Forum Discussion
[BIG-IP 4000s] Failed to protect against Cross-Site Request Forgery
Dear F5 Team,
Our team did a PoC of Cross-Site Request Forgery, but it seemed that the WAF cannot protect against this attack. Our team said:
"For the CSRF protection, F5 will generate its own JavaScript to the browser. The problem is that when I view the source of the webpage, all F5 JS is commented out, so it cannot work."
Could you help us check how to make the WAF protection against CSRF work?
Thank you
15 Replies
Not sure I understand you 100%.
You say CSRF protection was enabled, but when it was checked in the browser the code that would make it work was commented out, so not active?
That sounds very weird. Are you very sure this was the case? Did the person testing this actually try requests? Was the token inserted in the URL?
If it really didn't work, was it tried with different browsers? Different versions? Were there any special tools installed on the systems used for testing that could have caused this?
Also, you say you did a PoC. Was that done with an F5 partner or F5 SE? Have you contacted them about this?
- IT_Support_-_EC
Nimbostratus
We are also waiting for an answer from the F5 guy we did the PoC with, but he is still busy and will only be able to answer us again next week T_T. Anyway, our team member who did the PoC sent me some screenshots of what he has done:
"The F5 configuration we have done:
- Enable blocking CSRF
- Enable CSRF protection on the security.php link
- Ensure this CSRF configuration affected the correct Virtual Server.
After configuration, some strange things we have got:
- The request to the security.php link without a token is not blocked (file3.png)
- All F5 JavaScripts are commented out when viewing the source code of the page (file4.png)
- The F5 CSRF token is not generated for the security.php link."
I think he already tried your suggestions, because after he saw your comments he sent me the information above. By the way, we don't know if there is any special tool installed on the web server, but I will check it later.
Thank you
- IT_Support_-_EC
Nimbostratus
I would personally, certainly in a PoC, enable all three options in the blocking section for CSRF.
I checked in my lab; I get the same situation with the comment on the script blocks, but it works fine.
Where exactly is the token expected where it doesn't show? Remember there are cases where it isn't added, especially in dynamically generated code.
- IT_Support_-_EC
Nimbostratus
Mr. Boneyard,
This is the reply from our team after reading your comments:
"- I had tried enabling all three options (alarm, learn, block) but it did not help
- This is not the dynamically generated code case (the security.php link is static on the homepage)
- I want to see the F5 CSRF token generated with the security.php link, but that did not happen. And F5 did not block the CSRF violation when I accessed security.php without a token."
Thank you
Where do they expect to see the token? It won't be in your HTML code; it is only added when the request is actually submitted. The easiest way to see this is by hovering over the link (if there is a link), or by doing a request and capturing the content.
- IT_Support_-_EC
Nimbostratus
Thank you for your comments, Mr. Boneyard.
Our team told me that they had already done everything you suggested to find the token, by hovering over the link, requesting, and capturing the content, but there was no sign of it at all, although it should have been generated for security.php. Do you have any ideas?
Thank you
Nothing beyond some configuration error or bug somewhere. Which version are you using?
At this stage I would take a step back and try something very simple. Create an HTML page with a link that has some parameter, so like this
- IT_Support_-_EC
Nimbostratus
Thank you for your kind support, Mr. Boneyard.
I will ask our team to check if there is any configuration error or bug somewhere and to take a simple step back to see if there is any difference, although our team already tried it for almost one full day without success before. We will let you know when there is progress on this issue.
Thank you for your kind support again
- IT_Support_-_EC
Nimbostratus
Mr. Boneyard,
I have some good news for you. CSRF works now, after testing something, but we got some strange issues to tell you about. This is the message from our team member who tested this CSRF:
"Hey bro, don't give up. I've tested your case today and the good news is the CSRF has worked. But I have two strange cases; hope you can broaden my mind a little bit.
- The token was still not generated (hovering over the link).
- The CSRF now works. I recognize the difference between your test and mine is the presence of the pair (test=test). Without it, the CSRF will not work. So for any URL in the list I want to protect that doesn't have a (parameter=value), the CSRF protection will not work. Why? Anything to overcome this problem?
Btw, my F5 version: BIG-IP 11.5.1 Build 8.0.175 Hotfix HF8"
Thank you
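One way the PoC team could verify the behaviour discussed above (the token is only appended when the request is submitted, and in their tests only to URLs that already carried a parameter pair) is to run a checker over captured outgoing requests. This is an added example, not code from the thread or from F5; the token parameter name, host and captured URLs are assumed placeholders.

```javascript
// Added example, not from the thread or from F5: a small checker a tester can
// run over captured outgoing request URLs to see which requests to the
// protected path actually carried the WAF-appended CSRF token.
// TOKEN_PARAM is a placeholder; read the real parameter name from a captured
// request on your own BIG-IP version.
const TOKEN_PARAM = "csrf_token_placeholder";

// Summarise one captured request: does it hit the protected path, does it
// carry any query parameter at all, and does it carry the token parameter?
function inspectRequest(rawUrl, protectedPath, tokenParam = TOKEN_PARAM) {
  const url = new URL(rawUrl);
  const params = [...url.searchParams.keys()];
  return {
    url: rawUrl,
    protectedPath: url.pathname === protectedPath,
    hasAnyParam: params.length > 0,
    hasToken: url.searchParams.has(tokenParam),
  };
}

// Return only the requests that should have been protected but carried no
// token. The thread's observation is encoded in the reason: a protected URL
// with no "name=value" pair at all is the case where the token was never
// appended, which is distinct from a token missing despite parameters.
function findUnprotected(capturedUrls, protectedPath, tokenParam = TOKEN_PARAM) {
  return capturedUrls
    .map((u) => inspectRequest(u, protectedPath, tokenParam))
    .filter((r) => r.protectedPath && !r.hasToken)
    .map((r) => ({
      url: r.url,
      reason: r.hasAnyParam
        ? "token missing although the URL has parameters"
        : "URL has no parameter pair, token never appended",
    }));
}

// Constructed sample capture (not real traffic): four requests seen in a lab.
const SAMPLE_CAPTURE = [
  "http://app.example.test/security.php",
  "http://app.example.test/security.php?test=test&csrf_token_placeholder=abc123",
  "http://app.example.test/security.php?test=test",
  "http://app.example.test/index.php",
];

// Expected: two findings, the bare security.php URL and the one with
// test=test but no token; index.php is outside the protected path.
console.log(findUnprotected(SAMPLE_CAPTURE, "/security.php"));
```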