For the standard (non-password) user input field such as the user name, FortiWeb obfuscates the name of the input field into a meaningless character string.
As shown in the following screenshot, for the input field which is in the "text" input type (non-password type), FortiWeb obfuscates the name of this input field. The value of the user input is kept as is.
The MiTB attack won't take this user input field as its target because the obfuscated name is meaningless to it.
To add the standard user input fields in the MiTB rule:
- Go to Web Protection > Advanced Protection > Man in the Browser Protection, select the Man in the Browser Protection Rule tab, select the MiTB rule you want to edit, then click Edit. See this topic to add the MiTB rule if you have not yet added one.
- In the Protected Parameter Table section at the middle of the page, click Create New.
- Enter the name of the user input filed. It should be exactly the same with the name of user input field in the source code of the web page.
- Select Standard Input for the Type.
- Enable Obfuscate.
- Click OK.
For example, if you want to protect the user input field named as "Card 1", the configuration looks like the following: