config : waf hidden-fields-rule
 
waf hidden-fields-rule
Use this command to configure hidden field rules.
Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a vector for other attacks.
Unlike other inputs, they are usually written into an HTML page by the web server when it serves that page to the client, and they are not visible on the rendered page. As such, users rarely modify them by accident, and web site owners often incorrectly perceive them as relatively safe.
Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs they can be used to inject invalid data into your databases or to tamper with the session state.
Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session’s hidden inputs as they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.
You apply hidden field constraints by first grouping them into a hidden field group. For details, see “config waf hidden-fields-protection”.
Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “config server-policy allow-hosts”.
 
Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs, using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide.
 
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf hidden-fields-rule
edit <hidden-field-rule_name>
set action {alert | alert_deny | redirect | block-period | send_403_forbidden}
set block-period <seconds_int>
set host <protected-hosts_name>
set host-status {enable | disable}
set request-file <url_str>
set action-url0 <url_str>
set action-url1 <url_str>
set action-url2 <url_str>
set action-url3 <url_str>
set action-url4 <url_str>
set action-url5 <url_str>
set action-url6 <url_str>
set action-url7 <url_str>
set action-url8 <url_str>
set action-url9 <url_str>
set severity {High | Medium | Low}
set trigger <trigger-policy_name>
config hidden-field-name
edit <entry_index>
set argument <hidden-field_str>
next
end
next
end
Variable
Description
Default
<hidden-field-rule_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing rules, type:
edit ?
No default.
action {alert | alert_deny | redirect | block-period | send_403_forbidden}
Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the hidden field rules in the entry:
alert — Accept the request and generate an alert email and/or log message.
alert_deny — Block the request (or reset the connection) and generate an alert email and/or log message.
You can customize the web page that FortiWeb returns to the client with the HTTP status code. See the FortiWeb Administration Guide or “system replacemsg”.
block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
redirect — Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url <redirect_fqdn> and rdt-reason {enable | disable}.
send_403_forbidden — Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.
Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.
Note: Logging and/or alert email will occur only if enabled and configured. See “config log disk” and “config log alertemail”.
Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For more information on auto-learning requirements, see “config waf web-protection-profile autolearning-profile”.
Default: alert
block-period <seconds_int>
If action is block-period, type the number of seconds that the connection will be blocked. The valid range is from 1 to 3,600 seconds.
Default: 0
host <protected-hosts_name>
Type the name of a protected hosts group. The Host: field of an HTTP request must match one of the hosts in that group in order for the request to match the rule. The maximum length is 255 characters.
This setting applies only if host-status is enable.
No default.
host-status {enable | disable}
Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure host <protected-hosts_name>.
Disable to match the rule on its other criteria, such as the URL, regardless of the Host: field.
Default: disable
request-file <url_str>
Type the literal URL, such as /login.jsp, that contains the hidden form.
The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com, which is configured separately in host <protected-hosts_name>. Regular expressions are not supported. The maximum length is 255 characters.
No default.
action-url0 <url_str>
action-url1 <url_str>
action-url2 <url_str>
action-url3 <url_str>
action-url4 <url_str>
action-url5 <url_str>
action-url6 <url_str>
action-url7 <url_str>
action-url8 <url_str>
action-url9 <url_str>
Type up to 10 URLs (one per variable) that are valid targets for the HTTP POST method when the client submits the form containing the hidden fields in this rule. A submission of those hidden fields to any other URL violates the rule.
No default.
severity {High | Medium | Low}
Select the severity level to use in logs and reports generated when a violation of the rule occurs.
Default: High
trigger <trigger-policy_name>
Type the name of the trigger to apply when this rule is violated (see “config log trigger-policy”). The maximum length is 35 characters.
To display the list of existing trigger policies, type:
set trigger ?
No default.
<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
No default.
argument <hidden-field_str>
Type the name of the hidden form input, such as languagepref. The maximum length is 35 characters.
No default.
Example
This example blocks and logs a request when the hidden form input named "languagepref", served in /search.jsp, is posted to any URL other than /query.do, or is posted with a value different from the one the server supplied.
config waf hidden-fields-rule
edit "hidden_fields_rule1"
set action alert_deny
set request-file "/search.jsp"
set action-url0 "/query.do"
config hidden-field-name
edit 1
set argument "languagepref"
next
end
next
end
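The check that the example rule above performs, written out as an added Python model (this is not FortiWeb code; the class and function names, the per-session cache keying, the treatment of a session that never received the form, and the sample page are my own assumptions). It reuses the URL and field name from the example configuration and enables host-status so that the effect of the protected host match is visible alongside the action-url and unchanged-value checks described earlier in this section:

```python
"""Model of the hidden-fields-rule check described on this page.  Added illustration,
not FortiWeb code (names are my own).  Behaviour modelled from the page: the rule is keyed
to a literal request-file URL and, with host-status enabled, to a protected host; hidden
values served to the client are remembered; on submission the POST target must be an
action-url and each named hidden field must still carry the served value."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Actions that refuse the request; alert only logs and lets it through.
BLOCKING_ACTIONS = {"alert_deny", "block-period", "redirect", "send_403_forbidden"}

@dataclass
class HiddenFieldsRule:
    name: str
    request_file: str            # literal URL containing the form, e.g. "/search.jsp"
    action_urls: List[str]       # permitted POST targets (action-url0 .. action-url9)
    hidden_fields: List[str]     # 'argument' entries under config hidden-field-name
    action: str = "alert"        # appliance default
    host: Optional[str] = None   # protected host, consulted only when host_status is True
    host_status: bool = False

    def __post_init__(self) -> None:
        if not self.request_file.startswith("/"):
            raise ValueError("request-file must begin with a slash")
        if len(self.action_urls) > 10:
            raise ValueError("at most ten action-url entries")

    def applies_to_host(self, host: str) -> bool:
        return not self.host_status or host == self.host

class _HiddenInputParser(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""
    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "input" and a.get("type", "").lower() == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")

def extract_hidden_inputs(html: str) -> Dict[str, str]:
    parser = _HiddenInputParser()
    parser.feed(html)
    return parser.fields

class HiddenFieldsProtection:
    def __init__(self, rules: List[HiddenFieldsRule]) -> None:
        self.rules = rules
        # (session, rule name) -> served hidden values; per-session keying is an assumption
        self.cache: Dict[Tuple[str, str], Dict[str, str]] = {}

    def on_response(self, session: str, host: str, url: str, html: str) -> None:
        """Page on its way to the client: remember the rule's hidden values."""
        for rule in self.rules:
            if url == rule.request_file and rule.applies_to_host(host):
                served = extract_hidden_inputs(html)
                self.cache[(session, rule.name)] = {
                    n: served[n] for n in rule.hidden_fields if n in served}

    def on_post(self, session, host, url, form) -> List[Tuple[str, str, str]]:
        """Form submission: return (rule, action, reason) violations; empty means clean."""
        violations = []
        for rule in self.rules:
            cached = self.cache.get((session, rule.name))
            # Only for matching hosts, sessions that were served the form, and
            # submissions that carry at least one of the rule's hidden fields.
            if cached is None or not rule.applies_to_host(host):
                continue
            if not any(n in form for n in rule.hidden_fields):
                continue
            if url not in rule.action_urls:
                violations.append((rule.name, rule.action, f"{url} is not a permitted action-url"))
                continue
            for name, served_value in cached.items():
                if form.get(name) != served_value:
                    violations.append((rule.name, rule.action, f"hidden field {name} was modified"))
        return violations

    @staticmethod
    def disposition(violations) -> str:
        return "block" if any(a in BLOCKING_ACTIONS for _, a, _ in violations) else "accept"

# Constructed scenario reusing the names from the example configuration above,
# with host-status enabled to show its effect.
RULE = HiddenFieldsRule(name="hidden_fields_rule1", request_file="/search.jsp",
                        action_urls=["/query.do"], hidden_fields=["languagepref"],
                        action="alert_deny", host="www.example.com", host_status=True)
# Constructed response body standing in for what the web server sends.
SEARCH_PAGE = """<form method="post" action="/query.do">
  <input type="hidden" name="languagepref" value="en">
  <input type="text" name="q"><input type="submit" value="Search">
</form>"""

def demo() -> Dict[str, str]:
    waf = HiddenFieldsProtection([RULE])
    waf.on_response("sess-1", "www.example.com", "/search.jsp", SEARCH_PAGE)
    cases = {  # label: (Host header, POST target, submitted form)
        "clean": ("www.example.com", "/query.do", {"languagepref": "en", "q": "fortiweb"}),
        # value rewritten through the DOM before submit
        "tampered": ("www.example.com", "/query.do", {"languagepref": "en' OR '1'='1"}),
        # served value replayed against a URL outside the action-url list
        "wrong_url": ("www.example.com", "/admin/query.do", {"languagepref": "en"}),
        # host-status is enabled, so a request for another host is not matched by this rule
        "other_host": ("other.example.com", "/query.do", {"languagepref": "fr"}),
    }
    return {k: HiddenFieldsProtection.disposition(waf.on_post("sess-1", h, u, f))
            for k, (h, u, f) in cases.items()}
```

Running demo() accepts the clean submission, blocks the tampered value and the replay to /admin/query.do (the configured action is alert_deny), and leaves the request for other.example.com untouched by this rule because host-status restricts it to www.example.com; with action set to alert the two violations would be logged but the requests accepted.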
Related topics
config server-policy allow-hosts
config waf hidden-fields-protection
config log trigger-policy