waf hidden-fields-rule
Use this command to configure hidden field rules.
Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a vector for other attacks.
Unlike other inputs, they are often written into an HTML page by the web server when it serves that page to the client, and are not visible on the rendered web page. As such, they are difficult for users to unintentionally modify, and are often incorrectly perceived as relatively safe by website owners.
Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs, can be used to inject invalid data into your databases or attempt to tamper with the session state.
Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session’s hidden inputs as they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.
You apply hidden field constraints by first grouping them into a hidden field group. For details, see waf hidden-fields-protection.
Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.
Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs, using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf hidden-fields-rule
  edit "<hidden-field-rule_name>"
    set action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}
    set block-period <seconds_int>
    set host "<protected-hosts_name>"
    set host-status {enable | disable}
    set severity {High | Medium | Low | Info}
    set trigger "<trigger-policy_name>"
    config hidden-field-name
      edit <entry_index>
        set argument "<hidden-field_str>"
      next
    end
  next
end
| Variable | Description | Default |
| "<hidden-field-rule_name>" | Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing rules, enter: | No default. |
| action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log} | Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the hidden field rules in the entry: Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail. Note: If you select an auto-learning profile with this rule, you should select | alert |
| block-period <seconds_int> | If action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log} is block-period, enter the number of seconds that the connection will be blocked. The valid range is 1–3,600. | 0 |
| host "<protected-hosts_name>" | Enter the name of a protected host that the This setting applies only if host-status {enable | disable} is | No default. |
| host-status {enable | disable} | Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>". Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the | disable |
|  | Enter the literal URL, such as The URL must begin with a slash ( / ). Do not include the name of the web host, such as | No default. |
|  | Add up to 10 URLs that are valid to use with the HTTP POST method when the client submits the form containing the hidden fields in this rule. | No default. |
| severity {High | Medium | Low | Info} | Select the severity level to use in logs and reports generated when a violation of the rule occurs. | High |
| trigger "<trigger-policy_name>" | Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters. To display the list of existing trigger policies, enter: | No default. |
| <entry_index> | Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. |
| argument "<hidden-field_str>" | Enter the name of the hidden form input, such as languagepref. The maximum length is 63 characters. | No default. |
Example
This example blocks and logs requests from search.jsp if its hidden form input, whose name is “languagepref”, is posted to any URL other than query.do.
config waf hidden-fields-rule
  edit "hidden_fields_rule1"
    set action alert_deny
    set request-file "/search.jsp"
    set action-url0 "/query.do"
    config hidden-field-name
      edit 1
        set argument "languagepref"
      next
    end
  next
end
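The check this rule configures (cache a session's hidden inputs as the page is served, then verify them when the form is submitted), sketched as a simplified Python model using the values from the example above. This is an added illustration, not FortiWeb code; the class and method names, the exact-match URL comparison, the treatment of an omitted field as a violation and the choice to pass requests from sessions with nothing cached are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# RULE uses the values of the example rule above; PAGE is a constructed sample.
RULE = {"request_file": "/search.jsp", "action_urls": {"/query.do"},
        "fields": {"languagepref"}}
PAGE = ('<form action="/query.do" method="post">'
        '<input type="hidden" name="languagepref" value="en">'
        '<input type="text" name="q"></form>')

class HiddenInputs(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a body."""
    def __init__(self):
        super().__init__()
        self.found = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.found[a["name"]] = a.get("value") or ""

class HiddenFieldGuard:
    def __init__(self, rule):
        self.rule = rule
        self.cache = {}  # session id -> {protected field: value served}

    def on_response(self, session_id, url, body):
        """Cache the protected hidden values as the page passes to the client."""
        if url != self.rule["request_file"]:
            return
        parser = HiddenInputs()
        parser.feed(body)
        self.cache[session_id] = {k: v for k, v in parser.found.items()
                                  if k in self.rule["fields"]}

    def on_request(self, session_id, method, url, form_body):
        """Return 'pass' or a violation reason for a submitted form."""
        served = self.cache.get(session_id)
        if method != "POST" or not served:
            return "pass"  # assumption: nothing cached means nothing to verify
        submitted = parse_qs(form_body, keep_blank_values=True)
        if url not in self.rule["action_urls"]:
            hit = any(name in submitted for name in served)
            return "violation: posted to unlisted URL" if hit else "pass"
        for name, value in served.items():
            # A list compare also rejects a duplicated parameter (a=en&a=fr).
            if submitted.get(name) != [value]:
                return f"violation: {name} modified or missing"
        return "pass"
```

Because the comparison is against the value served to that session, a changed value, a duplicated parameter and a dropped field all fail the same check.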