Bug ID 752058: False positive CSRF violation for the URL with semicolon with explicit CSRF URL configuration

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,

Fixed In:

Opened: Dec 05, 2018

Severity: 3-Major


Requests containing semicolon ';' characters are blocked by an ASM policy that has explicit CSRF URL configured. An ASM blocking page listing a support ID is presented to the ASM end user.


Web application do not work as expected.


- ASM provisioned. - ASM configured on a virtual server. - ASM CSRF enabled and explicit URL configured.


Use a wildcard CSRF URL.

Fix Information

CSRF JavaScript code now handles the semicolon ';' character, as a path parameter separator, when it is at the end of the request URL.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips