Bug ID 761941: ASM does not remove CSRT token query parameter before forwarding a request to the backend server

Last Modified: Dec 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 15.1.0

Fixed In:
15.0.0, 14.1.0.6, 14.0.1.1, 13.1.3

Opened: Mar 19, 2019
Severity: 3-Major

Symptoms

CSRT query parameter observed in tcpdump on the BIG-IP system's server side.

Impact

Backend app gets CSRT parameter, which might impact its business logic.

Conditions

-- ASM provisioned. -- ASM policy attached to a virtual server. -- CSRF enabled in ASM policy.

Workaround

You can remove a CSRT query parameter using a URI modification iRule on the server side.

Fix Information

The system now removes the csrt query parameter before forwarding a request to the backend server

Behavior Change