Forum Discussion
CSRF Protection not Working
Did you check why ASM blocked your access? Is it really a CSRF violation or something else? Are you sure you are actually getting FALSE POSITIVE blocks?
One of the main problems with CSRF protection in ASM is that it is injecting tokens using JavaScript, which may not be compatible with JavaScript in your application; see solution SOL11885: The cross-site request forgery protection feature may interfere with applications which use JavaScript
https://support.f5.com/kb/en-us/solutions/public/11000/800/sol11885.html
Also see sol11930:
Requirements for CSRF Protection
For the embedded links in an HTTP response to be protected with the CSRF token, the page must meet the following requirements:
* The response must contain an HTML tag in the first packet.
* The response must not be compressed.
Also check out the "Protecting against CSRF" chapter in the ASM Manual: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/27.html#unique_2079379720
Hope this helps,
Sam
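
A way to check a raw HTTP response against the two sol11930 requirements quoted above, as an added example that is not part of the original post or of F5's tooling. It assumes "first packet" means roughly one TCP segment (1460 bytes, adjustable) and that "an HTML tag" means the opening `<html>` element; the function name and sample responses are constructed for illustration.

```python
import re

# Assumption: "first packet" is approximated by a typical Ethernet TCP payload
# size (MSS 1460 bytes); adjust for your path MTU.
FIRST_PACKET_BYTES = 1460
# Assumption: "an HTML tag" is read as the opening <html> element.
HTML_TAG = re.compile(rb"<html[\s>]", re.IGNORECASE)


def check_csrf_injection_requirements(raw_response: bytes,
                                      first_packet: int = FIRST_PACKET_BYTES):
    """Return a list of reasons the response fails the two requirements
    quoted above; an empty list means both are met."""
    head, sep, _body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return ["malformed response: no header/body separator"]
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()

    problems = []
    encoding = headers.get(b"content-encoding", b"identity")
    if encoding not in (b"", b"identity"):
        problems.append("response is compressed (Content-Encoding: %s)"
                        % encoding.decode("ascii", "replace"))
    # Headers and body share the first segment, so a large header block
    # (many Set-Cookie lines, for instance) pushes the tag out of it.
    match = HTML_TAG.search(raw_response)
    if match is None:
        problems.append("no <html> tag in response")
    elif match.end() > first_packet:
        problems.append("<html> tag ends at byte %d, beyond first %d bytes"
                        % (match.end(), first_packet))
    return problems


# Constructed sample responses (not captured traffic).
OK = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
      b"<!DOCTYPE html><html><body><a href='/transfer'>x</a></body></html>")
GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           b"Content-Encoding: gzip\r\n\r\n\x1f\x8b\x08\x00")
LATE_TAG = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            + b"Set-Cookie: pad=" + b"a" * 1500 + b"\r\n\r\n<html></html>")

if __name__ == "__main__":
    for name, resp in (("ok", OK), ("gzipped", GZIPPED), ("late", LATE_TAG)):
        print(name, check_csrf_injection_requirements(resp))
```

A response that fails either check will not get the token injected into its links, so subsequent requests from that page can show up as CSRF violations.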