Forum Discussion
It is CSRF.
Check solution sol11885
http://support.f5.com/kb/en-us/solutions/public/11000/800/sol11885.html
"When the CSRF protection feature is enabled, the BIG-IP ASM system injects 3KB of custom JavaScript into HTML responses. The injected JavaScript is intended to alter embedded links to include the CSRT token used by the CSRF feature, thereby allowing the BIG-IP ASM to verify the integrity of subsequent requests. Due to the inconsistent manner in which form action URLs are coded within web applications to support various browsers, some browsers may be unable to interpret some pages after the JavaScript has been added. For example, if you enable CSRF protection, client browsers may display the login page incorrectly, and the JavaScript buttons intended to allow users to submit their credentials may not function as expected. As a result, users may be unable to access the application"....
You can limit CSRF protection to specific URLs only (or disable it completely if your application is not vulnerable to CSRF)
Regards, Sam