Cross-site request forgery (CSRF) is an attack that exploits the trust that a site has in a user's browser to transmit unauthorized commands.
The CSRF protection feature is not supported when the operation mode is offline protection or transparent inspection: it depends on FortiWeb rewriting the protected pages, which those non-inline modes cannot do.
To protect back-end servers from CSRF attacks, you create two lists of items: a list of web pages to protect against CSRF attacks, and a corresponding list of the URLs found in the requests that the pages generate.
FortiWeb adds a script to the web pages you specify. The script adds the tknfv parameter (the anti-CSRF token) to any HTML link elements that have the href attribute (<a href>) and to HTML form elements. Subsequent requests that these HTML elements generate contain the tknfv parameter. The parameter has the value of the cookie issued by FortiWeb Session Management.
FortiWeb checks requests for the URLs in the URL list for the tknfv parameter, based on the web pages that you specified. When these URLs appear in requests without the tknfv parameter, or the parameter does not match the cookie value for the session, FortiWeb takes the action you specify in the CSRF protection rule.
Create your configuration carefully, making sure that all the URLs in the list have corresponding entries in the page list, and that Session Management is enabled in the protection profile that uses the rule. When FortiWeb checks requests for the token but has not added the script to the corresponding web page, legitimate requests arrive without the token, and FortiWeb blocks or takes other action against them.
For example, a web page in the list of pages contains the following <a href> element:
Therefore, to make the feature work for this web page, you add /csrf_test1.php to the list of URLs.
For an example using an HTML form element, the web page csrf_login.html contains the following form:
<form name="do_some_action" id="form1" action="csrf_test2.php" method="GET">
<input type="text" name="username" value=""/>
<input type="text" name="password" value=""/>
<input type="submit" value="do Action"/>
</form>
This form generates the following request when the page is added to the list of pages protected by a CSRF protection policy:
In this case, you add csrf_login.html to the list of pages and /csrf_test2.php (the URL the form's action attribute produces) to the list of URLs.
When a URL alone does not uniquely identify the page or request, you create unique Page List Table and URL List Table items by adding a parameter filter to them. The parameter filter allows you to add additional criteria to match in the URL or HTTP body of a request.
For example, in the following form element, the parameters are in the body of the HTTP request, not the URL:
<form action="post.asp" enctype="multipart/form-data" method="POST">
<input type="file" name="FILE1">
<input type="text" name="TEXT1" value="HELLO">
<input type="submit" name="SUB1" value="Upload File">
</form>
To allow FortiWeb to correctly recognize the POST request as one that should contain the anti-CSRF token, add a filter that checks for a parameter in the HTTP body to the corresponding URL List Table item. If the request for post.asp does not contain the parameter specified in the URL List Table item, FortiWeb can instead match it with a
You can also match a parameter in the URL. For example, the request to match has the following URL:
Request Type – Simple String
Full URL –
Parameter Filter – Selected
Parameter Name –
Parameter Value Type – Regular Expression
Parameter Value – *
The parameter value * (asterisk) matches any value.
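The following Python model, added here as an example and not FortiWeb code, shows the check the two preceding sections describe: a request that matches a URL List Table item (by literal or regular-expression URL, plus an optional parameter filter against the query or body) must carry a tknfv parameter equal to the session cookie value, or the rule's action fires. It also constructs the GET request that the csrf_login.html form produces once the page is instrumented, and the post.asp upload with its parameter in the body. The session cookie name (fwb_session), the "pass" result and the use of the standard regular expression .* for "any value" are assumptions of the model; the page itself says FortiWeb accepts * for that purpose.

```python
"""Model of FortiWeb's CSRF protection check (added example, not FortiWeb code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SESSION_COOKIE = "fwb_session"  # assumed cookie name; the page does not give it
TOKEN_PARAM = "tknfv"           # the anti-CSRF parameter named on the page


@dataclass
class ParamFilter:
    name: str
    value_type: str  # "simple" (literal) or "regex"
    value: str       # literal value, or a regular expression


@dataclass
class UrlListItem:
    request_type: str  # "simple" (literal URL) or "regex"
    full_url: str
    param_filter: Optional[ParamFilter] = None


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def params(self) -> Dict[str, str]:
        # A parameter filter may match in the URL or in the HTTP body.
        return {**self.body, **self.query}


def _value_matches(value_type: str, pattern: str, value: str) -> bool:
    if value_type == "simple":
        return pattern == value
    return re.fullmatch(pattern, value) is not None


def item_matches(item: UrlListItem, req: Request) -> bool:
    """Does this URL list item describe the request (URL plus optional parameter filter)?"""
    if not _value_matches(item.request_type, item.full_url, req.path):
        return False
    if item.param_filter is None:
        return True
    pf = item.param_filter
    params = req.params()
    return pf.name in params and _value_matches(pf.value_type, pf.value, params[pf.name])


def check_request(url_list: List[UrlListItem], req: Request, action: str = "Alert") -> str:
    """Return "pass" when no URL list item matches or the token equals the session
    cookie value; otherwise return the rule's configured action."""
    if not any(item_matches(item, req) for item in url_list):
        return "pass"
    expected = req.cookies.get(SESSION_COOKIE)
    token = req.params().get(TOKEN_PARAM)
    if expected is None or token is None or token != expected:
        return action
    return "pass"


def form_request(session_value: str, username: str, password: str,
                 with_token: bool = True) -> Request:
    """The GET request the csrf_login.html form generates. With the page in the
    page list, the injected script adds tknfv carrying the session cookie value."""
    query = {"username": username, "password": password}
    if with_token:
        query[TOKEN_PARAM] = session_value
    return Request("GET", "/csrf_test2.php", query=query,
                   cookies={SESSION_COOKIE: session_value})


# Constructed URL list mirroring the page's examples.
URL_LIST = [
    UrlListItem("simple", "/csrf_test1.php"),
    UrlListItem("simple", "/csrf_test2.php"),
    # post.asp sends its parameters in the multipart body; the filter on FILE1
    # (any value) makes this item match only the upload request.
    UrlListItem("simple", "/post.asp", ParamFilter("FILE1", "regex", ".*")),
]

if __name__ == "__main__":
    print(check_request(URL_LIST, form_request("abc123", "alice", "pw")))
    print(check_request(URL_LIST, form_request("abc123", "alice", "pw", with_token=False)))
```

Running the block prints the verdict for the instrumented form submission and then for the same submission without the token, which is what a request from a page outside the page list (or a forged cross-site request) looks like to the rule.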
If the feature is not working properly, ensure that Session Management is enabled in the protection profile that uses the rule and that every URL List Table item has a corresponding Page List Table item, as described above.
To configure a CSRF protection rule:
1. Go to Web Protection > Advanced Protection > CSRF Protection.
2. Click Create New, then configure these settings:
| Setting | Description |
| --- | --- |
| Name | Enter a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. |
| Action | Select which action FortiWeb takes when it detects a missing or incorrect anti-CSRF parameter. The default value is Alert. |
| Block Period | Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects a CSRF attack. This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 60. See also Monitoring currently blocked IPs. |
| Severity | When FortiWeb records violations of this rule in the attack log, each log message contains a Severity Level field. Select the level to record for this rule. The default value is Low. |
| Trigger Action | Select the trigger, if any, that FortiWeb uses when it logs or sends an alert email about a CSRF attack. See Viewing log messages. |
3. Click OK.
4. Under Page List Table, click Create New, and then configure these settings:
| Setting | Description |
| --- | --- |
| Host Status | Enable to apply this rule only to HTTP requests for specific web hosts. Also configure Host. Disable to match the rule based on the URL and any parameter filter only. |
| Host | Select a protected host names entry (either a web host name or IP address) that the request must be for. This option is available only if Host Status is enabled. |
| Request Type | Select whether Full URL contains a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression). |
| Full URL | Enter either a literal URL or regular expression. |
| Parameter Filter | Select to specify a parameter name and value to match. The parameter can be located in either the URL or the HTTP body of a request. For more information, see Parameter filters. |
| Parameter Name | Enter the parameter name to match. |
| Parameter Value Type | Select whether Parameter Value contains a literal value (Simple String), or a regular expression designed to match multiple values (Regular Expression). |
| Parameter Value | Enter either a literal value or regular expression. To match any parameter value, for Parameter Value Type, select Regular Expression, and enter * (asterisk). |
5. Click OK.
6. Add any additional web pages that you want to protect.
7. Under URL List Table, click Create New, and then configure the settings.
The settings for adding a URL list item are the same as the ones that you use to add a page list item.
8. Click OK.
9. To apply the rule, in an inline protection profile, ensure Session Management is selected, and then select the CSRF protection rule (see Configuring a protection profile for inline topologies).