TL;DR
Yes, F5’s Big-IP Application Security Manager (ASM) can protect against Cross-Site Request Forgery (CSRF) attacks on AJAX calls. However, it requires careful configuration of the HTTP policies and understanding how your application handles CSRF tokens.
Protecting AJAX Calls from CSRF with F5 Big-IP ASM
- Understand Your Application’s CSRF Implementation: Before configuring Big-IP, know how your web application prevents CSRF attacks. Common methods include:
  - Synchronizer Token Pattern (STP): The server generates a unique token for each user session and includes it in forms and AJAX requests.
  - Double Submit Cookie: A random value is set as a cookie, and the same value must be included in request headers or data.
  - SameSite Cookies: Cookies are only sent with requests originating from the same site (modern browsers; with SameSite=Strict, since Lax still sends cookies on top-level GET navigations). This isn’t directly handled by Big-IP but complements other protections.
- Create an HTTP Policy: In the Big-IP Configuration Utility, navigate to Security > Application Security > Policies and create a new HTTP policy.
- Configure CSRF Protection Rule: Within your HTTP policy, add or modify a rule to detect and mitigate CSRF attacks. The specific configuration depends on your application’s method:
  - For Synchronizer Token Pattern (STP):
    - Add a Parameter Check rule.
    - Configure the rule to look for the expected CSRF token parameter name in either POST data or GET parameters.
    - Set an appropriate action, such as Block or Redirect, if the token is missing or invalid. You may need custom scripting (iRIS) for complex validation.
  - For Double Submit Cookie:
    - Add a Header Check rule.
    - Configure the rule to look for the expected CSRF cookie header.
    - Set an appropriate action if the cookie is missing or doesn’t match the data in the request body (again, iRIS may be needed).
  - Example Parameter Check Rule (STP): This example blocks requests that lack a CSRF token parameter named csrf_token.
    - Rule Name: Detect Missing CSRF Token
    - Match Type: Header/Parameter
    - Parameter Name: csrf_token
    - Operator: Does Not Exist
    - Action: Block
  - iRIS Custom Scripting (Advanced): For more complex validation, such as checking the token’s format or expiry, you can use iRIS scripting. This allows you to write custom code that runs within Big-IP to inspect and validate the CSRF token. Example: validate a token against a server-side list (this requires integration with your application’s backend).
- Apply the HTTP Policy: Associate the HTTP policy with a Virtual Server that handles your web application traffic. This is done in Security > Application Security > Virtual Servers.
- Test Your Configuration: Thoroughly test your CSRF protection configuration to ensure it doesn’t block legitimate AJAX requests while effectively blocking malicious ones.
  - Use tools like Burp Suite or OWASP ZAP to simulate CSRF attacks.
  - Verify that the Big-IP logs show blocked attempts for invalid tokens.
  - Ensure valid AJAX requests are processed correctly.
- Monitor Logs: Regularly review the Big-IP ASM logs for any detected CSRF attacks or false positives. Adjust your configuration as needed.
Important Considerations:
- Big-IP acts as a defense layer, but it’s crucial to implement robust CSRF protection within your application itself.
- Keep your Big-IP software up to date with the latest security patches.
- Properly configure session management and cookie settings in both your application and Big-IP.