CSRF protection blocks the whole website instead of csrf attacks only

Question

Hi everybody
Working on a VE 11.5.4 I need to activate the CSRF protection that my application does not provide.&nbsp;
The pb is that once activated, ASM blocks everything instead of a real attack. So the website becomes blocked by ASM. Thus, it looks like every navigation on the website is a false positive.&nbsp;
I also noticed in the response pages that the code inserted looks like put in comment and I wonder if it's supposed to be commented or if there's a bug out there :&nbsp;

Does anyone get a hint ?&nbsp;

l-cisirh-bt-net · Answer

the code i mentionned is :
!-- 
csrf = { pn : "csrt", pv : '18196769039293321355', vh : [  ], vu : [ /^\/(.\/).$/ ], f : 0, f_cancel_onload : 0 };
if (typeof is_ajsp_running == "undefined") { is_ajsp_running = false; }
//--&nbsp;

samstep · Answer

First of all you need to make use you use CSRF only on URLs which need it (have CSRF vulnerability e.g. transactions)  and these URLs to the Protected URLs list in ASM CSRF screen.&nbsp;
Secondly: &nbsp;
Version 11.5.4 has a known CSRF bug (ID474256) causing False Positive, more information here&nbsp;
https://cdn.f5.com/product/bugtracker/ID474256.html&nbsp;
So if you are affected (CSRF protection is needed in frames) then you need to upgrade to v12.x&nbsp;

Forum Discussion

CSRF protection blocks the whole website instead of csrf attacks only

2 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Beyond REST: Protecting GraphQL

L7 DoS Protection with NGINX App Protect DoS

Managing NGINX App Protect WAF for Beginners

F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions

Troubeshooting website connection