waf padding-oracle
Use this command to create a policy that protects vulnerable block cipher implementations for web applications that selectively encrypt inputs without using HTTPS.
To apply this policy, include it in an inline web or offline protection profile. For details, see “config waf web-protection-profile inline-protection” or “config waf web-protection-profile offline-protection”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf padding-oracle
  edit <padding-oracle_rule_name>
    set action {alert | alert_deny | block-period}
    set block-period <block-period_int>
    set severity {High | Medium | Low}
    set trigger <trigger-policy_name>
    config protected-url-list
      edit <entry_index>
        set host-status {enable | disable}
        set host <host_str>
        set url-type {plain | regular}
        set protected-url <protected-url_str>
        set target {cookie parameter url}
    end
  next
end
Variable
Description
Default
<padding-oracle_rule_name>
Type the name of a new or existing rule. The maximum length is 35 characters.
To display the list of existing policies, type:
edit ?
Default: none.
{alert | alert_deny | block-period}
Specify the action that FortiWeb takes when a request violates the rule:
alert — Accept the request and generate an alert email and/or log message.
alert_deny — Block the request (reset the connection) and generate an alert and/or log message.
block-period — Block subsequent requests from the client for a number of seconds. Also configure block-period.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, define an X-header that indicates the original client’s IP (see “waf x-forwarded-for”). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
Attack log messages contain Padding Oracle Attack when this feature detects a possible attack. Because this attack involves some repeated brute force, the attack log may not appear immediately, but should occur within 2 minutes, depending on your configured DoS alert interval.
Caution: This setting is ignored if the value of monitor-mode is enabled. See
Note: Logging and/or alert email occur only when these features are enabled and configured. See “Logging” and “Alert email”. See
Note: To use this rule set with auto-learning, select alert. If action is alert_deny or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the session information for auto-learning will be incomplete.
Default: alert
<block-period_int>
Type the number of seconds that FortiWeb blocks subsequent requests from the client after it detects that the client has violated the rule.
This setting is available only if action is block-period.
The valid range is from 1 to 4,294,967,295.
Default: 1
{High | Medium | Low}
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Specify the severity level FortiWeb uses when it logs a violation of this rule.
Default: Medium
<trigger-policy_name>
Type the name of the trigger policy, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of the rule. See “config log trigger-policy”.
To display the list of existing triggers, type:
set trigger ?
Default: none.
<entry_index>
Type the index number of the individual entry in the table. The valid range is from 1 to 9,999,999,999,999,999,999.
Default: none.
host-status {enable | disable}
Specify enable to apply this rule only to HTTP requests for specific web hosts. Also specify host.
Specify disable to match the rule based on the other criteria, such as the URL, but regardless of the Host: field.
Default: disable
<host_str>
Specify the protected host names entry (a web host name or IP address) that the Host: field of the HTTP request must match for the rule to apply.
This option is available only if the value of host-status is enabled.
Maximum length is 255 characters.
Default: none.
{plain | regular}
Specify how the value of protected-url is interpreted:
plain — A literal URL.
regular — A regular expression designed to match multiple URLs.
Default: plain
<protected-url_str>
If the value of url-type is plain, specify the literal URL that matching HTTP requests contain.
For example:
/profile.jsp
The URL must begin with a slash ( / ).
If the value of url-type is regular, specify a regular expression matching all and only the URLs to which the rule should apply.
For example:
^/*\.jsp\?uid\=(.*)
The pattern does not need to begin with a slash ( / ); however, it must at least match URLs that begin with a slash, such as /profile.cfm.
Do not include the domain name, such as www.example.com, which is specified by host.
Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide.
Default: none.
{cookie parameter url}
Specify which parts of the client’s requests FortiWeb examines for padding attack attempts:
url — A URL path segment (for example, the value 0000012FE03BC2 embedded in the URL /user/0000012FE03BC2).
parameter — A parameter (for example, user=0000012FE03BC2 in /index.php?user=0000012FE03BC2, sent as a traditional GET query parameter or in a POST body).
cookie — A cookie.
Default: parameter
Example
This example illustrates a padding oracle rule that blocks requests to the host www.example.com for 3600 seconds when a parameter sent as a traditional GET URL parameter or in a POST body matches the specified regular expression. When a request matches the expression, FortiWeb logs the violation or sends a high-severity alert as specified in the notification-servers1 trigger policy.
config waf padding-oracle
  edit padding-oracle1
    set action block-period
    set block-period 3600
    set severity High
    set trigger notification-servers1
    config protected-url-list
      edit 1
        set host-status enable
        set host www.example.com
        set url-type regular
        set protected-url \/profile\.jsp\?uid\=(.*)
        set target parameter
    end
  next
end
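As an added example that is not FortiWeb code and not part of the original page, the following Python mirrors how the protected-url-list fields above (host-status, host, url-type, protected-url, target) select requests for this rule, then applies a hypothetical per-client threshold to flag the repeated-tampering pattern the attack log describes. WINDOW_SECONDS and MAX_DISTINCT_VALUES are assumptions, not appliance settings, and the request records are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Rule entry mirroring the protected-url-list fields in this page's example.
RULE = {"host-status": "enable", "host": "www.example.com",
        "url-type": "regular", "protected-url": r"\/profile\.jsp\?uid\=(.*)",
        "target": "parameter"}
# Hypothetical thresholds (not FortiWeb settings): distinct target values one
# client may submit within one window before it is flagged.
WINDOW_SECONDS = 120
MAX_DISTINCT_VALUES = 8

def entry_matches(rule, host, request_target):
    """host-status/host and url-type/protected-url checks as the page describes."""
    if rule["host-status"] == "enable" and host != rule["host"]:
        return False
    if rule["url-type"] == "plain":  # literal URL: compare the path only
        return urlsplit(request_target).path == rule["protected-url"]
    return re.search(rule["protected-url"], request_target) is not None

def target_values(rule, request_target, cookie_header):
    """Extract the part of the request that the rule's target setting examines."""
    if rule["target"] == "url":
        return [urlsplit(request_target).path]
    if rule["target"] == "parameter":
        query = parse_qs(urlsplit(request_target).query)
        return [v for vals in query.values() for v in vals]
    return [c.split("=", 1)[1].strip() for c in cookie_header.split(";") if "=" in c]

def flag_clients(rule, requests):
    """requests: (epoch_seconds, client_ip, host, request_target, cookie_header)."""
    seen = defaultdict(list)  # client -> [(timestamp, target value), ...]
    flagged = set()
    for ts, client, host, target, cookie in sorted(requests):
        if not entry_matches(rule, host, target):
            continue
        for value in target_values(rule, target, cookie):
            seen[client].append((ts, value))
            recent = {v for t, v in seen[client] if ts - t <= WINDOW_SECONDS}
            if len(recent) > MAX_DISTINCT_VALUES:
                flagged.add(client)
    return flagged

# Constructed sample traffic: one client cycles through many uid values in a
# few seconds (ciphertext-tampering pattern); the others are ordinary requests.
SAMPLE = [(1000 + i, "203.0.113.5", "www.example.com",
           f"/profile.jsp?uid=0000012FE03BC{i:X}", "") for i in range(10)]
SAMPLE += [(1000, "198.51.100.7", "www.example.com", "/profile.jsp?uid=0000012FE03BC2", ""),
           (1010, "203.0.113.9", "shop.example.com", "/profile.jsp?uid=0000012FE03BC2", "")]
```

Running flag_clients(RULE, SAMPLE) returns only the tampering client; the request to shop.example.com is excluded because host-status is enable and the host does not match.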
Related topics
config waf web-protection-profile inline-protection
config waf web-protection-profile offline-protection