Forum Discussion
15 Replies
I would advise you to read up on Cross Site Request Forgery and the mitigation of it.
https://en.wikipedia.org/wiki/Cross-site_request_forgery
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
In the end it comes down to the fact that you don't have to protect a request that doesn't carry data.
- IT_Support_-_ECNimbostratus
Thank you for your comment Mr. Boneyard,
After reading your comments, our team got a different opinion about the fact of not protecting a request that doesn't carry data and would like to share it with you (his tone may be a bit strong, but please think of him as your close friend, OK, Mr. Boneyard ^_^):
"The request without parameters doesn't carry data? Hey man, you're very wrong about this. How about data coming from HTTP headers, like the cookie or the HTTP Referer? Does that make sense?
Let's talk about an application that has one link to delete the account: /delete.php. Users can access this link to delete their account. The application recognizes the user based on their session_id (sent along with their cookie). So the user just accesses this link (without any parameters) to delete their account. Hey, tell me, guy, does it "carry data"? And how to protect against CSRF on this link?"
Thank you
Sure, an HTTP GET/POST without parameters does indeed carry some data, but in general not enough on its own to perform transactions. That is normally done with parameters, and that is what CSRF protection is designed for.
If you design your application as described above, you have a situation (although not very common in my opinion) where the F5 CSRF protection doesn't protect you.
That is a limitation of the product. If you want a foolproof solution specific to your situation, you gotta build it yourself at lots of effort. A solution like F5 ASM will protect you with less effort, but up to a point; it can't cover every possible situation.
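The /delete.php scenario above (a cookie-authenticated, parameterless request that changes state) is exactly the case a synchronizer token has to cover when the product does not. The following is an added example, not code from this thread and not F5 ASM's behaviour: a small request handler with a constructed in-memory session store and account table, where the cookie carries the identity but a state change is only accepted on POST and only with a token bound to the session. The request model (method, path, headers, form), the `/csrf-token` endpoint and the helper names are assumptions made for illustration.

```python
"""Synchronizer-token CSRF protection for a parameterless, cookie-authenticated
state-changing endpoint such as /delete.php.

Added example for the forum discussion; not the thread's or F5 ASM's code.
The request model (method, path, headers dict, form dict), the session store
and the account table are all constructed for illustration.
"""
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "csrf": ...}
SESSIONS = {}
# Constructed account table: username -> True while the account is active
ACCOUNTS = {}


def create_session(user):
    """Log a user in: create a session and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    ACCOUNTS.setdefault(user, True)
    return sid


def _session_from_cookie(headers):
    """Identity rides in the Cookie header; this is the 'data' the request
    carries even when it has no parameters, and the browser attaches it to
    cross-site requests automatically."""
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session_id" and value in SESSIONS:
            return value, SESSIONS[value]
    return None, None


def _csrf_token_valid(session, headers, form):
    """Accept the token from a custom header or a form field and compare it
    in constant time against the value bound to this session."""
    presented = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), session["csrf"].encode())


def handle_request(method, path, headers=None, form=None):
    """Minimal dispatcher. Returns (status_code, body)."""
    headers = headers or {}
    form = form or {}
    sid, session = _session_from_cookie(headers)
    if session is None:
        return 401, "login required"

    if path == "/delete.php":
        # Rule 1: state changes never happen on GET, so a plain link or an
        # <img src=...> fetched by the browser cannot trigger the deletion.
        if method != "POST":
            return 405, "use POST"
        # Rule 2: even a POST must carry the session-bound token. A cross-site
        # page gets the cookie sent for free but cannot read the token.
        if not _csrf_token_valid(session, headers, form):
            return 403, "missing or invalid CSRF token"
        ACCOUNTS[session["user"]] = False
        del SESSIONS[sid]
        return 200, "account deleted"

    if path == "/csrf-token":
        # A same-origin page fetches its token here and embeds it in the
        # delete form (or sends it in the X-CSRF-Token header).
        return 200, session["csrf"]

    return 404, "not found"


if __name__ == "__main__":
    sid = create_session("alice")
    cookie = {"Cookie": "session_id=" + sid}
    print(handle_request("GET", "/delete.php", cookie))            # (405, 'use POST')
    print(handle_request("POST", "/delete.php", cookie))           # (403, ...)
    token = handle_request("GET", "/csrf-token", cookie)[1]
    print(handle_request("POST", "/delete.php",
                         {**cookie, "X-CSRF-Token": token}))       # (200, 'account deleted')
```

The two rules are independent: refusing GET stops the trivial link-in-an-email case, and the token stops a cross-site auto-submitting form. Marking the session cookie `SameSite=Lax` or `Strict` adds a further layer, but it is browser-dependent, so the server-side token check stays the control you rely on.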
- IT_Support_-_ECNimbostratus
Thank you for your comment Mr. Boneyard,
Our team got what we wanted to know through your message and would like to thank you for making us understand and helping us along the way with this case.
Thank you so much
- You are welcome; you can flag your question as answered if you feel it is.