Forum Discussion
IT_Support_-_EC
Nimbostratus
Jul 12, 2015
[BIG-IP 4000s] Failed to protect Cross-Site Request Forgery
Dear F5 Team,
Our team did a PoC of Cross-Site Request Forgery, but it seemed
that the WAF cannot protect against this attack. Our team said
"For the CSRF protection, F5 will generate its own Javascript t...
IT_Support_-_EC
Nimbostratus
Jul 15, 2015
Mr. Boneyard,
I got some good news for you. CSRF works now today after testing something, but we got some strange issues to tell you about, and this is the message from our team who tested this CSRF:
"Hey bro, don't give up. I've tested your case today and the good news is the CSRF has worked. But I have two strange cases, hope you can broaden my mind a little bit.
- The token was still not generated. (hovering the link)
- The CSRF now works. The difference I recognize between your test and mine is the appearance of the pair (test=test). Without it, the CSRF will not work. So with any URL list I want to protect that doesn't have (parameter=value), the CSRF protection will not work. Why? Anything to overcome this problem?
Btw, my F5 version: BIG-IP 11.5.1 Build 8.0.175 Hotfix HF8"
Thank you