Forum Discussion

Ahmed_Eissa_206's avatar
Ahmed_Eissa_206
Icon for Nimbostratus rankNimbostratus
Sep 09, 2015

CSRF Protection not Working

implmentation of CSRF protection is very simple on f5 device , unfortunately it didn`t work with me and every attempt from my browser " firefox " to access the authenticated URL as "/authenticated/* " is blocked ...

 

as shown below , here are the javascript token added on page response but why f5 cannot detect this CSRF token !!!

 

script type="text/javascript"> !-- window["_csrf_"] = "080672e6ab84a0008fd244ab2571f208bfe3204574c6e527769d1127606cff47e44d7efd81a8416297bbec25adbe3c55a10fa3a3ec1061e32adbdd05c697677a31e70c3f284c5b441b92c973e9c7ef6ef767f94488efa7a7f1118c01228fbb42a420ea3f9e8401f18eb2b9c69a16bd35cbf424e7cdd787c2b8178f070c4942f7cfa56107dca8e2d31bbf8aaa476f1472704dc1ba72e035ff6c132d7ad8f384aceea21b0c29b269e1"; //--

 

Questions: 1- is there any other CSRF tokens should appear somewhere as i studied it should appear also on url as a paramter ??

 

2- what are the prerequisites for enabling CSRF ?

 

3 Replies

  • did you check why ASM blocked your access? is it really CSRF violation or something else? Are you sure are actually getting FALSE POSITIVE blocks?

     

    One of the main problems with CSRF protection in ASM is that it is injecting tokens using JavaScript which may not be compatible wuth JavaScript in your application, see solution SOL11885: The cross-site request forgery protection feature may interfere with applications which use JavaScript

     

    https://support.f5.com/kb/en-us/solutions/public/11000/800/sol11885.html

     

    Also see sol11930:

     

    Requirements for CSRF Protection

     

    For the embedded links in an HTTP response to be protected with the CSRT token, the page must meet the following requirements:

     

    The response must contain an HTML tag in the first packet. The response must not be compressed.

     

    Also check out "Protecting against CSRF" Chapter in the ASM Manual: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/27.htmlunique_2079379720

     

    Hope this helps,

     

    Sam

     

  • the attack signature is CSRF Attack ... i understood there is an issue with csrf regarding javascript , so could we fix this issue from the application side as changing some of javascript programming !!! ...

     

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      not really understanding the question here. CSRF protection from ASM wont work in javascript, you can't solve that with more javascript unfortunately.