Forum Discussion
CSRF Protection not Working
implmentation of CSRF protection is very simple on f5 device , unfortunately it didn`t work with me and every attempt from my browser " firefox " to access the authenticated URL as "/authenticated/* " is blocked ...
as shown below , here are the javascript token added on page response but why f5 cannot detect this CSRF token !!!
script type="text/javascript"> !-- window["_csrf_"] = "080672e6ab84a0008fd244ab2571f208bfe3204574c6e527769d1127606cff47e44d7efd81a8416297bbec25adbe3c55a10fa3a3ec1061e32adbdd05c697677a31e70c3f284c5b441b92c973e9c7ef6ef767f94488efa7a7f1118c01228fbb42a420ea3f9e8401f18eb2b9c69a16bd35cbf424e7cdd787c2b8178f070c4942f7cfa56107dca8e2d31bbf8aaa476f1472704dc1ba72e035ff6c132d7ad8f384aceea21b0c29b269e1"; //--
Questions: 1- is there any other CSRF tokens should appear somewhere as i studied it should appear also on url as a paramter ??
2- what are the prerequisites for enabling CSRF ?
- samstepCirrocumulus
did you check why ASM blocked your access? is it really CSRF violation or something else? Are you sure are actually getting FALSE POSITIVE blocks?
One of the main problems with CSRF protection in ASM is that it is injecting tokens using JavaScript which may not be compatible wuth JavaScript in your application, see solution SOL11885: The cross-site request forgery protection feature may interfere with applications which use JavaScript
https://support.f5.com/kb/en-us/solutions/public/11000/800/sol11885.html
Also see sol11930:
Requirements for CSRF Protection
For the embedded links in an HTTP response to be protected with the CSRT token, the page must meet the following requirements:
The response must contain an HTML tag in the first packet. The response must not be compressed.
Also check out "Protecting against CSRF" Chapter in the ASM Manual: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/27.htmlunique_2079379720
Hope this helps,
Sam
- Ahmed_Eissa_206Nimbostratus
the attack signature is CSRF Attack ... i understood there is an issue with csrf regarding javascript , so could we fix this issue from the application side as changing some of javascript programming !!! ...
- not really understanding the question here. CSRF protection from ASM wont work in javascript, you can't solve that with more javascript unfortunately.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com