Fortinet black logo

Handbook

Configuring JSON detection

Configuring JSON detection

Hackers sometimes try to exploit vulnerabilities in JSON data in HTTP POST operations to attack web servers. You can configure FortiADC's web application firewall (WAF) to enforce security checks that examine client HTTP requests for anomalies in JSON data in HTTP POST operations. This ensures that JSON data reaching web servers is well-formed. Some of the security protections include:

  • Running format checks on requests containing JSON data in HTTP POST operations to protect potential security holes.
  • Imposing JSON parsing limits to protect against denial-of-service (DOS) attacks.
  • Performing JSON cross-site scripting (XSS) checks and JSON SQL Injection checks.

JSON Check Chain illustrates how HTTP packets containing JSON can be examined via sequence detection when JSON detection is configured.

JSON Check Chain

JSON checks are composed of four parts, and each one carries out a single detection function:

  • Format Check—Executes JSON format detection sub-module (JSON-FDM).
  • Limit Check—Executes JSON limit detection sub-module (JSON-LDM).
  • SQL Injection Detection—Executes JSON cross-site scripting detection sub-module (JSON-XSSDM).
  • XSS Detection—Executes JSON cross-site scripting detection sub-module (JSON-SIDM).

Before you begin, you must:

To configure JSON Detection:
  1. Go to Web Application Firewall > API Protection and select the JSON Detection tab.
  2. Click Create New.
  3. Complete the configuration as described in JSON Detection.
  4. Click Save.

JSON Detection

Settings Guidelines
Name Enter the name of the JSON Detection profile. You will use the name to select the JSON Detection profile in WAF profiles. No spaces.
JSON Format Checks Enable to configure security checks for incoming HTTP requests to determine whether they are well-formed. You can set FortiADC response actions to malformed HTTP requests below.
JSON Limit Checks

Enable to enforce parsing limits to protect web servers from attacks such as DOS attacks. If enabled, you may change the configuration for the following parameters:

  • Limit Max Array Value
  • Limit Max Depth
  • Limit Max Object Member
  • Limit Max String
Limit Max Array Value Limits the maximum number of values within a single array. The default value is 256. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
Limit Max Depth Limits the maximum depth in a JSON value. The default value is 16. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
Limit Max Object Member Limits the number of members in a JSON object. The default value is 64. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
Limit Max String Limits the length of a string in a JSON request for a name or a value. The default value is 64. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
JSON Xss Checks Enable to examine the bodies of incoming JSON requests that might indicate possible cross-site scripting attacks. If the request contains a positive match, FortiADC responds with the corresponding action selected below.
JSON SQL Injection Checks Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords that might indicate an SQL injection attack. If the request contains a positive match, FortiADC responds with the corresponding action selected below.
Severity

Set the severity level in WAF logs of potential attacks detected by the JSON Detection profile. Select from one of the following options:

  • High
  • Medium
  • Low
Action

Select the action profile that you want to apply. See Configuring WAF Action objects.

The default is Alert.

Exception Name Optional. Select the exception profile that you want to apply to the JSON Detection profile. See Configuring WAF Exception objects.

Configuring JSON detection

Hackers sometimes try to exploit vulnerabilities in JSON data in HTTP POST operations to attack web servers. You can configure FortiADC's web application firewall (WAF) to enforce security checks that examine client HTTP requests for anomalies in JSON data in HTTP POST operations. This ensures that JSON data reaching web servers is well-formed. Some of the security protections include:

  • Running format checks on requests containing JSON data in HTTP POST operations to protect potential security holes.
  • Imposing JSON parsing limits to protect against denial-of-service (DOS) attacks.
  • Performing JSON cross-site scripting (XSS) checks and JSON SQL Injection checks.

JSON Check Chain illustrates how HTTP packets containing JSON can be examined via sequence detection when JSON detection is configured.

JSON Check Chain

JSON checks are composed of four parts, and each one carries out a single detection function:

  • Format Check—Executes JSON format detection sub-module (JSON-FDM).
  • Limit Check—Executes JSON limit detection sub-module (JSON-LDM).
  • SQL Injection Detection—Executes JSON cross-site scripting detection sub-module (JSON-XSSDM).
  • XSS Detection—Executes JSON cross-site scripting detection sub-module (JSON-SIDM).

Before you begin, you must:

To configure JSON Detection:
  1. Go to Web Application Firewall > API Protection and select the JSON Detection tab.
  2. Click Create New.
  3. Complete the configuration as described in JSON Detection.
  4. Click Save.

JSON Detection

Settings Guidelines
Name Enter the name of the JSON Detection profile. You will use the name to select the JSON Detection profile in WAF profiles. No spaces.
JSON Format Checks Enable to configure security checks for incoming HTTP requests to determine whether they are well-formed. You can set FortiADC response actions to malformed HTTP requests below.
JSON Limit Checks

Enable to enforce parsing limits to protect web servers from attacks such as DOS attacks. If enabled, you may change the configuration for the following parameters:

  • Limit Max Array Value
  • Limit Max Depth
  • Limit Max Object Member
  • Limit Max String
Limit Max Array Value Limits the maximum number of values within a single array. The default value is 256. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
Limit Max Depth Limits the maximum depth in a JSON value. The default value is 16. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
Limit Max Object Member Limits the number of members in a JSON object. The default value is 64. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
Limit Max String Limits the length of a string in a JSON request for a name or a value. The default value is 64. The valid range is 0–4096. Available only when JSON Limit Checks is enabled.
JSON Xss Checks Enable to examine the bodies of incoming JSON requests that might indicate possible cross-site scripting attacks. If the request contains a positive match, FortiADC responds with the corresponding action selected below.
JSON SQL Injection Checks Enable to examine the bodies of incoming requests for inappropriate SQL characters and keywords that might indicate an SQL injection attack. If the request contains a positive match, FortiADC responds with the corresponding action selected below.
Severity

Set the severity level in WAF logs of potential attacks detected by the JSON Detection profile. Select from one of the following options:

  • High
  • Medium
  • Low
Action

Select the action profile that you want to apply. See Configuring WAF Action objects.

The default is Alert.

Exception Name Optional. Select the exception profile that you want to apply to the JSON Detection profile. See Configuring WAF Exception objects.