Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
Cross-Site Request Forgery (CSRF) is an attack in which an attacker tricks a user's browser into sending a request the user did not intend to a web application where the user is already authenticated. The attack works because the browser automatically attaches the user's credentials (typically the session cookie) to the forged request, so the application cannot distinguish it from a legitimate one; it exploits the trust the application places in the user's browser.
CSRF protection is essential to prevent unauthorized requests from being executed on behalf of a user without their knowledge. F5 ASM (Application Security Manager) / AWAF (Advanced Web Application Firewall) offers several enforcement options to protect against CSRF attacks using a combination of client-side and server-side methods.
Global CSRF Protection Methods:
Client-Side Protection (controls that rely on browser behaviour and browser-supplied headers):
Same-Site Cookies
Description: The SameSite cookie attribute tells the browser when it may attach a cookie to a cross-site request. Because a CSRF request is by definition cross-site, a session cookie that the browser withholds on cross-site requests leaves the forged request unauthenticated, which mitigates the attack without any change to the application.
Modes:
SameSite=Strict: Cookies are sent only with same-site requests; even a top-level navigation from another site (for example following a link) arrives without the cookie.
SameSite=Lax: Cookies are sent with same-site requests and with cross-site top-level navigations that use a safe method (GET), but not with cross-site POSTs, subresource loads or XHR/fetch calls. This blocks the classic auto-submitted form attack but not GET endpoints that change state.
SameSite=None: Cookies are sent with all requests, including cross-site; the cookie must also carry the Secure attribute or current browsers reject it.
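The following Python model encodes the three modes' rules so the classic CSRF vectors can be checked against each. It is an added example, not F5 or browser code; the cross_site and top_level_navigation attributes are simplifications of the browser's real site-comparison logic, and the scenarios are constructed.

```python
# Added example: a simplified model of the browser's SameSite decision, used to
# show which CSRF vectors still carry a session cookie under each mode.
# Not F5 or browser code; cross_site/top_level_navigation are simplifications.
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: str          # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool             # initiator's site (scheme + eTLD+1) differs from the target's
    top_level_navigation: bool   # address-bar change (link click, form submit), not a subresource/XHR
    https: bool = True


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if a current browser attaches `cookie` to `req`."""
    mode = cookie.samesite.lower()
    if mode == "none":
        # SameSite=None is only accepted together with Secure, and a Secure
        # cookie is never sent over plain HTTP.
        return cookie.secure and req.https
    if not req.cross_site:
        return True
    if mode == "strict":
        return False
    if mode == "lax":
        # Lax allows cross-site cookies only on top-level navigations using a
        # safe method, so an auto-submitted cross-site POST arrives unauthenticated.
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {cookie.samesite!r}")


def csrf_scenarios(cookie: Cookie) -> dict:
    """Classic CSRF vectors (constructed); True means the session cookie rides along."""
    return {
        "same-site XHR POST": cookie_is_sent(cookie, Request("POST", False, False)),
        "cross-site auto-submitted form POST": cookie_is_sent(cookie, Request("POST", True, True)),
        "cross-site <img> or fetch GET": cookie_is_sent(cookie, Request("GET", True, False)),
        "cross-site link click GET": cookie_is_sent(cookie, Request("GET", True, True)),
    }


if __name__ == "__main__":
    for mode in ("Strict", "Lax", "None"):
        print(mode, csrf_scenarios(Cookie("session", mode, secure=True)))
```

The "cross-site link click GET" row stays True under Lax, which is why Lax alone does not protect a GET endpoint that changes state. The model covers an explicit SameSite attribute only; Chrome's default-Lax treatment of cookies without the attribute additionally allows top-level cross-site POSTs for two minutes after the cookie is set.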
White-listing Expected Origins
Description: The system can be configured with a list of trusted, pre-defined Origins and reject any request whose Origin header is absent or not on the list. Because the browser sets the Origin header and page script cannot override it, this limits where requests can be made from and mitigates unauthorized cross-site requests.
Use Case: Only requests from specific domains, such as your own website or known partners, will be allowed to interact with the application.
Allowed Referer Lists
Description: This method checks the Referer header in the request to ensure that the request originates from an allowed domain. If the Referer header is missing or does not match the trusted domains, the request is blocked. Browsers may omit the Referer (for example under a strict Referrer-Policy, on HTTPS-to-HTTP navigations, or behind privacy proxies), so blocking on a missing Referer can reject legitimate traffic; blocking only on a mismatching Referer avoids that but leaves requests without one unchecked.
Effect: Helps block requests launched from an attacker's page, which carry the attacker's site as Referer; page script cannot forge the Referer header from the browser.
Server-Side Protection:
CSRF Tokens
Description: A CSRF Token is a unique, secret value generated by the server and embedded in the web page or application. The server validates this token with each request to ensure it matches the one originally issued, proving the request is legitimate and not forged.
F5-ASM Implementation:
F5 ASM inserts a CSRF token into the application's URLs by injecting JavaScript into responses for the protected URLs.
If a request is received without a valid token, the request is blocked.
The token expiration can be configured (from 1 to 99,999 seconds, default: 600 seconds); a short lifetime limits how long a token that leaks (for example through a logged or shared URL) can be replayed.
Two-Factor Authentication (2FA)
Description: Implementing Two-Factor Authentication adds an extra layer of security by requiring a second form of verification (usually through an SMS code, authentication app, or hardware token).
Effect: A forged request cannot supply the second factor, so this helps only when the second factor is required for the sensitive action itself (step-up or transaction confirmation). A second factor checked only at login does not stop a forged request made within the already-authenticated session.
JSON Web Tokens (JWT)
Description: JWT is a compact, URL-safe token format used to transmit signed claims between the server and client. JWTs protect against CSRF when the client sends them in an explicit request header (typically Authorization: Bearer) set by application JavaScript, because the browser does not add such headers to cross-site requests automatically.
Effect: The application validates the JWT's signature and claims before processing the request, which ensures the request comes from an authenticated client that deliberately attached the token. A JWT stored in a cookie is attached by the browser like any other cookie and offers no CSRF protection on its own.
F5-ASM / AWAF CSRF Enforcement Options:
Verify CSRF Token
Description: F5 ASM inserts a CSRF token into the URLs of the protected application by injecting JavaScript into responses.
Action: Any request that does not carry a valid CSRF token is blocked. A forged request launched from an attacker's page cannot include the token, because the attacker cannot read it from the victim's pages.
Token Expiration: The system tracks each token's expiration time; tokens expire after a set period (default 600 seconds, configurable) so that a token which leaks remains usable only for a limited window, reducing the risk of token hijacking.
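A server-side token scheme with the properties described in the CSRF Tokens section above and in this Verify CSRF Token option (per-session binding, a fixed lifetime in the configured range, and rejection of missing, forged or expired tokens), written in Python as an added example. It is not F5's implementation; the token layout, the in-process key and the optional now parameter (used for deterministic checks) are assumptions made for illustration.

```python
# Added example, not F5's implementation: an HMAC-based CSRF token bound to the
# user's session with an embedded expiry. Token layout and key handling are
# illustrative assumptions.
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key; load from a KMS in practice
DEFAULT_TTL = 600                      # seconds, the default expiration described above


def _mac(session_id: str, exp: int, nonce: str) -> str:
    """Authenticate (session, expiry, nonce) so none of them can be altered."""
    msg = f"{session_id}|{exp}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, ttl: int = DEFAULT_TTL, now: Optional[int] = None) -> str:
    """Return '<expiry>.<nonce>.<mac>' to embed in forms/URLs for this session."""
    if not 1 <= ttl <= 99999:
        raise ValueError("ttl must be between 1 and 99999 seconds")
    exp = (int(time.time()) if now is None else now) + ttl
    nonce = secrets.token_hex(16)
    return f"{exp}.{nonce}.{_mac(session_id, exp, nonce)}"


def check_token(token: Optional[str], session_id: str, now: Optional[int] = None) -> str:
    """Return 'ok', or the reason the request must be blocked."""
    if not token:
        return "blocked: token missing"
    try:
        exp_s, nonce, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return "blocked: token malformed"
    expected = _mac(session_id, exp, nonce)
    # Constant-time comparison; a token from another session or with a
    # tampered expiry fails here because the MAC covers both.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "blocked: token invalid for this session"
    if (int(time.time()) if now is None else now) >= exp:
        return "blocked: token expired"
    return "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A")
    print(tok)
    print(check_token(tok, "sess-A"))     # ok
    print(check_token(tok, "sess-B"))     # blocked: token invalid for this session
    print(check_token(None, "sess-A"))    # blocked: token missing
```

The expiry is authenticated together with the session ID, so a client cannot extend a captured token's lifetime by editing the first field. Checking the MAC before the expiry means a forged token is reported as invalid rather than merely expired.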
Verify Origin
Description: This enforcement option requires a valid Origin header on requests to the protected URLs. The Origin header, which the browser sets and page script cannot modify, identifies the scheme, host and port of the page that initiated the request, so a forged request from an attacker's site carries that site's origin.
Action: If the Origin header is missing, or its value does not match the protected application's host, the system blocks the request as a likely CSRF attempt against an authenticated session.
AJAX Request Protection: Browsers add the Origin header to cross-origin XHR/fetch requests and to all non-GET requests such as POST, so Verify Origin suits AJAX APIs. Plain same-origin GET navigations may arrive without an Origin header and would be blocked, so apply the option to the URLs that need it.
No JavaScript Injection: For protected URLs configured with Verify Origin, the system does not inject JavaScript to insert tokens, since the Origin check already provides the protection.
Violation: A request whose Origin header is missing or does not match is logged as a "CSRF Attack Detected" violation.
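The three header checks described on this page (white-listed Origins and Referer lists under Client-Side Protection, and the Verify Origin option here) implemented in Python as an added example. This is not F5 code; the OriginPolicy object, the result strings and the sample requests are constructed for illustration, and the Verify Origin comparison against the Host header is a simplification of the product's behaviour.

```python
# Added example: origin-based CSRF checks in the shape a WAF applies them,
# covering Origin white-listing, Referer allow-listing and Verify Origin.
# Not F5 code; policy object, messages and sample requests are constructed.
from urllib.parse import urlsplit


class OriginPolicy:
    def __init__(self, allowed_origins, allowed_referer_hosts, block_missing_referer=True):
        self.allowed_origins = {o.lower() for o in allowed_origins}
        self.allowed_referer_hosts = {h.lower() for h in allowed_referer_hosts}
        # Browsers omit Referer under strict Referrer-Policy or HTTPS->HTTP, so
        # blocking on a missing Referer trades false positives for coverage.
        self.block_missing_referer = block_missing_referer


def verify_origin(headers: dict) -> str:
    """Verify Origin: Origin must be present and match the request's Host."""
    origin = headers.get("Origin")
    host = headers.get("Host", "")
    if origin is None:
        return "CSRF attack detected: Origin header missing"
    if origin.lower() == "null":      # sandboxed iframes, data: URLs, some redirects
        return "CSRF attack detected: Origin is null"
    if urlsplit(origin).netloc.lower() != host.lower():
        return "CSRF attack detected: Origin does not match Host"
    return "ok"


def check_origin_allowlist(headers: dict, policy: OriginPolicy) -> str:
    """White-listed Origins: only pre-defined origins (own site, partners) pass."""
    origin = headers.get("Origin")
    if origin is None:
        return "blocked: Origin header missing"
    if origin.lower() not in policy.allowed_origins:
        return f"blocked: origin {origin} not in allow-list"
    return "ok"


def check_referer(headers: dict, policy: OriginPolicy) -> str:
    """Allowed Referer list: the Referer host must be a trusted domain."""
    referer = headers.get("Referer")
    if referer is None:
        if policy.block_missing_referer:
            return "blocked: Referer missing"
        return "ok: Referer absent, not enforced"
    host = urlsplit(referer).hostname
    if host is None or host.lower() not in policy.allowed_referer_hosts:
        return f"blocked: Referer host {host} not allowed"
    return "ok"


def evaluate(headers: dict, policy: OriginPolicy) -> dict:
    """Run all three checks on one request; a deployment enables them per URL."""
    return {
        "verify_origin": verify_origin(headers),
        "origin_allowlist": check_origin_allowlist(headers, policy),
        "referer": check_referer(headers, policy),
    }


# Constructed sample requests (relevant headers only).
LEGIT_POST = {"Host": "app.example.com", "Origin": "https://app.example.com",
              "Referer": "https://app.example.com/account"}
ATTACK_POST = {"Host": "app.example.com", "Origin": "https://evil.example",
               "Referer": "https://evil.example/csrf.html"}
PARTNER_POST = {"Host": "app.example.com", "Origin": "https://partner.example",
                "Referer": "https://partner.example/embed"}
SAME_ORIGIN_GET = {"Host": "app.example.com", "Referer": "https://app.example.com/"}  # no Origin on a plain GET

POLICY = OriginPolicy(
    allowed_origins=["https://app.example.com", "https://partner.example"],
    allowed_referer_hosts=["app.example.com", "partner.example"],
)

if __name__ == "__main__":
    for name, req in [("legit", LEGIT_POST), ("attack", ATTACK_POST),
                      ("partner", PARTNER_POST), ("same-origin GET", SAME_ORIGIN_GET)]:
        print(name, evaluate(req, POLICY))
```

The partner request shows the difference between the two Origin checks: it passes the allow-list, which is meant for known third-party sites, but fails Verify Origin, which accepts only the protected host itself. The same-origin GET shows why Verify Origin belongs on AJAX and POST URLs rather than on every navigation.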
Summary of CSRF Protection Methods in F5 ASM/AWAF:
Protection Method           Description
CSRF Token Verification     Inserts a session-bound token via JavaScript and verifies it on each request; missing, forged or expired tokens are blocked.
Same-Site Cookies           Stops the browser from attaching the session cookie to cross-site requests (Strict, or Lax for non-GET), so a forged request arrives unauthenticated.
White-listing Origins       Allows only requests whose Origin header matches a pre-defined list of trusted origins (own site, known partners).
Referer Header Check        Ensures requests originate from expected domains by verifying the Referer header.
Two-Factor Authentication   Requires a second factor for the sensitive action itself, so a forged request cannot complete it.
JWT (JSON Web Tokens)       Carries the credential in a request header rather than a cookie, so the browser does not attach it to cross-site requests.
Verify Origin               Validates the Origin header against the protected host; a missing or mismatched Origin raises a "CSRF Attack Detected" violation.
By implementing these methods, F5 ASM/AWAF provides robust protection against CSRF attacks, ensuring that only legitimate requests, made by authenticated users, are processed by the application.