Forum Discussion
15 Replies
Not sure I understand you 100%.
You say CSRF protection was enabled, but when it was checked in the browser, the code that would make it work was commented out, so it was not active?
That sounds very weird; are you very sure this was the case? Did the person testing this actually try requests? Was the token inserted in the URL?
If it really didn't work, was it tried with different browsers? Different versions? Weren't there any special tools installed on the systems that were tested with that caused this?
Also, you say you did a PoC; was that done with an F5 partner or F5 SE? Have you contacted them about this?
- IT_Support_-_ECNimbostratus
We are also waiting for an answer from the F5 guy we did the PoC together with, but he is still busy and will be able to answer us next week T_T. Anyway, our team member who did the PoC sent me some screenshots of what he has done:
"The F5 configuration we have done:
- Enable blocking CSRF ![Image Text](/Portals/0/Users/149/93/211093/file1.PNG)
- Enable CSRF protection on the security.php link ![Image Text](/Portals/0/Users/149/93/211093/file2.PNG)
- Ensure this CSRF configuration affects the correct Virtual Server.
After configuration, we got some strange results:
- The request to the security.php link without a token is not blocked (file3.png) ![Image Text](/Portals/0/Users/149/93/211093/file3.PNG)
- All F5 JavaScripts are commented out when viewing the source code of the page (file4.png) ![Image Text](/Portals/0/Users/149/93/211093/file4.PNG)
- The F5 CSRF token is not generated for the security.php link."
I think he already tried your suggestions, because after he saw your comments he sent me the information above. By the way, we don't know if there is any special tool installed on the web server, but I will check it later.
Thank you
- IT_Support_-_ECNimbostratus
I would personally, certainly in a PoC, enable all three options in the blocking section for CSRF.
I checked in my lab; I get the same situation with the commented-out script blocks, but it works fine.
Where exactly is the token expected where it doesn't show? Remember there are cases where it isn't added, especially in dynamically generated code.
- IT_Support_-_ECNimbostratus
Mr. Boneyard,
This is the reply from our team after reading your comments:
"- I had tried enabling all three options (alarm, learn, block), but it didn't help.
- This is not the dynamically generated code case (the security.php link is static in the homepage).
- I want to see the F5 CSRF token generated with the security.php link, but that didn't happen. And F5 didn't block the CSRF violation when I accessed security.php without a token."
Thank you
Where do they expect to see the token? It won't be in your HTML code; it is only added when the request is actually submitted. The easiest way to see this is by hovering over the link (if there is a link), or by doing a request and capturing the content.
- IT_Support_-_ECNimbostratus
Thank you for your comments, Mr. Boneyard.
Our team told me that they had already done everything you suggested to find the token, by hovering over the link, making requests, and capturing the content, but there was no sign of it at all, even though it should have been generated for security.php. Do you have any ideas?
Thank you
Nothing beyond some configuration error or bug somewhere. Which version are you using?
At this stage I would take a step back and try something very simple. Create an HTML page with a link that has some parameter, like this:
- IT_Support_-_ECNimbostratus
Thank you for your kind support, Mr. Boneyard.
I will have our team check if there is any configuration error or bug somewhere and take a simple step back to see if there is any difference, although our team already tried it for almost one full day without success. We will let you know when there is progress on this issue.
Thank you for your kind support again.
- IT_Support_-_ECNimbostratus
Mr. Boneyard,
I have some good news for you. CSRF works now, after testing something today, but we have some strange issues to tell you about. This is the message from our team member who tested this CSRF:
"Hey bro, don't give up. I've tested your case today and the good news is the CSRF has worked. But I have two strange cases; I hope you can broaden my mind a little bit.
- The token was still not generated (hovering over the link).
- The CSRF now works. I recognize that the difference between your test and mine is the presence of the pair (test=test). Without it, the CSRF will not work. So for any URL in the list I want to protect that doesn't have a (parameter=value) pair, the CSRF protection will not work. Why? Is there anything to overcome this problem?
Btw, my F5 version: BIG-IP 11.5.1 Build 8.0.175 Hotfix HF8"
Thank you
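The two points raised in this thread, that the token is appended at request time rather than being visible in the page source, and that protection appeared to depend on the link already carrying a `parameter=value` pair, can be illustrated with a small self-contained model. The following is an added example, not F5 code and not a description of how BIG-IP ASM is implemented: the parameter name `csrf_token`, the `PROTECTED_PATHS` list, the sample token and the "naive" injector are all constructed for illustration. It contrasts an injector that only appends to an existing query string (one hypothetical way the reported symptom could arise) with one that also handles bare paths and fragments, and runs both through a simple enforcement check.

```javascript
// Added illustration (not F5 code): a client-side CSRF token injector that
// rewrites a protected link at click time, plus the matching enforcement
// check. All names, paths and the token value below are constructed samples.

const PROTECTED_PATHS = ["/security.php"]; // constructed protected-URL list

// Constructed sample token; a real one would be issued per session.
const SAMPLE_TOKEN = "EXAMPLE_TOKEN_0123456789";

// Hypothetical naive injector: appends the token only when the URL already
// has a query string. A bare URL with no "name=value" pair is returned
// unchanged, so it would reach the enforcement point without a token.
function naiveInject(url, token) {
  if (url.includes("?")) {
    return url + "&csrf_token=" + encodeURIComponent(token);
  }
  return url;
}

// Corrected injector: handles bare paths, existing query strings and
// fragments, so every protected URL carries the token.
function inject(url, token) {
  const hashIdx = url.indexOf("#");
  const fragment = hashIdx >= 0 ? url.slice(hashIdx) : "";
  const base = hashIdx >= 0 ? url.slice(0, hashIdx) : url;
  const sep = base.includes("?") ? "&" : "?";
  return base + sep + "csrf_token=" + encodeURIComponent(token) + fragment;
}

// Is the path component of this URL on the protected list?
function isProtected(url) {
  const path = url.split(/[?#]/)[0];
  return PROTECTED_PATHS.includes(path);
}

// Enforcement side: a protected request must carry a csrf_token that matches
// the expected value. Returns "allow" or "block". Uses a constant-time
// comparison so a mismatch does not leak its position through timing.
function enforce(url, expectedToken) {
  if (!isProtected(url)) return "allow";
  const query = url.split("#")[0].split("?")[1] || "";
  const got = new URLSearchParams(query).get("csrf_token");
  if (got === null || got.length !== expectedToken.length) return "block";
  let diff = 0;
  for (let i = 0; i < got.length; i++) {
    diff |= got.charCodeAt(i) ^ expectedToken.charCodeAt(i);
  }
  return diff === 0 ? "allow" : "block";
}

// Simulated click: the href is rewritten only at request time, which is why
// the token never appears in the static page source. Returns the URL that
// would actually be sent and the enforcement decision for it.
function simulateClick(href, injector, token) {
  const rewritten = isProtected(href) ? injector(href, token) : href;
  return { rewritten, decision: enforce(rewritten, token) };
}

// Stand-alone demo over the two link shapes discussed in the thread.
function demo() {
  const links = ["/security.php", "/security.php?test=test"];
  const rows = [];
  for (const href of links) {
    for (const [name, fn] of [["naive", naiveInject], ["fixed", inject]]) {
      const r = simulateClick(href, fn, SAMPLE_TOKEN);
      rows.push(`${name.padEnd(5)} ${href.padEnd(26)} -> ${r.rewritten} [${r.decision}]`);
    }
  }
  return rows;
}

for (const line of demo()) console.log(line);
```

In the demo, the naive injector leaves `/security.php` untouched and the request is blocked (no token at all), while `/security.php?test=test` is protected by both injectors; the corrected injector protects both link shapes. Whatever the real cause of the behaviour reported above, the practical check is the same one suggested earlier in the thread: capture the request that is actually sent, not the page source, and confirm the token is present for links with and without an existing query string.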