January 22, 2026

Technical Tip: Man in the Browser (MitB) protection: Encryption not working on the exchange OWA login page

Description

This article describes an issue where Man in the Browser (MitB) protection on FortiWeb does not encrypt the password field when accessing Microsoft Exchange OWA (Outlook Web Access). An administrator may observe that the password remains in plaintext in the POST request to auth.owa, even though MitB obfuscation works correctly for both the username and password fields. A fetch error may also appear in the browser's developer tools.

Scope

FortiWeb.
Solution

Problem description:

When Man in the Browser (MitB) Protection is enabled for the OWA authentication pages, password encryption may not function as expected.

 

Symptoms include:

  • The password value is visible in plaintext within the POST request.
  • A 'fetcherror' is displayed in the browser's developer tools (e.g., Firefox DevTools or a HAR export).
  • MitB obfuscation works properly, but encryption fails.

 

This behavior is due to OWA's built-in JavaScript form submission call (document.logonForm.submit();), which bypasses MitB's injected encryption script. Calling submit() directly does not fire the form's submit event, so the handler that MitB injects to encrypt the password never runs.

 

Solution:

A configuration adjustment and URL rewrite rule are required for MitB to correctly encrypt credentials on the OWA login form.

 

Below are the steps:

 

  1. Configure the MitB rule with explicit URLs.

Avoid using wildcard URLs (such as /owa/*) that may cause MitB to be triggered for multiple unrelated paths. Instead, configure the exact GET and POST URLs as shown below:

 

config waf mitb-rule
    edit "owa_mitb_rule"
        set request-type regular
        set request-url /owa/auth/logon.aspx
        set post-url /owa/auth.owa
        config protected-parameter-list
            edit "username"
            next
            edit "password"
                set type password-input
                set encrypt enable
            next
        end
        config allowed-external-domains-list
        end
        set ajaxcheck enable
    next
end

 

  2. Modify the OWA logon form behavior.

OWA's native script submits the form with a direct submit() call that prevents MitB's injected encryption logic from executing.

To fix this, a URL rewrite rule must change that call in the response body.

 

Create the following URL Rewrite Rule and assign it to the relevant Server Policy or URL Rewriting Policy protecting Exchange OWA.

 

config waf url-rewrite url-rewrite-rule
    edit "trig_submit"
        set action http-response-body-rewrite
        set body_replace "var submitEvent = new Event(\"submit\"); document.logonForm.dispatchEvent(submitEvent);document.logonForm.submit();"
        config match-condition
            edit 1
                set object http-body
                set reg-exp "document.logonForm.submit\\(\\);"
            next
        end
    next
end

 

This modification dispatches the form's submit event before the native submit() call, so MitB's injected JavaScript runs and encrypts the password field before the form is sent.
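To show why the rewrite matters, the following is an added Node.js model (not code from the article or from FortiWeb) of the two submission sequences. It uses Node's built-in EventTarget and Event; the LogonForm class, the field values and the "ENC[...]" encoding are constructed stand-ins for the real form and for FortiWeb's per-session encryption.

```javascript
// Constructed model of an OWA logon form. Like the DOM's HTMLFormElement,
// submit() sends the form WITHOUT firing the "submit" event, so listeners
// added by an injected script never run.
class LogonForm extends EventTarget {
  constructor() {
    super();
    // Constructed sample values; the field names mirror the article's
    // protected-parameter-list ("username", "password").
    this.fields = { username: "alice", password: "S3cret!" };
    this.posted = null; // what would go on the wire in the auth.owa POST
  }
  submit() {
    this.posted = { ...this.fields };
    return this.posted;
  }
}

// Stand-in for the MitB-injected handler: it transforms the password on
// the "submit" event before the browser sends the form. The base64 tag is
// only so the effect is visible; it is not FortiWeb's encryption.
function installMitbHandler(form) {
  form.addEventListener("submit", () => {
    const b64 = Buffer.from(form.fields.password).toString("base64");
    form.fields.password = "ENC[" + b64 + "]";
  });
}

// Native OWA behaviour: document.logonForm.submit();
function owaNativeSubmit(form) {
  return form.submit();
}

// Behaviour after the trig_submit body rewrite:
//   var submitEvent = new Event("submit");
//   document.logonForm.dispatchEvent(submitEvent);
//   document.logonForm.submit();
function owaRewrittenSubmit(form) {
  const submitEvent = new Event("submit");
  form.dispatchEvent(submitEvent); // runs the injected handler synchronously
  return form.submit();
}

// Runs both sequences on fresh forms and returns the resulting POST bodies.
function runBoth() {
  const nativeForm = new LogonForm(); installMitbHandler(nativeForm);
  const rewrittenForm = new LogonForm(); installMitbHandler(rewrittenForm);
  return { native: owaNativeSubmit(nativeForm), rewritten: owaRewrittenSubmit(rewrittenForm) };
}

console.log(runBoth()); // native.password stays plaintext; rewritten.password is ENC[...]
```

The native path reproduces the symptom in the article (plaintext password in the auth.owa POST); the rewritten path is what the verification step should show in DevTools.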

 

  3. Assign the rewrite rule.

Once created, assign the URL rewrite rule (trig_submit) to the URL Rewriting Policy linked to the Exchange OWA Server Policy.

  • Navigate to Web Protection -> URL Rewriting -> URL Rewrite Policy.
  • Edit the policy used by the Exchange OWA Server Policy.
  • Add the trig_submit rule.

 

Finally, apply and save the changes.

 

Verification:

  • Re-enable MitB protection for OWA.
  • Clear the browser cache and reload the OWA login page.
  • Open browser DevTools -> Network -> auth.owa POST request.
  • Confirm that the password field is encrypted (not visible in plaintext).

 

Conclusion:

The MitB encryption issue with Microsoft Exchange OWA occurs because OWA's direct form submission call bypasses the JavaScript that MitB injects.

By explicitly defining the URLs and using a URL Rewrite Rule to adjust form submission behavior, the MitB protection feature successfully encrypts the password field during login.

Related document:
Man in the Browser (MitB) Protection