Administration Guide

Creating XSW Detection rules

XML Signature Wrapping (XSW) allows a malicious client to modify or forge a digitally signed document without breaking the included signature. The attack is accomplished by moving the original signed node set to another location within the document and replacing the contents at its original location.

To counter XSW attacks, FortiWeb locates the signed node within the XML file and executes signature verification specifically at that location. Consequently, if a forged node is positioned at the original node's location, or the original node is moved to another location, FortiWeb is able to detect it. In the XSW Detection rule, an XPath expression specifies the correct location of the signed node, while a certificate is used to verify whether the content of the signed node is legitimate.

To create an XSW Detection rule
  1. Go to XML Protection > XSW Detection Rule.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  2. Click Create New.
  3. Configure these settings:

    Name

    Enter a name that can be referenced by other parts of the configuration. You will use the name to select the rule in an XML protection rule.

    XML Client Certificate Group

    Select the XML client certificate group created from Server Objects > Certificate > XML Certificate > Client Certificate Group.

  4. Click OK.
  5. Click Create New to configure the namespace mappings table.

    This step instructs the system how to associate a prefix with its corresponding namespace during XPath parsing.

    You can map the namespace to the prefix that is defined in the XML file, or to a custom prefix that you prefer.

    Defining the mapping table is not required if the XML file to be protected does not associate a prefix with the namespace.

  6. For Prefix, enter the prefix to be paired with the intended namespace.
  7. For Namespace, enter the namespace.
  8. Click OK.
  9. Click Create New to configure the elements list. The elements list defines the XPath.
  10. For XPath, enter an XPath expression that specifies which part of the XML file is the signed node.
    For ID Attribute Name, enter the name of the attribute to be protected.
    Example 1:
    To protect the content within the <soapenv:Body> tag in the screenshot below, you can define the XPath as /soapenv:Envelope/soapenv:Body, with ID Attribute Name set to Id.
    Alternatively, you can add your own prefix in the mapping table, such as aa, and associate it with the namespace http://schemas.xmlsoap.org/soap/envelope/. You would then define the XPath as /aa:Envelope/aa:Body.

    Example 2:
    In this example, the XML does not define a prefix and namespace mapping. To protect the content within the <item> tag in the screenshot below, you can define the XPath as /document/data/item and leave the ID Attribute Name empty.
  11. Click OK.
  12. To add an XSW Detection rule to an XML protection rule, see Creating XML protection rules.
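The following is an added illustration, not FortiWeb code, of the location check the rule describes: the configured XPath (resolved through the prefix mapping table) and ID Attribute Name pick out the node that must carry the ID referenced by the signature, so a message whose signed node has been moved elsewhere and replaced at that location is rejected before any cryptographic verification. The SOAP messages, the `Wrap` element and the `nodes_at`/`xsw_check` helpers are constructed for this example; the `ds` prefix mapping is assumed for locating the Signature's Reference.

```python
import xml.etree.ElementTree as ET

# Prefix -> namespace mapping table, as configured in the rule (constructed here).
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def nodes_at(root, xpath, ns):
    """Resolve an absolute XPath such as /soapenv:Envelope/soapenv:Body (hypothetical helper)."""
    first, *rest = xpath.strip("/").split("/")
    pfx, _, local = first.rpartition(":")
    if root.tag != ("{%s}%s" % (ns[pfx], local) if pfx else local):
        return []                        # root element is not what the XPath expects
    return [root] if not rest else root.findall("/".join(rest), ns)

def xsw_check(xml_text, xpath, id_attr, ns=NS):
    """Return (ok, reason). ok only if exactly one node sits at `xpath` and,
    when id_attr is set, it is the node the Signature Reference points at."""
    root = ET.fromstring(xml_text)
    located = nodes_at(root, xpath, ns)
    if len(located) != 1:
        return False, "expected one node at %s, found %d" % (xpath, len(located))
    if not id_attr:                      # Example 2: no ID attribute, the location alone is anchored
        return True, "node at %s is the candidate for signature verification" % xpath
    ref = root.find(".//ds:Signature/ds:SignedInfo/ds:Reference", ns)
    if ref is None or not ref.get("URI", "").startswith("#"):
        return False, "no same-document signature reference"
    signed_id = ref.get("URI")[1:]
    if located[0].get(id_attr) != signed_id:
        return False, "node at %s has %s=%r, signature references %r" % (
            xpath, id_attr, located[0].get(id_attr), signed_id)
    holders = [e for e in root.iter() if e.get(id_attr) == signed_id]
    if len(holders) != 1:                # the signed ID must be unique in the document
        return False, "ID %r appears on %d elements" % (signed_id, len(holders))
    return True, "signed node %r is at %s" % (signed_id, xpath)

# Constructed sample: the signed Body sits at its expected location ...
GOOD = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><soapenv:Header>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#body1"/></ds:SignedInfo></ds:Signature>
 </soapenv:Header><soapenv:Body Id="body1"><getBalance>acct-1</getBalance></soapenv:Body>
</soapenv:Envelope>"""
# ... and the same message after wrapping: the signed Body has been moved into the
# Header and an unsigned Body occupies /soapenv:Envelope/soapenv:Body instead.
WRAPPED = GOOD.replace(
    '<soapenv:Body Id="body1"><getBalance>acct-1</getBalance></soapenv:Body>',
    '<soapenv:Body><getBalance>acct-2</getBalance></soapenv:Body>').replace(
    '</ds:Signature>',
    '</ds:Signature><Wrap><soapenv:Body Id="body1"><getBalance>acct-1</getBalance></soapenv:Body></Wrap>')

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("wrapped", WRAPPED)):
        print(label, xsw_check(doc, "/soapenv:Envelope/soapenv:Body", "Id"))
```

Running the block reports the legitimate message as acceptable and the wrapped one as rejected because the node at the configured XPath does not carry the referenced ID; the custom prefix from Example 1 works by adding `aa` to the mapping with the same namespace URI.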