Forum Discussion

小白's avatar
小白
Icon for Cirrus rankCirrus
Mar 03, 2022

crsf Incorrect interception

After I have configured crsf protection and my attack is intercepted, why will my normal operation be intercepted, and the normal access of other devices under the same LAN is also intercepted. I thi...
crsf
security
SamCo's avatar
SamCo
Icon for Cirrus rankCirrus

Hello,

With the limited information we have on your configuration, it's hard to help you.

Anyhow, an ASM policy and related configuration is only taking effect on the virtual servers it is applied on.

So if it is having side effect on pool member outside of the one you wish, it is probably they are embedded on a virtual server you affect the configuration to. In that case, you could use the LTM policies to refine the URL and then pool member that are affected by the ASM policy.

Cheers

Sam

小白's avatar
小白
Icon for Cirrus rankCirrus
Mar 08, 2022

Not so. I mean, after my computer IP attacks this vs, other computer IP's normal access to this vs is also blocked. Why is this

  • SamCo's avatar
    SamCo
    Icon for Cirrus rankCirrus
    Mar 08, 2022

    Ok, I realize i did not understand you were speaking about client sharing the same subnet, not servers.

    From my understanding, the CSRF blocking you configured is matching normal application trafic. It's hard to explain why without more detail on your configuration and application.

    Cheers,

    Sam

    • 小白's avatar
      小白
      Icon for Cirrus rankCirrus
      Mar 08, 2022

      when 192.168.1.21  attack  vs,blocking,this right

      but,when another ip 192.168.1.61 ,normal access to this url is also blocked,Why is that?

       

      • SamCo's avatar
        SamCo
        Icon for Cirrus rankCirrus
        Mar 08, 2022

        I never go deep into csrf protection with F5 actually. Looking a this page could be a good start : https://support.f5.com/csp/article/K11930

        CSRF violations

        When the system detects a CSRF attack on a protected page, such as a request for a URL that does not include the appropriate token, the system issues a CSRF attack detected violation. 

        To prevent token hijacking, the system also supports token aging. If the token is expired, the system issues a CSRF authentication expired violation.

        Looking at your URL, there is no token in the URL of the request that are send when you send ant attack, and there is one when you send a legitimate request. When it could be related to expiration in this token.

        Cheers,

        Sam

    • 小白's avatar
      小白
      Icon for Cirrus rankCirrus
      Mar 08, 2022

      This my policy's setting

       

       

      • SamCo's avatar
        SamCo
        Icon for Cirrus rankCirrus
        Mar 08, 2022

        10 seconds as expiration time is too short for a human i think, set at least 5 minutes if there is a form to fill,

        Cheers

        Sam