waf padding-oracle

Use this command to create a policy that protects vulnerable block cipher implementations in web applications that selectively encrypt inputs (for example, a user ID in a URL, parameter or cookie) without using HTTPS, and that would therefore reveal padding errors to a client that tampers with the ciphertext.

To apply this policy, include it in an inline web or Offline Protection profile. For details, see waf web-protection-profile inline-protection and waf web-protection-profile offline-protection.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf padding-oracle
    edit "<padding-oracle_rule_name>"
        set action {alert | alert_deny | block-period | deny_no_log}
        set block-period <block-period_int>
        set severity {High | Medium | Low | Info}
        set trigger "<trigger-policy_name>"
        config protected-url-list
            edit <entry_index>
                set host-status {enable | disable}
                set host "<host_str>"
                set url-type {plain | regular}
                set protected-url "<protected-url_str>"
                set target "<cookie parameter url>"
        end
    next
end

Variable Description Default

"<padding-oracle_rule_name>"

Enter the name of a new or existing rule. The maximum length is 63 characters.

To display the list of existing policies, enter:

edit ?

No default.

action {alert | alert_deny | block-period | deny_no_log}

Specify the action that FortiWeb takes when a request violates the rule:

  • alert—Accept the request and generate an alert email and/or log message.

  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.

  • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <block-period_int>.

  • deny_no_log—Deny the request. Do not generate a log message.

Note: If FortiWeb is deployed behind a NAT load balancer, when using block-period, define an X-header that indicates the original client's IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

Attack log messages contain Padding Oracle Attack when this feature detects a possible attack. Because this attack involves repeated brute-force requests, the attack log entry may not appear immediately, but should occur within 2 minutes, depending on your configured DoS alert interval.

Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

Note: Logging and/or alert email occur only when these features are enabled and configured. For details, see log attack-log and log alertMail.

Note: To use this rule set with auto-learning, select alert. If action is alert_deny or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the session information for auto-learning will be incomplete.

Default: alert

block-period <block-period_int>

Enter the number of seconds that FortiWeb blocks subsequent requests from the client after it detects that the client has violated the rule.

This setting is available only if action {alert | alert_deny | block-period | deny_no_log} is block-period.

The valid range is 1–36,000 seconds.

Default: 600

severity {High | Medium | Low | Info}

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Specify the severity level FortiWeb uses when it logs a violation of this rule.

Default: Medium

trigger "<trigger-policy_name>"

Enter the name of the trigger policy, if any, that the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of the rule. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default.

<entry_index>

Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999.

No default.

host-status {enable | disable}

Specify enable to apply this rule only to HTTP requests for specific web hosts. Also specify host "<host_str>".

Specify disable to match the rule based on the other criteria, such as the URL, but regardless of the Host: field.

Default: disable

host "<host_str>"

Specify the protected host names entry (a web host name or IP address) that the Host: field of the HTTP request must match for the rule to apply.

This option is available only if host-status {enable | disable} is set to enable.

Maximum length is 256 characters.

No default.

url-type {plain | regular}

Select how the value of protected-url "<protected-url_str>" is interpreted:

  • plain—A literal URL.
  • regular—A regular expression designed to match multiple URLs.

Default: plain

protected-url "<protected-url_str>"

If the value of url-type {plain | regular} is plain, enter the literal URL that matching HTTP requests contain.

For example:

/profile.jsp

The URL must begin with a slash ( / ).

If the value of url-type is regular, specify a regular expression that matches all of the URLs to which the rule should apply, and only those URLs.

For example:

^/*\.jsp\?uid\=(.*)

The pattern does not need to begin with a slash ( / ); however, it must at least match URLs that begin with a slash, such as /profile.cfm.

Do not include the domain name, such as www.example.com, which is specified by host.

Regular expressions beginning with an exclamation point ( ! ) are not supported. For information on language and regular expression matching, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

No default.

target "<cookie parameter url>"

Specify which part of the client's request FortiWeb examines for padding oracle attack attempts:

  • url—The URL path (for example, the value 0000012FE03BC2 embedded in the path /user/0000012FE03BC2).
  • parameter—A parameter (for example, user=0000012FE03BC2 in /index.php?user=0000012FE03BC2, passed in the query string of a GET request or in a POST body).
  • cookie—A cookie.

Default: parameter

Example

This example illustrates a padding oracle rule that blocks requests to the host www.example.com for 3600 seconds when a parameter in the GET query string or POST body matches the specified regular expression. When a request matches the expression, FortiWeb logs or sends a high-severity message as specified in the notification-servers1 trigger policy.

config waf padding-oracle
    edit "padding-oracle1"
        set action block-period
        set block-period 3600
        set severity High
        set trigger "notification-servers1"
        config protected-url-list
            edit 1
                set host-status enable
                set host "www.example.com"
                set url-type regular
                set protected-url "\/profile\.jsp\?uid\=(.*)"
                set target parameter
        end
    next
end
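To show how the matching settings (host-status, url-type, target) and block-period combine at request time, here is an added Python model of the rule in the example above. It is not FortiWeb code; the distinct-value threshold and 120-second window are assumptions chosen for illustration, and the traffic is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed rule mirroring the page's example; threshold/window are assumptions, not FortiWeb's.
RULE = {"host_status": True, "host": "www.example.com", "url_type": "regular",
        "protected_url": r"\/profile\.jsp\?uid\=(.*)", "target": "parameter",
        "block_period": 3600}
DISTINCT_THRESHOLD = 8   # assumed: distinct ciphertext values per client before alerting
WINDOW_SECONDS = 120     # assumed: mirrors the "within 2 minutes" note on the page
def rule_matches(rule, host, target):
    """host-status/host check, then url-type: plain = literal path, regular = regex."""
    if rule["host_status"] and host.lower() != rule["host"].lower():
        return False
    if rule["url_type"] == "plain":
        return urlsplit(target).path == rule["protected_url"]
    return re.search(rule["protected_url"], target) is not None
def examined_values(rule, target, cookie):
    """Values the rule inspects, selected by target (url | parameter | cookie)."""
    parts = urlsplit(target)
    if rule["target"] == "url":
        return [seg for seg in parts.path.split("/") if seg]
    if rule["target"] == "parameter":
        return [v for vs in parse_qs(parts.query).values() for v in vs]
    return [c.split("=", 1)[1].strip() for c in cookie.split(";") if "=" in c]
class PaddingOracleMonitor:
    def __init__(self, rule):
        self.rule, self.seen, self.blocked_until = rule, defaultdict(list), {}
    def observe(self, ts, client, host, target, cookie=""):
        """Return 'blocked', 'alert' or 'pass' for one request, emulating block-period."""
        if self.blocked_until.get(client, -1) > ts:
            return "blocked"
        if not rule_matches(self.rule, host, target):
            return "pass"
        for value in examined_values(self.rule, target, cookie):
            self.seen[client].append((ts, value))
        recent = {v for t, v in self.seen[client] if ts - t <= WINDOW_SECONDS}
        if len(recent) >= DISTINCT_THRESHOLD:   # many ciphertext variants = brute force
            self.blocked_until[client] = ts + self.rule["block_period"]
            return "alert"
        return "pass"
def run_sample():
    # Constructed traffic: 10.0.0.5 cycles the last hex digit of uid; 10.0.0.9 is benign.
    mon = PaddingOracleMonitor(RULE)
    results = [mon.observe(t, "10.0.0.5", "www.example.com",
                           "/profile.jsp?uid=0000012FE03BC%X" % t) for t in range(10)]
    results.append(mon.observe(11, "10.0.0.9", "www.example.com", "/profile.jsp?uid=0000012FE03BC2"))
    return results
```

Once the tampering client crosses the threshold it is blocked for the configured block-period while the benign client on the same URL continues to pass, which is the per-client behaviour the block-period action describes.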

Related topics
