Forum Discussion

Nimbostratus

Jul 12, 2015

[BIG-IP 4000s] Failed to protect Crosse-Site Request Forgery

Dear F5 Team, Our team did PoC of Cross-Site Request Forgery but it seemed that WAF cannot protect this attack. Our team said "For the CSRF protection, F5 will generate its own Javascript t...

ASM Advanced WAF

security

boneyard

MVP

Jul 13, 2015

not sure i understand you 100%.

you say CSRF protection was enabled, but when it was checked in the browser the code that would make it work was commented out, so not active?

that sounds very weird, are you very sure this was the case? did the person testing this actual try requests, was the token inserted in the URL?

if it really didn't work, was it tried with different browsers? different versions? weren't there any special tools installed on the systems that were tested with that caused this?

also you say you did a PoC, was that done with a F5 partner or F5 SE? have you contacted them about this?

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)