User Guide

MITB Protection

The Man-in-the-Browser (MITB) attack uses a Trojan horse to intercept and manipulate calls between the browser and its security mechanisms or libraries on the fly. The Trojan horse sniffs or modifies transactions as they are formed in the browser, but still displays the transaction the user intended. The most common objective of this attack is financial fraud: transactions on Internet banking systems are manipulated even when other authentication factors are in use.

To protect user inputs from MITB attacks, FortiWeb Cloud implements security rules including obfuscation, encryption, anti-keylogger, and an AJAX request allowlist.

Obfuscation

To prevent an MITB attack from identifying the names of the user input fields, FortiWeb Cloud obfuscates them into meaningless character strings based on a Base64 encoding rule.

For example, for the account name, password, and other sensitive user input fields on a transaction page, the obfuscation rule disguises the real names of the input fields.

Encryption

To protect the password that users enter into the web page, FortiWeb Cloud encrypts the password from a readable form to an encoded version based on a Base64 encoding rule. The encrypted password can only be decoded by FortiWeb Cloud.

Anti-Keylogger

Sometimes an MITB attack installs a key logger in the user's browser and records each key pressed. Sensitive data such as passwords can be intercepted and recorded, compromising the user account.

If the Anti-Keylogger rule is enabled for the password parameter, FortiWeb Cloud prevents the password from being recorded even if a key logger is installed in the user's browser.

AJAX Request allowlist

An MITB attack may use a malicious AJAX worm to compromise the user's browser. The worm installs an AJAX-based sniffer that overrides the OPEN and SEND functions of the AJAX request object and then sends the captured data to a program on a different domain.

FortiWeb Cloud supports configuring an allowlist for AJAX requests. If the user's browser sends an AJAX request to an external domain that is not in the allowlist, FortiWeb Cloud takes action according to your configuration.

To configure MITB Protection, you must have already enabled this module in Add Modules. See How to add or remove a module.

  • Configure the settings below to define the URL to protect.

    Request URL

    Enter the literal URL that hosts the web page containing the user input fields you want to protect.

    POST URL

    When the user inputs (e.g. the password) are posted to the web server, a new URL opens. This is the POST URL.

    The format of the POST URL field is the same as that of the Request URL field.

    Note: The AJAX request rule only checks the Request URL and does not involve the POST URL, so the POST URL of an AJAX request rule should be set to "*" to match any URL.


  • To protect the standard user input and passwords, click +Create Protected Parameter, and configure these settings.

    Input Name

    Enter the name of the user input field. It must be exactly the same as the name of the input field in the source code of the web page.

    Type

    Select either Standard Input or Password Input.

    Obfuscate

    Available when the Type is either Standard Input or Password Input.

    Encrypt

    Available when the Type is Password Input.

    Anti-KeyLogger

    Available when the Type is Password Input.


  • To add an allowlist for AJAX requests, click +Create External Domain, and enter the external domain address.
    If the user's browser sends an AJAX request to an external domain that is not in the domain list you have entered, FortiWeb Cloud takes the configured action (Alert, or Alert & Deny).
  • In the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

  • Click SAVE.
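As an added example (not FortiWeb Cloud's own code), the following JavaScript models the decision that the AJAX Request allowlist section and the action settings above describe: a request from the protected page to its own host or to a listed external domain is accepted, while a request to any other host is alerted on or denied according to the rule's action. The rule shape, the function names and the bank.example domains are constructed assumptions.

```javascript
// Added example (not FortiWeb Cloud code): a model of the AJAX request
// allowlist decision described above. Names such as evaluateAjaxRequest and
// ALLOWLIST_RULE are hypothetical; the domains and URLs are constructed.

// One rule in the shape the configuration steps describe: the protected
// Request URL, the POST URL wildcard the note recommends for AJAX rules,
// the allowlisted external domains, and the action taken on a violation.
const ALLOWLIST_RULE = {
  requestUrl: "https://bank.example/transfer",
  postUrl: "*",
  externalDomains: ["api.bank.example", "cdn.bank.example"],
  action: "alert_deny", // "alert" accepts and logs; "alert_deny" blocks
};

// A URL field is either the literal "*" (match anything) or an exact URL.
function matchesUrl(pattern, url) {
  return pattern === "*" || pattern === url;
}

// Decide what the rule does with one AJAX request issued from pageUrl to
// destination. Relative destinations resolve to the page's own host and are
// never external; an external host must appear in the allowlist.
function evaluateAjaxRequest(rule, pageUrl, destination) {
  const page = new URL(pageUrl);
  if (!matchesUrl(rule.requestUrl, page.origin + page.pathname)) {
    return { host: null, external: false, allowed: true, action: "unprotected" };
  }
  const host = new URL(destination, pageUrl).host.toLowerCase();
  if (host === page.host.toLowerCase()) {
    return { host, external: false, allowed: true, action: "accept" };
  }
  if (rule.externalDomains.some((d) => d.toLowerCase() === host)) {
    return { host, external: true, allowed: true, action: "accept" };
  }
  // Violation: the page tried to send data to a host outside the allowlist.
  const action = rule.action === "alert_deny" ? "deny" : "alert";
  return { host, external: true, allowed: false, action };
}

// Constructed scenarios: a same-origin call, an allowlisted API host, and a
// request to an unlisted host of the kind an AJAX sniffer would make.
const PAGE_URL = "https://bank.example/transfer";
const SAMPLE_DECISIONS = [
  "/api/balance",
  "https://api.bank.example/v1/transfer",
  "https://collector.example.net/drop",
].map((d) => evaluateAjaxRequest(ALLOWLIST_RULE, PAGE_URL, d));
console.log(SAMPLE_DECISIONS.map((r) => `${r.host} -> ${r.action}`).join("\n"));
```

The "unprotected" result covers pages whose URL does not match the rule's Request URL, which is why the Request URL must be the literal URL of the page that hosts the protected fields.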