Forum Discussion

Nimbostratus

Jul 12, 2015

[BIG-IP 4000s] Failed to protect Crosse-Site Request Forgery

Dear F5 Team, Our team did PoC of Cross-Site Request Forgery but it seemed that WAF cannot protect this attack. Our team said "For the CSRF protection, F5 will generate its own Javascript t...

ASM Advanced WAF

security

IT_Support_-_EC

Nimbostratus

Jul 14, 2015

We are also waiting for the answer from F5 guy that we did PoC together as well but that guy is still busy and he will be able to answer us again next week T_T. Anyway, our team that did PoC sent me some screenshots of what he has done;

"The F5 configuration we have done:

Enable blocking CSRF     
![Image Text](/Portals/0/Users/149/93/211093/file1.PNG)
Enable CSRF protection on the security.php link
![Image Text](/Portals/0/Users/149/93/211093/file2.PNG)
Ensure this CSRF configuration affected correct Virtual Server.

After configuration, some stranges we have got:

The request to security.php link without token is not blocked (file3.png)
![Image Text](/Portals/0/Users/149/93/211093/file3.PNG)
All F5 Javascripts are commented out when viewing the source-code of the page (file4.png)
![Image Text](/Portals/0/Users/149/93/211093/file4.PNG)
The F5 CSRF token not generated to the security.php link."

I think he already did try what your suggestions because after he saw your comments, he sent me the information above. By the way, we don't know if there is any special tool installed on the web server but i will check it later.

Thank you

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)