Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.6.1 CLI Reference
    7.6.1
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf hidden-fields-rule

    waf hidden-fields-rule

    Use this command to configure hidden field rules.

    Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a vector for other attacks.

    Unlike other inputs, they are often written into an HTML page by the web server when it serves that page to the client, and are not visible on the rendered web page. As such, they are difficult to for users to unintentionally modify, and are often incorrectly perceived as relatively safe by website owners.

    Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs, can be used to inject invalid data into your databases or attempt to tamper with the session state.

    Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session’s hidden inputs as they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.

    You apply hidden field constraints by first grouping them into a hidden field group. For details, see waf hidden-fields-protection.

    Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs, using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/document/fortiweb

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf hidden-fields-rule

    edit "<hidden-field-rule_name>"

    set action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

    set block-period <seconds_int>

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set action-url0 "<url_str>"

    set action-url1 "<url_str>"

    set action-url2 "<url_str>"

    set action-url3 "<url_str>"

    set action-url4 "<url_str>"

    set action-url5 "<url_str>"

    set action-url6 "<url_str>"

    set action-url7 "<url_str>"

    set action-url8 "<url_str>"

    set action-url9 "<url_str>"

    set severity {High | Medium | Low | Info}

    set trigger "<trigger-policy_name>"

    config hidden-field-name

    edit <entry_index>

    set argument "<hidden-field_str>"

    next

    end

    next

    end

    Variable Description Default

    "<hidden-field-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the hidden field rules in the entry:

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

    • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

    • block-period—Block subsequent requests from the client for a number of seconds.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 alert

    block-period <seconds_int>

    		 If action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log} is block-period, enter the number of seconds that the connection will be blocked. The valid range is 1–3,600 seconds. 600

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

    Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Enter the literal URL, such as /login.jsp, that contains the hidden form.

    The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". Regular expressions are not supported. The maximum length is 256 characters.

    		 No default.

    action-url0 "<url_str>"

    		 Add up to 10 URLs that are valid to use with the HTTP POST method when the client submits the form containing the hidden fields in this rule. No default.

    action-url1 "<url_str>"

    action-url2 "<url_str>"

    action-url3 "<url_str>"

    action-url4 "<url_str>"

    action-url5 "<url_str>"

    action-url6 "<url_str>"

    action-url7 "<url_str>"

    action-url8 "<url_str>"

    action-url9 "<url_str>"

    severity {High | Medium | Low | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. High

    trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    argument "<hidden-field_str>"

    		 Enter the name of the hidden form input, such as languagepref. The maximum length is 63 characters. No default.

    Example

    This example blocks and logs requests from search.jsp if its hidden form input, whose name is “languagepref”, is posted to any URL other than query.do.

    config waf hidden-fields-rule

    edit "hidden_fields_rule1"

    set action alert_deny

    set request-file "/search.jsp"

    set action-url0 "/query.do"

    config hidden-field-name

    edit 1

    set argument "languagepref"

    next

    end

    next

    end

    Related topics

    Previous
    Next

    waf hidden-fields-rule

    waf hidden-fields-rule

    Use this command to configure hidden field rules.

    Hidden form inputs, like other types of parameters and inputs, can be vulnerable to tampering and can be used as a vector for other attacks.

    Unlike other inputs, they are often written into an HTML page by the web server when it serves that page to the client, and are not visible on the rendered web page. As such, they are difficult to for users to unintentionally modify, and are often incorrectly perceived as relatively safe by website owners.

    Like other inputs, however, they are accessible through the JavaScript document object model (DOM), and as inputs, can be used to inject invalid data into your databases or attempt to tamper with the session state.

    Hidden field rules prevent such tampering. The FortiWeb appliance caches the values of a session’s hidden inputs as they pass to the HTTP client, and verifies that they remain unchanged when the HTTP client submits a form.

    You apply hidden field constraints by first grouping them into a hidden field group. For details, see waf hidden-fields-protection.

    Before you configure a hidden field rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see server-policy allow-hosts.

    Alternatively, you can use the web UI to fetch the request URL from the server and scan it for hidden inputs, using the results to configure the hidden input rule. For details, see the FortiWeb Administration Guide:

    https://docs.fortinet.com/document/fortiweb

    To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

    Syntax

    config waf hidden-fields-rule

    edit "<hidden-field-rule_name>"

    set action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

    set block-period <seconds_int>

    set host "<protected-hosts_name>"

    set host-status {enable | disable}

    set request-file "<url_str>"

    set action-url0 "<url_str>"

    set action-url1 "<url_str>"

    set action-url2 "<url_str>"

    set action-url3 "<url_str>"

    set action-url4 "<url_str>"

    set action-url5 "<url_str>"

    set action-url6 "<url_str>"

    set action-url7 "<url_str>"

    set action-url8 "<url_str>"

    set action-url9 "<url_str>"

    set severity {High | Medium | Low | Info}

    set trigger "<trigger-policy_name>"

    config hidden-field-name

    edit <entry_index>

    set argument "<hidden-field_str>"

    next

    end

    next

    end

    Variable Description Default

    "<hidden-field-rule_name>"

    Enter the name of a new or existing rule. The maximum length is 63 characters.

    To display the list of existing rules, enter:

    edit ?

    		No default.

    action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log}

    Select one of the following actions that the FortiWeb appliance will perform when an HTTP request violates one of the hidden field rules in the entry:

    • alert—Accept the request and generate an alert email and/or log message.

    • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.

      You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg.

    • block-period—Block subsequent requests from the client for a number of seconds. Also configure block-period <seconds_int>.

      Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see waf x-forwarded-for.

    • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message. Also configure redirect-url "<redirect_fqdn>" and rdt-reason {enable | disable}.

    • send_403_forbidden—Reply to the client with an HTTP 403 Access Forbidden error message and generate an alert email and/or log message.

    • deny_no_log—Deny a request. Do not generate a log message.

    • block-period—Block subsequent requests from the client for a number of seconds.

    Caution: This setting will be ignored if monitor-mode {enable | disable} is enabled.

    Note: Logging and/or alert email will occur only if enabled and configured. For details, see log disk and log alertMail.

    Note: If you select an auto-learning profile with this rule, you should select alert. If the action is alert_deny, for example, the FortiWeb appliance will block the request or reset the connection when it detects an attack, resulting in incomplete session information for the auto-learning feature. For details about auto-learning requirements, see waf web-protection-profile autolearning-profile.

    		 alert

    block-period <seconds_int>

    		 If action {alert | alert_deny | redirect | block-period | send_403_forbidden | deny_no_log} is block-period, enter the number of seconds that the connection will be blocked. The valid range is 1–3,600 seconds. 600

    host "<protected-hosts_name>"

    Enter the name of a protected host that the Host: field of an HTTP request must be in order to match the rule. The maximum length is 256 characters.

    This setting applies only if host-status {enable | disable} is enable.

    		 No default.

    host-status {enable | disable}

    Enable to apply this hidden field rule only to HTTP requests for specific web hosts. Also configure host "<protected-hosts_name>".

    Disable to match the input rule based upon the other criteria, such as the URL, but regardless of the Host: field.

    		 disable

    request-file "<url_str>"

    Enter the literal URL, such as /login.jsp, that contains the hidden form.

    The URL must begin with a slash ( / ). Do not include the name of the web host, such as www.example.com, which is configured separately in host "<protected-hosts_name>". Regular expressions are not supported. The maximum length is 256 characters.

    		 No default.

    action-url0 "<url_str>"

    		 Add up to 10 URLs that are valid to use with the HTTP POST method when the client submits the form containing the hidden fields in this rule. No default.

    action-url1 "<url_str>"

    action-url2 "<url_str>"

    action-url3 "<url_str>"

    action-url4 "<url_str>"

    action-url5 "<url_str>"

    action-url6 "<url_str>"

    action-url7 "<url_str>"

    action-url8 "<url_str>"

    action-url9 "<url_str>"

    severity {High | Medium | Low | Info}

    		 Select the severity level to use in logs and reports generated when a violation of the rule occurs. High

    trigger "<trigger-policy_name>"

    Enter the name of the trigger to apply when this rule is violated. For details, see log trigger-policy. The maximum length is 63 characters.

    To display the list of existing trigger policies, enter:

    set trigger ?

    		No default.

    <entry_index>

    		 Enter the index number of the individual entry in the table. The valid range is 1–9,999,999,999,999,999,999. No default.

    argument "<hidden-field_str>"

    		 Enter the name of the hidden form input, such as languagepref. The maximum length is 63 characters. No default.

    Example

    This example blocks and logs requests from search.jsp if its hidden form input, whose name is “languagepref”, is posted to any URL other than query.do.

    config waf hidden-fields-rule

    edit "hidden_fields_rule1"

    set action alert_deny

    set request-file "/search.jsp"

    set action-url0 "/query.do"

    config hidden-field-name

    edit 1

    set argument "languagepref"

    next

    end

    next

    end

    Related topics

    Previous
    Next