waf padding-oracle
Use this command to create a policy that protects vulnerable block cipher implementations for web applications that selectively encrypt inputs without using HTTPS.
To apply this policy, include it in an inline web or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf padding-oracle
edit "<padding-oracle_rule_name>"
set action {alert | alert_deny | block-period | deny_no_log}
set block-period <block-period_int>
set severity {High | Medium | Low | Info}
set trigger "<trigger-policy_name>"
config protected-url-list
edit <entry_index>
set host-status {enable | disable}
set url-type {plain | regular}
set protected-url "<protected-url_str>"
set target "<cookie parameter url>"
end
next
end
Variable | Description | Default |
Enter the name of a new or existing rule. The maximum length is 63 characters. To display the list of existing policies, enter:
|
No default. | |
Specify the action that FortiWeb takes when a request violates the rule:
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for. Attack log messages contain Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled. Note: Logging and/or alert email occur only when the these features are enabled and configured. For details, see log attack-log and log alertMail. Note: To use this rule set with auto-learning, select |
alert
|
|
Enter the number of seconds that FortiWeb blocks subsequent requests from the client after it detects that the client has violated the rule. This setting is available only if action {alert | alert_deny | block-period | deny_no_log} is The valid range is 1–4,294,967,295. |
1 | |
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level ) field. Specify the severity level FortiWeb uses when it logs a violation of this rule. |
Medium
|
|
Enter the name of the trigger policy, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy. To display the list of existing triggers, enter:
|
No default. | |
Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. | No default. | |
Specify Specify |
disable
|
|
Specify which protected host names entry (either a web host name or IP address) that the This option is available only if the value of host-status {enable | disable} is Maximum length is 256 characters. |
No default. | |
Enter to determine how the value of protected-url "<protected-url_str>" is specified:
|
plain |
|
If the value of url-type {plain | regular} is For example:
The URL must begin with a backslash ( / ). If the value of For example:
The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as Do not include the domain name, such as Regular expressions beginning with an exclamation point ( |
No default. | |
Specify which parts of the client’s requests FortiWeb examines for padding attack attempts:
|
parameter |
Example
This example illustrates a padding oracle rule that blocks requests to the host www.example.com
when a parameter appended in a traditional GET URL parameter or POST body matches the specified regular expression. When a request matches the expression, FortiWeb logs or sends a high-severity message as specified in the notification-servers1
trigger policy.
config waf padding-oracle
edit "padding-oracle1"
set action block-period
set block-period 3600
set severity High
set trigger "notification-servers1"
config protected-url-list
edit 1
set host-status enable
set host "www.example.com"
set url-type regular
set protected-url "\/profile\.jsp\?uid\=(.*)"
set target parameter
end