Symptoms
A TCP RST is sent when a browser requests a fictive URL that starts with either of the following strings:
-- /TSPD/xxx...xxx?type=x
-- /TSbd/xxx...xxx?type=x
Impact
CSRF/Web Scraping/Single Page Application/AJAX Blocking page features might not work. This happens intermittently when the back-end server's HTML page (the one where the fictive URL is injected) is cached in the browser for more than two days.
Conditions
This occurs in either of the following scenarios:
-- ASM policy is attached to a virtual server, and any of the following is enabled: Cross-Site Request Forgery (CSRF), Web Scraping/Single Page Application/AJAX Blocking internal.
-- DoS profile with Single Page Application enabled is attached to a virtual server.
Workaround
Use an iRule to disable caching for HTML pages where a fictive URL is injected.
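A minimal iRule for this workaround, added here as an example and not taken from the vendor's article. It assumes that disabling caching for every text/html response on the virtual server is acceptable, because an iRule cannot tell which pages ASM injected a fictive URL into; the header values are a common no-cache set chosen for illustration.

```tcl
# Added example iRule: attach to the virtual server that has the ASM policy
# or DoS profile. Assumption: all HTML responses are made non-cacheable.
when HTTP_RESPONSE {
    # Only touch HTML documents; images, scripts and CSS stay cacheable.
    if { [string tolower [HTTP::header value "Content-Type"]] starts_with "text/html" } {
        # Tell the browser and intermediaries not to store the page.
        # "HTTP::header replace" inserts the header if it is not present.
        HTTP::header replace "Cache-Control" "no-store, no-cache, must-revalidate"
        HTTP::header replace "Pragma" "no-cache"
        HTTP::header replace "Expires" "0"
        # Drop validators so the browser has nothing to revalidate an old copy against.
        HTTP::header remove "ETag"
        HTTP::header remove "Last-Modified"
    }
}
```

Copies of the page that browsers cached before the iRule was attached are unaffected until they expire or are refreshed.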
Fix Information
The system now includes a new ASM Internal Parameter, 'disable_cache_upon_injection', which is disabled by default. When it is enabled, ASM disables caching headers on HTML responses where a fictive URL is injected.