Bug ID 716324: CSRF protection fails when the total size of the configured URL list is more than 2 KB

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
14.0.0, 13.1.0, 13.0.0

Fixed In:
14.1.0

Opened: Apr 22, 2018

Severity: 3-Major

Symptoms

When the total size of the configured cross-site request forgery (CSRF) protection URL list is greater than 2 KB, CSRF injection fails.

Impact

CSRF false-positive violation.

Conditions

- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.

Workaround

Use wildcards to minimize total CSRF URL size.

Fix Information

Increased the default maximum total CSRF URL list size to 5 KB and added the internal parameter csrf_dyn_params_buffer_size in case further adjustment is needed.
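The following is an added example, not F5 code from this bug record, that shows how an administrator could estimate whether a CSRF URL list is near the 2 KB limit described above (or the 5 KB default after the fix) and how consolidating explicit entries under wildcards, the workaround given above, shrinks the list. It assumes the list size is approximated as the UTF-8 byte length of each entry plus one separator byte per entry; ASM's exact accounting is not stated on the page, so treat the figure as an estimate. The URLs are constructed sample data.

```python
"""Added example (not F5's code): estimate the size of a BIG-IP ASM CSRF
URL list against the limits in Bug ID 716324 and collapse entries into
wildcards.

Assumption (not on the page): list size is approximated as UTF-8 bytes
per entry plus one separator byte. The sample URLs are constructed.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Limits taken from the bug record: 2 KB before the fix, 5 KB default after it.
LIMIT_BEFORE_FIX = 2 * 1024
LIMIT_AFTER_FIX = 5 * 1024


def list_size_bytes(urls):
    """Approximate total list size: UTF-8 bytes of each entry plus one separator."""
    return sum(len(u.encode("utf-8")) + 1 for u in urls)


def exceeds_limit(urls, limit=LIMIT_BEFORE_FIX):
    """True when the estimated list size is over the given limit."""
    return list_size_bytes(urls) > limit


def collapse_to_wildcards(urls, min_group=2):
    """Replace every group of URLs sharing one directory with a '<dir>/*' entry.

    Directories holding fewer than min_group URLs keep their explicit entries,
    so a lone URL such as '/logout' is not widened into a wildcard.
    """
    by_dir = defaultdict(list)
    for u in urls:
        directory, _, _ = u.rpartition("/")
        by_dir[directory].append(u)
    collapsed = []
    for directory, members in by_dir.items():
        if len(members) >= min_group:
            collapsed.append(directory + "/*")
        else:
            collapsed.extend(members)
    return sorted(collapsed)


def all_covered(originals, patterns):
    """Check that every original URL still matches at least one pattern,
    so the consolidated list does not silently drop protection."""
    return all(any(fnmatchcase(u, p) for p in patterns) for u in originals)


# Constructed sample: 91 explicit entries across three application areas.
SAMPLE_URLS = (
    [f"/account/settings/section{i}.php" for i in range(30)]
    + [f"/billing/pay/invoice{i}" for i in range(30)]
    + [f"/admin/users/delete{i}" for i in range(30)]
    + ["/logout"]
)


def report(urls):
    """Return (size_before, size_after, collapsed_list, still_covered)."""
    collapsed = collapse_to_wildcards(urls)
    return (
        list_size_bytes(urls),
        list_size_bytes(collapsed),
        collapsed,
        all_covered(urls, collapsed),
    )


if __name__ == "__main__":
    before, after, collapsed, covered = report(SAMPLE_URLS)
    print(f"explicit list: {before} bytes, over 2 KB: {before > LIMIT_BEFORE_FIX}, "
          f"over 5 KB: {before > LIMIT_AFTER_FIX}")
    print(f"wildcard list: {after} bytes, entries: {collapsed}, all covered: {covered}")
```

The `all_covered` check matters: a wildcard list that is smaller but no longer matches a URL that was previously protected trades a false-positive violation for a silent gap, so verify coverage before committing the consolidated list.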

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips