Bug ID 474256: False positive CSRF violations

Last Modified: Mar 12, 2019

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9

Fixed In:
12.0.0

Opened: Aug 03, 2014
Severity: 4-Minor

Symptoms

A CSRF script does not iterate over frame links, causing a false positive CSRF violation.

Impact

A false positive CSRF violation.

Conditions

CSRF protection is enabled on a system that has frame links.

Workaround

You can work around this issue by using the URL list in the CSRF protection configuration.

Fix Information

The system now adds the CSRF token to frame links, fixing a false positive CSRF violation issue.

Behavior Change