User Guide


Account Takeover

The Account Takeover feature allows you to detect and protect against account takeover threats. FortiWeb Cloud tracks the authentication URL of your website and identifies all user access. Attack logs reference the username, and the module adds protection capabilities such as Credential Stuffing Protection and Session Fixation Protection.

FortiWeb Cloud uses a user tracking rule to track users. When FortiWeb Cloud detects users that match the criteria you specify in the user tracking rule, it stores the session ID and username.

FortiWeb Cloud tracks only users who have logged in successfully. It uses one of the following methods to determine whether a login is successful:

  • The response matches a condition you specify in the user tracking rule, such as a return code, a specific redirect URL or a string in the response body. You create these conditions in Authentication Successful Condition.
  • If the response does not match any condition in Authentication Successful Condition, FortiWeb Cloud uses the default result, which is failed.

FortiWeb Cloud stops tracking a user when either of the following two events occurs:

  • The client request contains the log off URL that you specify in the user tracking rule. (The log off URL setting is optional.)
  • The session is idle for longer than the session timeout value (14400 seconds).

To configure a user tracking rule

  1. Go to ACCOUNT TAKEOVER.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Configure these settings.

    Authentication URL

    Enter the URL to match in authorization requests.

    Ensure that the value begins with a forward slash ( / ).

    Log Off URL

    Optionally, enter the URL of the request that a client sends to log out of the application.

    When the client sends this URL, FortiWeb Cloud stops tracking the user session.

    Ensure that the value begins with a forward slash ( / ).

    Username Field

    Enter the username field value to match in authorization requests.

    Password Field

    Enter the password field value to match in authorization requests.

    Session ID Name

    Type the name of the session ID that is used to identify each session.

    Examples of session ID names are sid, PHPSESSID, and JSESSIONID.

    Authentication Successful Condition

    Return Code

    Enter the value of the return code when the authentication is successful. It should be a regular expression.

    Redirect URL

    Enter the redirect URL when the authentication is successful. It should be a regular expression.

    Response Body

    The response body when the authentication is successful. It should be a regular expression.

    Credential Stuffing Protection

    Enable to use FortiGuard's Credential Stuffing Defense database to protect against credential stuffing attacks. When this setting is enabled, FortiWeb Cloud evaluates the username (Username Field) and password (Password Field) of each matched login request against the Credential Stuffing Defense database to identify whether that username/password pair has been spilled.

    Session Fixation Protection

    Enable to configure FortiWeb Cloud to erase session IDs from the cookie and argument fields of a matching login request.

    FortiWeb Cloud erases the IDs for non-authenticated sessions only.

    For web applications that do not renew the session cookie when a user logs in, it is possible for an attacker to trick a user into authenticating with a session ID that the attacker acquired earlier.

    This feature prevents the attacker from accessing the web app in an authenticated session.

    When this feature removes session IDs, FortiWeb Cloud does not generate a log message because it is very common for a legitimate user to access a web application using an existing cookie. For example, a client who leaves his or her web browser open between sessions presents the cookie from an earlier session.

  3. From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny (no log)

    Block the request (or reset the connection).

  4. Click SAVE.
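The tracking behaviour described above, as an added Python model that is not FortiWeb Cloud's own code: a rule with the documented fields, success decided by the Authentication Successful Condition regexes (no match means failed), session IDs scrubbed from login requests unless they belong to an already tracked session, and tracking stopped by the log off URL or the 14400-second idle timeout. The field values, session IDs and timestamps used with it are constructed; the session ID is assumed to arrive in the login response's cookies, and the credential stuffing lookup is not modelled.

```python
import re
from dataclasses import dataclass, field

@dataclass
class TrackingRule:              # settings of the user tracking rule described above
    auth_url: str                # must begin with "/"
    username_field: str
    session_id_name: str         # e.g. PHPSESSID
    logoff_url: str = ""         # optional
    return_code: str = ""        # Authentication Successful Condition regexes ("" = unset);
    redirect_url: str = ""       # anchor them (e.g. "^302$") so "30" cannot match "301"
    response_body: str = ""

@dataclass
class UserTracker:
    rule: TrackingRule
    sessions: dict = field(default_factory=dict)  # session id -> [username, last_seen]

    def login_succeeded(self, status, location, body):
        """True only if a configured condition matches; no match means failed (the default)."""
        pairs = [(self.rule.return_code, str(status)),
                 (self.rule.redirect_url, location), (self.rule.response_body, body)]
        return any(rx and re.search(rx, val) for rx, val in pairs)

    def scrub_login_request(self, path, params, cookies):
        """Session Fixation Protection: drop untracked session IDs from a login request."""
        if path != self.rule.auth_url:
            return params, cookies
        keep = lambda bag: {k: v for k, v in bag.items()
                            if k != self.rule.session_id_name or v in self.sessions}
        return keep(params), keep(cookies)

    def on_login_response(self, params, status, location, body, set_cookie, now):
        """Start tracking (session ID + username) only when the login succeeded."""
        sid, user = set_cookie.get(self.rule.session_id_name), params.get(self.rule.username_field)
        if not (sid and user and self.login_succeeded(status, location, body)):
            return None
        self.sessions[sid] = [user, now]
        return user

    def on_request(self, path, cookies, now):
        """Username for a tracked request, or None; stop tracking on log off or idle timeout."""
        entry = self.sessions.get(sid := cookies.get(self.rule.session_id_name))
        if entry is None:
            return None
        if path == self.rule.logoff_url or now - entry[1] > 14400:  # timeout from the guide
            del self.sessions[sid]
            return None
        entry[1] = now
        return entry[0]
```

Note that a scrubbed session ID produces no log entry in the product, so the only evidence of fixation attempts is the absence of the pre-set ID in the authenticated session; the model mirrors that by returning the cleaned request rather than raising an alert.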
