Last Modified: Jul 12, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
14.0.0, 13.1.0, 13.0.0
Fixed In:
14.1.0
Opened: Apr 22, 2018
Severity: 3-Major
Symptoms:
When the total size of the cross-site request forgery (CSRF) protection URL list exceeds 2 KB, CSRF token injection fails.
Impact:
CSRF false-positive violation.
Conditions:
- CSRF protection is enabled.
- The total length of the defined CSRF URL list is more than 2 KB.
- A protected URL is accessed.
Workaround:
Use wildcard entries to reduce the total size of the CSRF URL list.
Fix Information:
The default maximum total CSRF URL list size was increased to 5 KB, and the internal parameter csrf_dyn_params_buffer_size was added in case further adjustment is needed.
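The workaround and the fix both come down to one question: how large is the configured CSRF URL list, and can it be collapsed with wildcards? The following script is an added example (not F5's code and not part of this bug record) that estimates the list size and proposes wildcard entries. It assumes, as a labelled approximation, that the total is the sum of the UTF-8 byte lengths of the entries and that a wildcard takes the `/prefix/*` form; the 2 KB and 5 KB thresholds are the values stated above, and the sample URL list is constructed for the demonstration.

```python
# Added example (not F5's code): size a BIG-IP ASM CSRF protection URL list
# against the 2 KB (affected versions) and 5 KB (14.1.0 default) limits from
# the bug record, and collapse explicit entries into wildcard entries.
# ASSUMPTIONS: the size metric is the sum of UTF-8 byte lengths of the
# entries, and a wildcard entry is written as "/prefix/*".
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

LIMIT_AFFECTED = 2 * 1024  # pre-fix buffer size, from the record
LIMIT_FIXED = 5 * 1024     # new default maximum in 14.1.0, from the record


def total_size(urls: Iterable[str]) -> int:
    """Approximate total list size: sum of the entries' UTF-8 byte lengths."""
    return sum(len(u.encode("utf-8")) for u in urls)


def fits(urls: Iterable[str], limit: int) -> bool:
    """True when the list stays within the given byte limit."""
    return total_size(urls) <= limit


def collapse_to_wildcards(urls: List[str], depth: int = 1,
                          min_group: int = 2) -> List[str]:
    """Replace every group of URLs that shares its first `depth` path
    segments with one "/seg1/.../*" entry, provided the group has at least
    `min_group` members. URLs with `depth` or fewer segments, and groups
    smaller than `min_group`, are kept verbatim. Result is sorted and
    de-duplicated so repeated explicit entries collapse as well."""
    groups: Dict[Optional[str], List[str]] = defaultdict(list)
    for u in urls:
        segs = [s for s in u.split("/") if s]
        # Only URLs deeper than `depth` can be covered by a prefix wildcard.
        key = "/" + "/".join(segs[:depth]) if len(segs) > depth else None
        groups[key].append(u)
    out: List[str] = []
    for key, members in groups.items():
        if key is not None and len(members) >= min_group:
            out.append(key + "/*")
        else:
            out.extend(members)
    return sorted(set(out))


# Constructed sample: 100 explicit account pages plus a few other URLs.
SAMPLE_URLS = ([f"/account/settings/page{i}" for i in range(100)]
               + ["/login", "/logout", "/checkout/cart", "/checkout/pay"])


def report(urls: List[str]) -> Dict[str, object]:
    """Summarise the list size before and after wildcard collapsing."""
    collapsed = collapse_to_wildcards(urls)
    return {
        "entries": len(urls),
        "bytes": total_size(urls),
        "fits_2kb": fits(urls, LIMIT_AFFECTED),
        "fits_5kb": fits(urls, LIMIT_FIXED),
        "collapsed": collapsed,
        "collapsed_bytes": total_size(collapsed),
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE_URLS).items():
        print(f"{k}: {v}")
```

Collapsing with `depth=1` turns the 100 account pages into a single `/account/*` entry; raising `depth` (for example to 2) produces narrower wildcards such as `/account/settings/*` at the cost of more entries. Note that a wildcard also brings every matching URL under CSRF protection, so review the collapsed list for pages that were deliberately left out before applying it.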