F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

IT_Support_-_EC's avatar
IT_Support_-_EC
Icon for Nimbostratus rankNimbostratus
Jul 12, 2015

[BIG-IP 4000s] Failed to protect Crosse-Site Request Forgery

Dear F5 Team,   Our team did PoC of Cross-Site Request Forgery but it seemed that WAF cannot protect this attack. Our team said   "For the CSRF protection, F5 will generate its own Javascript t...
ASM Advanced WAF
security
boneyard's avatar
boneyard
Icon for MVP rankMVP
Jul 16, 2015

sure a HTTP GET / POST without parameters does indeed carry some data, but in general not enough on itself to perform transactions. that is normally done with parameters and that is what CSRF protection is designed for.

 

if you design your application as described above you have a situation (although not very common in my opinion) where the F5 CRSF protection doesn't protect you.

 

that is a limitation of the product. if you want a full proof solution specific for your situation you gotta build it yourself at lots of effort. a solution like F5 ASM will protect you with less effort but upto a point, it can't cover every possible situation.