CSRF protection blocks the whole website instead of csrf attacks only

Question

Hi everybody
Working on a VE 11.5.4 I need to activate the CSRF protection that my application does not provide.&nbsp;
The pb is that once activated, ASM blocks everything instead of a real attack. So the website becomes blocked by ASM. Thus, it looks like every navigation on the website is a false positive.&nbsp;
I also noticed in the response pages that the code inserted looks like put in comment and I wonder if it's supposed to be commented or if there's a bug out there :&nbsp;

Does anyone get a hint ?&nbsp;

l-cisirh-bt-net · Answer

the code i mentionned is :
!-- 
csrf = { pn : "csrt", pv : '18196769039293321355', vh : [  ], vu : [ /^\/(.\/).$/ ], f : 0, f_cancel_onload : 0 };
if (typeof is_ajsp_running == "undefined") { is_ajsp_running = false; }
//--&nbsp;

samstep · Answer

First of all you need to make use you use CSRF only on URLs which need it (have CSRF vulnerability e.g. transactions)  and these URLs to the Protected URLs list in ASM CSRF screen.&nbsp;
Secondly: &nbsp;
Version 11.5.4 has a known CSRF bug (ID474256) causing False Positive, more information here&nbsp;
https://cdn.f5.com/product/bugtracker/ID474256.html&nbsp;
So if you are affected (CSRF protection is needed in frames) then you need to upgrade to v12.x&nbsp;

Forum Discussion

CSRF protection blocks the whole website instead of csrf attacks only

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

irule to enable http/2 acceleration

VS FORWARDING & ROUTE

Statistics ›› Analytics : HTTP : Overview

SNI Sites not taking correct certificate.

Related Content

L7 DoS Protection with NGINX App Protect DoS

Beyond REST: Protecting GraphQL

Cookie-based DDoS protection

Protecting gRPC based APIs with NGINX App Protect

Managing NGINX App Protect WAF for Beginners

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS