Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

waf hidden-fields-rule

Use this command to configure hidden field rules.

Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a vector for other attacks.

Unlike other inputs, they are often written into an HTML page by the web server when it serves that page to the client, and are not visible on the rendered web page. As such, they are difficult to for users to unintentionally modify, and are often incorrectly perceived as relatively safe by website owners.

Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs, can be used to inject invalid data into your databases or attempt to tamper with the session state.

Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session’s hidden inputs as they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.

You apply hidden field constraints by first grouping them into a hidden field group. For details, see waf hidden-fields-protection.

Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs, using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf hidden-fields-rule

edit "<hidden-field-rule_name>"

set action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

set block-period <seconds_int>

set host "<protected-hosts_name>"

set host-status {enable | disable}

set request-file "<url_str>"

set action-url0 "<url_str>"

set action-url1 "<url_str>"

set action-url2 "<url_str>"

set action-url3 "<url_str>"

set action-url4 "<url_str>"

set action-url5 "<url_str>"

set action-url6 "<url_str>"

set action-url7 "<url_str>"

set action-url8 "<url_str>"

set action-url9 "<url_str>"

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

config hidden-field-name

edit <entry_index>

set argument "<hidden-field_str>"

next

end

next

end

Variable Description Default

"<hidden-field-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the hidden field rules in the entry:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

  • block-period—Block subsequent requests from the client for a number of seconds.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

alert

block-period <seconds_int>

If action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log} is block-period, enter the number of seconds that the connection will be blocked. The valid range is 1–3,600. 0

host "<protected-hosts_name>"

Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

This setting applies only if host-status {enable | disable} is enable.

No default.

host-status {enable | disable}

Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

disable

request-file "<url_str>"

Enter the literal URL, such as /login.jsp, that contains the hidden form.

The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". Regular expressions are not supported. The maximum length is 256 characters.

No default.

action-url0 "<url_str>"

Add up to 10 URLs that are valid to use with the HTTP POST method when the client submits the form containing the hidden fields in this rule. No default.

action-url1 "<url_str>"

action-url2 "<url_str>"

action-url3 "<url_str>"

action-url4 "<url_str>"

action-url5 "<url_str>"

action-url6 "<url_str>"

action-url7 "<url_str>"

action-url8 "<url_str>"

action-url9 "<url_str>"

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

argument "<hidden-field_str>"

Enter the name of the hidden form input, such as languagepref. The maximum length is 63 characters. No default.

Example

This example blocks and logs requests from search.jsp if its hidden form input, whose name is “languagepref”, is posted to any URL other than query.do.

config waf hidden-fields-rule

edit "hidden_fields_rule1"

set action alert_deny

set request-file "/search.jsp"

set action-url0 "/query.do"

config hidden-field-name

edit 1

set argument "languagepref"

next

end

next

end

Related topics

waf hidden-fields-rule

Use this command to configure hidden field rules.

Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a vector for other attacks.

Unlike other inputs, they are often written into an HTML page by the web server when it serves that page to the client, and are not visible on the rendered web page. As such, they are difficult to for users to unintentionally modify, and are often incorrectly perceived as relatively safe by website owners.

Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs, can be used to inject invalid data into your databases or attempt to tamper with the session state.

Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session’s hidden inputs as they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.

You apply hidden field constraints by first grouping them into a hidden field group. For details, see waf hidden-fields-protection.

Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs, using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf hidden-fields-rule

edit "<hidden-field-rule_name>"

set action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

set block-period <seconds_int>

set host "<protected-hosts_name>"

set host-status {enable | disable}

set request-file "<url_str>"

set action-url0 "<url_str>"

set action-url1 "<url_str>"

set action-url2 "<url_str>"

set action-url3 "<url_str>"

set action-url4 "<url_str>"

set action-url5 "<url_str>"

set action-url6 "<url_str>"

set action-url7 "<url_str>"

set action-url8 "<url_str>"

set action-url9 "<url_str>"

set severity {High | Medium | Low | Info}

set trigger "<trigger-policy_name>"

config hidden-field-name

edit <entry_index>

set argument "<hidden-field_str>"

next

end

next

end

Variable Description Default

"<hidden-field-rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing rules, enter:

edit ?

No default.

action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the hidden field rules in the entry:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

  • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

  • deny_no_log—Deny a request. Do not generate a log message.

  • block-period—Block subsequent requests from the client for a number of seconds.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

alert

block-period <seconds_int>

If action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log} is block-period, enter the number of seconds that the connection will be blocked. The valid range is 1–3,600. 0

host "<protected-hosts_name>"

Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

This setting applies only if host-status {enable | disable} is enable.

No default.

host-status {enable | disable}

Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

disable

request-file "<url_str>"

Enter the literal URL, such as /login.jsp, that contains the hidden form.

The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". Regular expressions are not supported. The maximum length is 256 characters.

No default.

action-url0 "<url_str>"

Add up to 10 URLs that are valid to use with the HTTP POST method when the client submits the form containing the hidden fields in this rule. No default.

action-url1 "<url_str>"

action-url2 "<url_str>"

action-url3 "<url_str>"

action-url4 "<url_str>"

action-url5 "<url_str>"

action-url6 "<url_str>"

action-url7 "<url_str>"

action-url8 "<url_str>"

action-url9 "<url_str>"

severity {High | Medium | Low | Info}

Select the severity level to use in logs and reports generated when a violation of the rule occurs. High

trigger "<trigger-policy_name>"

Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

To display the list of existing trigger policies, enter:

set trigger ?

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

argument "<hidden-field_str>"

Enter the name of the hidden form input, such as languagepref. The maximum length is 63 characters. No default.

Example

This example blocks and logs requests from search.jsp if its hidden form input, whose name is “languagepref”, is posted to any URL other than query.do.

config waf hidden-fields-rule

edit "hidden_fields_rule1"

set action alert_deny

set request-file "/search.jsp"

set action-url0 "/query.do"

config hidden-field-name

edit 1

set argument "languagepref"

next

end

next

end

Related topics