Dear F5 Team, Our team did PoC of Cross-Site Request Forgery but it seemed that WAF cannot protect this attack. Our team said "For the CSRF protection, F5 will generate its own Javascript to browser. The problem is when I viewsource the webpage, all F5 JS are commented out, so it cannot work" Could you help us check how to make WAF against CSRF work? Thank you

not sure i understand you 100%. you say CSRF protection was enabled, but when it was checked in the browser the code that would make it work was commented out, so not active? that sounds very weird, are you very sure this was the case? did the person testing this actual try requests, was the token inserted in the URL? if it really didn't work, was it tried with different browsers? different versions? weren't there any special tools installed on the systems that were tested with that caused this? also you say you did a PoC, was that done with a F5 partner or F5 SE? have you contacted them about this?

We are also waiting for the answer from F5 guy that we did PoC together as well but that guy is still busy and he will be able to answer us again next week T_T. Anyway, our team that did PoC sent me some screenshots of what he has done; "The F5 configuration we have done: Enable blocking CSRF ![Image Text](/Portals/0/Users/149/93/211093/file1.PNG) Enable CSRF protection on the security.php link ![Image Text](/Portals/0/Users/149/93/211093/file2.PNG) Ensure this CSRF configuration affected correct Virtual Server.After configuration, some stranges we have got: The request to security.php link without token is not blocked (file3.png) ![Image Text](/Portals/0/Users/149/93/211093/file3.PNG) All F5 Javascripts are commented out when viewing the source-code of the page (file4.png) ![Image Text](/Portals/0/Users/149/93/211093/file4.PNG) The F5 CSRF token not generated to the security.php link."I think he already did try what your suggestions because after he saw your comments, he sent me the information above. By the way, we don't know if there is any special tool installed on the web server but i will check it later. Thank you

i would personally, certainly in a PoC, enable all three options in the blocking section for CSRF. i checked in my lab, get the same situation with the comment on the script blocks but it works fine. where exactly is the token expected where i doesn't show? remember there are cases where it isn't added specially in dynamically generated code.

Mr. Boneyward, This is the reply from our team after reading your comments " - I had tried enable all three options (alarm, learn, block) but it's not helped - This is not the dynamic generated code case (the security.php link is static in the homepage) - I wanna see the F5 CSRF token generated with the security.php link, but that not happened. And F5 no blocked CSRF violation when I access security.php without token. " Thank you

[BIG-IP 4000s] Failed to protect Crosse-Site Request Forgery

15 Replies

boneyard
MVP
Jul 16, 2015
i would advise you to read up on Cross Site Request Forgery and the mitigation of it.

https://en.wikipedia.org/wiki/Cross-site_request_forgery https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29 https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

in the end it comes down to the fact you don't have to protect a request that doesn't carry data.
IT_Support_-_EC
Nimbostratus
Jul 16, 2015
Thank you for your comment Mr. Boneyard,

After reading your comments, our team got a different opinion about the fact of no protecting a request that doesn't carry data and would like to share it with you (his tone may be a bit strong but please think of him as your close friend OK! Mr. Boneyard ^_^)

"The request without parameter doesn't carry data ? Hey man, you're very wrong about this. How's about data coming from HTTP headers ? like cookie, HTTP referer ? does that make sense ?

Let's talk about an application that have one link to delete the account: /delete.php, user can access this link to delete their account. Application recognized user based on their session_id (send along with their cookie). So, user just access this link (without any parameters) to delete their account. Hey, tell me, guy, does it "carry data" ? And how to protect CSRF on this link ?"

Thank you
boneyard
MVP
Jul 16, 2015
sure a HTTP GET / POST without parameters does indeed carry some data, but in general not enough on itself to perform transactions. that is normally done with parameters and that is what CSRF protection is designed for.

if you design your application as described above you have a situation (although not very common in my opinion) where the F5 CRSF protection doesn't protect you.

that is a limitation of the product. if you want a full proof solution specific for your situation you gotta build it yourself at lots of effort. a solution like F5 ASM will protect you with less effort but upto a point, it can't cover every possible situation.
IT_Support_-_EC
Nimbostratus
Jul 17, 2015
Thank you for your comment Mr. Boneyard,

Our team got what we wanted to know through your message and would like thank you for making us understand and helping us along the way with this case.

Thank you so much
- boneyard
  MVP
  Jul 17, 2015
  you are welcome, you can flag your question as answered if you feel it is.

Forum Discussion

[BIG-IP 4000s] Failed to protect Crosse-Site Request Forgery

15 Replies

Recent Discussions

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Portal Access to HTTPS resources slow

How to Implement 2 Way SSL in F5 LTM

Azure DP-100 Exam Questions

Related Content

How To Protect Your Applications from Cross Site Request Forgery (CSRF) with F5 Distributed Cloud

Cross Site Scripting (XSS) Exploit Paths

Protecting the F5 BIG-IP AFM system with AFM Protocol Inspection System Checks

Knowledge sharing: Order of precedence for BIG-IP modules, ASM DDOS Protection, Bot Protection

Explore how F5 BIG-IP Advanced WAF protects against attacks on GraphQL API