I'll add that ASM is designed to protect against XSRF, XSS (and many other) attacks using both positive and negative validation of requests. There are character sets which define valid characters in parameter names, parameter values, headers and the object. There are a set of default regular expressions against these same components which validate the request does not contain malicious patterns. Custom regexes can be added as well. ASM also enforces length restrictions which limit how big the total request, header, parameter and parameter values can be.
iRules can help provide good specific security. ASM provides a more comprehensive package of validations and protection. I would imagine you could talk with an F5 salesperson to get more specifics on ASM.
Aaron