Forum Discussion
CirrusASM uses TS cookies as well against CSRF
I understoof ASM injecting a token in fields on static HTML POST forms or cliende side scripts to protect against CSRF.
But i read somewhere that it uses as well the main TS cookie, how does it work exactly? An attacker can just replay the TS cookie...
2 Replies
samstepCirrocumulus
Yes, the ASM is indeed using a TS cookie to store the random token. This is described in Solution SOL11903:
https://support.f5.com/kb/en-us/solutions/public/11000/900/sol11903.html
This is a so-called Double-Submit Cookie Protection. It works because the attackers cannot read or modify the cookie value "cross-site" due to Same-Origin-Policy of browsers. Sure the attacker can replay cookies from the previous request, but it won't match the token in the next request.
OWASP CSRF Prevention Cheatsheet is a good resource for CSRF information, it describes Double-Submit Cookies among other protections, link here:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Hope this helps,
Sam
- boneyard
MVP
sources?
