan 24, 2019

ASM Brute Force login mitigation with Captcha

I have a question regarding the ASM brute force login mitigation feature using captchas. Based on the failed logins setting, the user gets challenged with a captcha. After solving the captcha successfully, the user gets redirected back to the login page. Entering the correct credentials this time forces another captcha challenge! If this is solved successfully, the user is allowed to enter the website.

I can't understand this last captcha challenge, because the user has entered the correct credentials before. He shouldn't be challenged again at this point.

The sequence when using captchas is not documented in that much detail, so could it be that the last captcha is one too many? Has anyone had a similar experience, or does anyone know how ASM should work at this stage?

Tested with versions 13.1.1.2 and 14.1.

Rgds, Peter

 

3 Replies

  • I have never seen this on the v12.1.x branch, so it is difficult to comment for v13/14; this potentially might be related to your application specifics or configuration details. Also the problem might be in the 'Re-enable login after' settings - do you have it configured?

  • You shouldn't get the 2nd CAPTCHA. Although I have seen some difference in behavior when hitting enter after solving the CAPTCHA vs actually clicking on the button. Do you have 2 illegal request log entries when you have this issue?

  • Just to let you know - the above described login sequence with captcha challenges works as designed. I clarified this via a support ticket.

    Final answer from support:

    "The Engineering Services team confirmed this is the expected behaviour. Only when the customer key in the correct captcha response when login was successful (meaning the right set of credentials before the challenge) would he not be challenged again in subsequent login requests."
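To make the rule in the support answer concrete, here is an added toy model (not F5 code, and not taken from this thread) of a per-username brute-force guard: the CAPTCHA challenge is only cleared when the CAPTCHA is solved on a request whose credentials are correct, which is why the standalone CAPTCHA solve followed by a correct login still produces the second challenge the poster saw. The threshold, user names and passwords are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class LoginState:
    """Constructed per-user tracking state for the toy model."""
    failures: int = 0
    challenged: bool = False


class BruteForceGuard:
    """Model of a failed-login threshold with a CAPTCHA challenge.

    Assumed rule (from the support answer): the challenge flag is cleared
    only when a correct CAPTCHA response arrives together with correct
    credentials. A CAPTCHA solved on its own just sends the user back to
    the login page and leaves the challenge in place.
    """

    def __init__(self, valid_credentials, threshold=3):
        self.valid = valid_credentials      # {username: password}, constructed
        self.threshold = threshold          # "failed logins" setting
        self.state = {}

    def attempt(self, user, password=None, captcha_ok=None):
        st = self.state.setdefault(user, LoginState())
        creds_ok = password is not None and self.valid.get(user) == password

        if st.challenged:
            if captcha_ok is None:          # no CAPTCHA response: must solve one first
                return "captcha_required"
            if not captcha_ok:
                return "captcha_failed"
            if password is None:            # CAPTCHA solved alone: back to login page
                return "redirect_to_login"
            if creds_ok:                    # CAPTCHA + correct credentials: clears it
                st.challenged = False
                st.failures = 0
                return "allowed"
            st.failures += 1                # CAPTCHA + wrong password: stays challenged
            return "denied"

        if creds_ok:
            st.failures = 0
            return "allowed"
        st.failures += 1
        if st.failures >= self.threshold:   # too many failures: start challenging
            st.challenged = True
        return "denied"
```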