Forum Discussion

Ongko_8903
Jul 07, 2014

Does anyone know which feature in the ASM module injects these scripts, and how to change it?

Dear All,

 

Recently my company implemented A/B testing. We embedded their script, but there is an error in that script. My vendor said this error occurs because somehow these scripts are manipulating my XHR prototype.

 

Below is the code snippet of these scripts:

 

These scripts globally modify the AJAX request method from GET to OPTIONS (using pre-flighted CORS), and this affects my vendor's script. Does anyone know which ASM module injects these scripts, and how to solve this problem?

 

PS: Sorry for attaching the code as an image; before that I tried to use the <code> tag, but it didn't work.

 

Regards, Ongko
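The mechanism the post describes, as an added example that is not part of the original thread and is not F5's injected code: a constructed stand-in for XMLHttpRequest, a hypothetical wrapper that patches its prototype the way such scripts do, a check a page can run early to notice that the prototype has been replaced, and the CORS "simple request" rule that decides when a wrapped request will be sent as an OPTIONS preflight. The header name X-Example-Token and the vendor URL are made up; in a real page you would pass window.XMLHttpRequest instead of the stand-in class.

```javascript
'use strict';

// Added example, not code from the thread or from F5 ASM. FakeXMLHttpRequest
// is a constructed stand-in for the browser object so this runs under Node;
// in a page you would pass window.XMLHttpRequest instead.
function makeFakeXhrClass() {
  return class FakeXMLHttpRequest {
    open(method, url) { this.method = method; this.url = url; this.headers = {}; }
    setRequestHeader(name, value) { this.headers[name.toLowerCase()] = value; }
    send(body) { this.body = body; this.sent = true; }
  };
}

// Record the pristine prototype members. In a real page this must run from an
// inline <script> at the top of <head>, before any injected or vendor script.
function snapshotXhr(XHR) {
  return {
    open: XHR.prototype.open,
    send: XHR.prototype.send,
    setRequestHeader: XHR.prototype.setRequestHeader,
  };
}

// Hypothetical wrapper of the kind the post describes: it rewraps open() and
// send() so every request silently gains an extra header. On a cross-origin
// URL any non-safelisted header forces the browser to send an OPTIONS
// preflight first, which is one way a "GET" turns into "OPTIONS" on the wire.
function installHeaderInjectingWrapper(XHR, headerName, headerValue) {
  const origOpen = XHR.prototype.open;
  const origSend = XHR.prototype.send;
  XHR.prototype.open = function (method, url, ...rest) {
    this.__wrappedByInjectedScript = true;
    return origOpen.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    if (this.__wrappedByInjectedScript) this.setRequestHeader(headerName, headerValue);
    return origSend.call(this, body);
  };
}

// Compare the live prototype against the snapshot. `native` is only meaningful
// in a browser, where the untouched methods stringify to "[native code]".
function detectXhrPatch(XHR, snapshot) {
  const report = {};
  for (const name of Object.keys(snapshot)) {
    const current = XHR.prototype[name];
    report[name] = {
      replaced: current !== snapshot[name],
      native: /\[native code\]/.test(Function.prototype.toString.call(current)),
    };
  }
  return report;
}

// Core of the CORS "simple request" rule from the Fetch standard: GET/HEAD/POST
// with only safelisted headers needs no preflight; anything else triggers OPTIONS.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(String(method).toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFE_HEADERS.has(lower)) return true;
    const mediaType = String(value).split(';')[0].trim().toLowerCase();
    if (lower === 'content-type' && !SAFE_CONTENT_TYPES.has(mediaType)) return true;
  }
  return false;
}

// Walk through the scenario: the same vendor GET before and after the wrapper.
function demo() {
  const XHR = makeFakeXhrClass();
  const snapshot = snapshotXhr(XHR);

  const before = new XHR();
  before.open('GET', 'https://vendor.example/ab-test.json'); // made-up URL
  before.send(null);

  installHeaderInjectingWrapper(XHR, 'X-Example-Token', 'abc123'); // made-up header

  const after = new XHR();
  after.open('GET', 'https://vendor.example/ab-test.json');
  after.send(null);

  return {
    preflightBefore: needsPreflight(before.method, before.headers),
    preflightAfter: needsPreflight(after.method, after.headers),
    patch: detectXhrPatch(XHR, snapshot),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running `node` on the file prints the report: the plain GET needs no preflight, the same GET after the wrapper does, and `open` and `send` are reported as replaced while `setRequestHeader` is not. Dropping `snapshotXhr` plus `detectXhrPatch` into an inline script at the top of a page, before the BIG-IP injected block and the vendor tag, gives a quick way to confirm which one is rewriting the prototype.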

 

10 Replies

  • It is CSRF.

     

    Check solution sol11885

     

    http://support.f5.com/kb/en-us/solutions/public/11000/800/sol11885.html

     

"When the CSRF protection feature is enabled, the BIG-IP ASM system injects 3KB of custom JavaScript into HTML responses. The injected JavaScript is intended to alter embedded links to include the CSRF token used by the CSRF feature, thereby allowing the BIG-IP ASM to verify the integrity of subsequent requests. Due to the inconsistent manner in which form action URLs are coded within web applications to support various browsers, some browsers may be unable to interpret some pages after the JavaScript has been added. For example, if you enable CSRF protection, client browsers may display the login page incorrectly, and the JavaScript buttons intended to allow users to submit their credentials may not function as expected. As a result, users may be unable to access the application..."

     

You can limit CSRF protection to specific URLs only (or disable it completely if your application is not vulnerable to CSRF).

     

    Regards, Sam

     

  • Thanks Sam,

     

I'm on 11.4.0, but I will try to disable CSRF protection and check whether the JavaScript is still embedded.

     

    regards,

     

    Ongko

     

  • Dear Sam,

     

The configuration change didn't do anything. In the blocking configuration, I had already unchecked "CSRF attack detected" and "CSRF authentication expired"; I also unchecked CSRF Protection.

     

The JavaScript code is still embedded.

     

Do you have any other clues?

     

    regards,

     

    Ongko

     

There are many features on ASM that inject JavaScript into responses:

     

    1) Analytics profile on the virtual server tracking page load time

     

    2) CSRF protection (as Sam pointed out)

     

    3) Anomaly > Web Scraping feature

     

    4) DoS protection profile using "client-side integrity defense" settings

     

  • Thanks Scott,

     

I don't use an Analytics profile, so I will try numbers 3 and 4.

     

For anyone else who comes across this: it took me forever to find this setting because it's pretty buried. There are a few things in ASM that cause JavaScript injection:

     

    1. CSRF protection
    2. Web-Scraping detection
    3. AJAX blocking

It turns out that this is related to AJAX blocking, as I had also disabled CSRF protection and was still getting this injected into my pages, which was breaking a particular browser. When you first go to create your security policy, there's an option that you can check: "AJAX blocking response behavior". This is going to inject that JavaScript into your pages.

     

In ASM 11.6.x, you can disable this setting by going to Security > Application Security > Blocking > Response Pages. Then select the AJAX Response page from the tabs and uncheck the box.

     

    Yes, this even injects the javascript if your policy is set to transparent mode! Yes, it's completely stupid!

     

    Hope this helps, it caused me a ton of frustration.

     

    • ScottyMac_23789
      Awesome. I had this exact same problem and thought that CSRF was off, but the code was still injected. Changed the suggested AJAX setting and the code was removed. Thanks a ton for your help!
    • MSZ

      By doing this, is there any impact on the application? I think the support ID will not be displayed in this case.

       

  • If CSRF is unchecked but this code chunk is still injected by the AJAX setting, is this code actually providing any protection?