Forum Discussion

Nik_67256
Mar 05, 2012

CSRF Protection Query

Hello,

Have a query on CSRF protection. In ASM, in the Policies --> CSRF Protection screen, the user needs to specify the specific URLs of the webapp to protect. I ran an AppScan scan on my webapp (for URL discovery) and it threw about 700+ application URLs.

Query:

Does this mean I need to specify all these specific application URLs to completely protect my site, or is there any other way to do this?

regards,

Nik

  • Hi Nik,

    Can you use wildcards for this? At least in 11.1 ASM supports wildcards for the CSRF URL list.

    Aaron
  • Hello Aaron,

    I have ASM 10.2.2 running. I did try the wildcard expression, but don't think it works.

    I added https://siteURL/* in the CSRF protection page. I then did an explore with a scanner which conducted the CSRF tests. However, the ASM traffic learning screen did not flag it as an event.

    Queries

    1) Firstly, will this approach (described above) work in ASM version 11?

    2) How can CSRF protection be achieved in ASM version 10.2.2?

    regards

    Nik