Forum Discussion
[BIG-IP 4000s] Failed to protect against Cross-Site Request Forgery
Thank you for your comment Mr. Boneyard,
After reading your comments, our team has a different opinion about not protecting a request that doesn't carry data, and would like to share it with you (his tone may be a bit strong, but please think of him as your close friend, OK, Mr. Boneyard? ^_^)
"The request without parameters doesn't carry data? Hey man, you're very wrong about this. How about data coming from HTTP headers, like the cookie or the HTTP Referer? Does that make sense?
Let's talk about an application that has one link to delete the account: /delete.php. The user can access this link to delete their account. The application recognizes the user based on their session_id (sent along with their cookie). So the user just accesses this link (without any parameters) to delete their account. Hey, tell me, guy, does it "carry data"? And how do you protect this link against CSRF?"
Thank you
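As an added illustration of the scenario described in the post (example code written for this thread, not code from the original post, from F5 or from BIG-IP ASM): a parameterless /delete.php-style handler that acts on the session cookie alone, beside a hardened version that only accepts a POST carrying a per-session synchronizer token and checks the Origin header as defence in depth. The in-memory session store, the request dictionaries and the site origin are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": token}
SESSIONS = {}
SITE_ORIGIN = "https://example.com"  # assumed origin of the application


def new_session(user):
    """Create a session and bind a fresh synchronizer (CSRF) token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session_for(request):
    return SESSIONS.get(request.get("cookies", {}).get("session_id"))


def delete_account_vulnerable(request):
    """The post's scenario: no parameters, but the browser-attached cookie
    alone is enough to authorise a destructive action, so a cross-site
    GET (an <img> tag, a link) succeeds."""
    sess = _session_for(request)
    if sess is None:
        return 401, "not logged in"
    return 200, "deleted " + sess["user"]


def delete_account_protected(request):
    """Hardened handler: the state change requires a POST, a matching Origin
    when the browser sends one, and a token that lives in the page, not in
    a cookie, so a forged request cannot carry it automatically.
    (Marking the session cookie SameSite=Lax or Strict adds another layer.)"""
    sess = _session_for(request)
    if sess is None:
        return 401, "not logged in"
    if request.get("method") != "POST":
        return 405, "state changes must use POST"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    token = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so token checks do not leak timing information.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, "deleted " + sess["user"]
```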