CSRF Protection not Working

Question

implmentation of CSRF protection is very simple on f5 device , unfortunately it didn`t work with me and every attempt from my browser " firefox " to access the authenticated URL as "/authenticated/* " is blocked ...&nbsp;
as shown below , here are the javascript token added on page response  but why f5 cannot detect this CSRF token !!!&nbsp;
script type="text/javascript"&gt;
!--
window["_csrf_"] = "080672e6ab84a0008fd244ab2571f208bfe3204574c6e527769d1127606cff47e44d7efd81a8416297bbec25adbe3c55a10fa3a3ec1061e32adbdd05c697677a31e70c3f284c5b441b92c973e9c7ef6ef767f94488efa7a7f1118c01228fbb42a420ea3f9e8401f18eb2b9c69a16bd35cbf424e7cdd787c2b8178f070c4942f7cfa56107dca8e2d31bbf8aaa476f1472704dc1ba72e035ff6c132d7ad8f384aceea21b0c29b269e1";
//--

&nbsp;Questions:
1- is there any other CSRF tokens should appear somewhere as i studied it should appear also on url as a paramter ??&nbsp;
2- what are the prerequisites for enabling CSRF ?&nbsp;

samstep · Answer

did you check why ASM blocked your access? is it really CSRF violation or something else? Are you sure are actually getting FALSE POSITIVE blocks? &nbsp;
One of the main problems with CSRF protection in ASM is that it is injecting tokens using JavaScript which may not be compatible wuth JavaScript in your application, see solution SOL11885: The cross-site request forgery protection feature may interfere with applications which use JavaScript&nbsp;
https://support.f5.com/kb/en-us/solutions/public/11000/800/sol11885.html&nbsp;
Also see sol11930:&nbsp;
Requirements for CSRF Protection&nbsp;
For the embedded links in an HTTP response to be protected with the CSRT token, the page must meet the following requirements:&nbsp;
The response must contain an HTML tag in the first packet.
The response must not be compressed.&nbsp;
Also check out "Protecting against CSRF" Chapter in the ASM Manual:
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/27.htmlunique_2079379720&nbsp;
Hope this helps,&nbsp;
Sam&nbsp;

ahmed_eissa_206 · Answer

the attack signature is CSRF Attack ... i understood there is an issue with csrf regarding javascript , so could we fix this issue from the application side as changing some of javascript programming !!! ...

boneyard · Answer

not really understanding the question here. CSRF protection from ASM wont work in javascript, you can't solve that with more javascript unfortunately.

Forum Discussion

CSRF Protection not Working

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

L7 DoS Protection with NGINX App Protect DoS

Managing NGINX App Protect WAF for Beginners

Protecting gRPC based APIs with NGINX App Protect

F5 Essential App Protect: Go !

Knowledge sharing: Order of precedence for BIG-IP modules, ASM DDOS Protection, Bot Protection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS