MITB Protection
The Man-in-the-Browser (MITB) attack uses a Trojan horse to intercept and manipulate, on the fly, calls between the browser and its security mechanisms or libraries. The Trojan horse sniffs or modifies transactions as they are formed in the browser, while still displaying the transaction the user intended. The most common objective of this attack is financial fraud: manipulating Internet banking transactions, even when other authentication factors are in use.
To protect user inputs from MITB attacks, FortiWeb Cloud implements security rules including obfuscation, encryption, anti-keylogger, and an AJAX request allowlist.
Obfuscation
To prevent an MITB attack from identifying the names of user input fields, FortiWeb Cloud obfuscates them into meaningless character strings based on the Base64 encoding rule.
For example, for the account name, password, and other sensitive user input fields on a transaction page, the obfuscation rule disguises the real names of the input fields.
Encryption
To protect the password that users enter into the web page, FortiWeb Cloud encrypts the password from a readable form into an encoded version based on the Base64 encoding rule. The encrypted password can only be decoded by FortiWeb Cloud.
Anti-Keylogger
Sometimes an MITB attack installs a key logger in the user's browser that records each key pressed. Sensitive data such as passwords can be intercepted and recorded, compromising the user's account.
If the Anti-Keylogger rule is enabled for the password parameter, FortiWeb Cloud prevents the password from being recorded even if a key logger is installed in the user's browser.
AJAX Request allowlist
An MITB attack may use a malicious AJAX worm to compromise the user's browser. It creates an AJAX-based sniffer that overrides the open() and send() functions of the AJAX request object, and then sends the captured data to a program on a different domain.
FortiWeb Cloud supports configuring an allowlist for AJAX requests. If the user's browser sends an AJAX request to an external domain that is not in the allowlist, FortiWeb Cloud takes action according to your configuration.
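The allowlist decision described above, as an added example that is not FortiWeb Cloud's code and does not reflect how the product implements the rule internally: given the page's own origin, the external domains an operator has entered, and the configured action, each AJAX destination is classified as allow, alert, or deny. The action names, the sample origin, the sample allowlist and the request URLs are all constructed for the example. Two details a practitioner would want checked are shown: a domain entry matches only the domain itself or its subdomains (never a lookalike host that merely contains the string), and a plain-HTTP request to the page's own host is a different origin, not a same-origin request.

```javascript
// Added example, not FortiWeb Cloud code. Action names are assumptions.
const ACTIONS = { ALERT: "alert", ALERT_DENY: "alert_deny" };

// A host matches an allowlisted domain only when it is that domain or one of
// its subdomains. A substring test would accept "cdn.example.evil.test" for
// the entry "cdn.example", so compare on label boundaries instead.
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\*\./, ""); // tolerate "*.cdn.example"
  return host === domain || host.endsWith("." + domain);
}

// Classify one AJAX request. pageOrigin is the origin of the page that issued
// it; allowlist is the operator's list of permitted external domains; action
// is the configured action for violations.
function checkAjaxRequest(requestUrl, pageOrigin, allowlist, action) {
  const violation = action === ACTIONS.ALERT_DENY ? "deny" : "alert";
  let target;
  try {
    // Relative URLs such as "/api/balance" resolve against the page origin.
    target = new URL(requestUrl, pageOrigin);
  } catch (e) {
    // An unparseable destination is treated as a violation, not guessed at.
    return { verdict: violation, host: null, reason: "unparseable URL" };
  }
  const origin = new URL(pageOrigin);
  // Scheme, host and port must all agree for the request to be same-origin.
  if (target.origin === origin.origin) {
    return { verdict: "allow", host: target.host, reason: "same origin" };
  }
  if (allowlist.some((d) => hostMatchesDomain(target.hostname, d))) {
    return { verdict: "allow", host: target.host, reason: "allowlisted" };
  }
  return { verdict: violation, host: target.host, reason: "external domain not in allowlist" };
}

// Constructed sample: a banking page, two permitted third-party domains, and
// a mix of requests a legitimate script or an injected sniffer might issue.
const PAGE_ORIGIN = "https://bank.example";
const ALLOWLIST = ["cdn.example", "analytics.example.net"];

function runSample(action) {
  const requests = [
    "/api/transfer",                          // same origin
    "https://static.cdn.example/app.js",      // subdomain of an allowlisted domain
    "https://analytics.example.net/collect",  // allowlisted domain
    "https://cdn.example.evil.test/collect",  // lookalike host, must not match
    "https://collector.evil.test/collect",    // external domain not in the list
    "http://bank.example/api/transfer",       // same host over HTTP: different origin
  ];
  return requests.map((u) => ({ url: u, ...checkAjaxRequest(u, PAGE_ORIGIN, ALLOWLIST, action) }));
}

for (const r of runSample(ACTIONS.ALERT_DENY)) {
  console.log(`${r.verdict.padEnd(5)} ${r.url}  (${r.reason})`);
}
```

With the action set to Alert the three violations above are still reported but the verdict becomes "alert" rather than "deny", which mirrors the two actions this page offers.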
To configure MITB Protection, you must have already enabled this module in Add Modules. See How to add or remove a module.
- Configure the settings below to define the URL to protect.
Request URL
Enter the literal URL of the web page that contains the user input fields you want to protect.
POST URL
When the user inputs (e.g., the password) are posted to the web server, a new URL opens. This is the POST URL.
The format of the POST URL field is similar to that of the Request URL field.
Note: The AJAX request rule checks only the Request URL and does not involve POST URLs, so the POST URL of the AJAX request rule should be set to "*" to match any URL.
- To protect standard user inputs and passwords, click +Create Protected Parameter and configure these settings.
Input Name
Enter the name of the user input field. It must be exactly the same as the name of the input field in the source code of the web page.
Type
Select either Standard Input or Password Input.
Obfuscate
Available when the Type is either Standard Input or Password Input.
Encrypt
Available when the Type is Password Input.
Anti-KeyLogger
Available when the Type is Password Input.
- To add an allowlist for AJAX requests, click +Create External Domain and enter the external domain address.
If the user's browser sends an AJAX request to an external domain that is not in the domain list you have entered, FortiWeb Cloud takes action (Alert, or Alert & Deny) accordingly.
- From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.
Alert
Accept the request and generate an alert email and/or log message.
Alert & Deny
Block the request (or reset the connection) and generate an alert email and/or log message.
- Click SAVE.