Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.6.7
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 7.6.7 Administration Guide
    7.6.7
    8.0.4
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Detecting and mitigating SSL stripping

    Detecting and mitigating SSL stripping

    SSL Stripping is a form of Man-in-the-Middle (MitM) attack that exploits the way encryption protocols establish connections. By downgrading HTTPS connections to HTTP, attackers can intercept and manipulate sensitive data transmitted in plaintext. This technique, also known as an SSL Downgrade Attack, exposes users to data theft and content modification.

    To mitigate this threat, FortiWeb introduces a new Middle Proxy option in the Man-in-the-Browser (MitB) Protection module. This enhancement enables FortiWeb to analyze traffic and detect SSL stripping attempts by comparing security attributes from both the client and the server. If a mismatch is detected, FortiWeb logs the attack. To enhance security, enabling HTTP Strict Transport Security (HSTS) is recommended.

    When the Middle Proxy option is enabled in a Man-in-the-Browser Protection Rule, FortiWeb compares security attributes reported by the client—including protocol, host, User-Agent (UA), and security headers—against stored data. The client then reports its observed security attributes, allowing FortiWeb to detect discrepancies, such as missing or modified security headers, that may indicate an SSL stripping attack.

    For example, if the server response includes an HSTS header but the client reports its absence, FortiWeb identifies this discrepancy as a potential SSL stripping attempt.

    To apply Middle Proxy in the Man in the Browser Protection Rule:

    1. Navigate to Web Protection > Advanced Protection > Man in the Browser Protection.

    2. Click the Man in the Browser Protection Rule tab.

    3. Click Create New to define a new protection rule or select an existing rule to modify.

    4. Enable Middle Proxy to allow FortiWeb to analyze encrypted traffic and compare protocol integrity.

    5. Configure additional parameters as required and click OK to save the rule configuration.

    Apply the protection rule to the appropriate Web Protection Profile under Policy > Web Protection Profile. Then, monitor Log & Report > Attack Log for detected SSL stripping attempts and fine-tune configurations as needed.

    Detecting SSL Stripping

    SSL stripping attacks downgrade secure connections, exposing sensitive data to interception. FortiWeb detects these attacks by identifying mismatches between expected security attributes and those reported by the client. The following examples illustrate common SSL stripping detection scenarios.

    Protocol Downgrade:

    • The server responds with https://secure.example.com, but the client reports http://secure.example.com.

    • FortiWeb detects that the connection was downgraded from HTTPS to HTTP.

    Missing Security Headers:

    • The server includes Strict-Transport-Security (HSTS) and Content Security Policy (CSP) headers in its response.

    • The client reports missing or altered headers, indicating a possible SSL stripping attack.

    User-Agent (UA) Manipulation:

    • The server logs the original User-Agent string, but the client reports a different or generic UA.

    • FortiWeb detects potential tampering with client attributes.

    Unsecured Form Submission:

    • The server provides a login form over HTTPS, but the client submits credentials via HTTP.

    • FortiWeb identifies the downgrade and flags it as a security risk.

    Unexpected Redirects:

    • The server issues a 301/302 redirect to an HTTPS page, but the client reports being redirected to an HTTP version.

    • FortiWeb detects an inconsistency that may indicate SSL stripping in progress.

    Previous
    Next

    Detecting and mitigating SSL stripping

    Detecting and mitigating SSL stripping

    SSL Stripping is a form of Man-in-the-Middle (MitM) attack that exploits the way encryption protocols establish connections. By downgrading HTTPS connections to HTTP, attackers can intercept and manipulate sensitive data transmitted in plaintext. This technique, also known as an SSL Downgrade Attack, exposes users to data theft and content modification.

    To mitigate this threat, FortiWeb introduces a new Middle Proxy option in the Man-in-the-Browser (MitB) Protection module. This enhancement enables FortiWeb to analyze traffic and detect SSL stripping attempts by comparing security attributes from both the client and the server. If a mismatch is detected, FortiWeb logs the attack. To enhance security, enabling HTTP Strict Transport Security (HSTS) is recommended.

    When the Middle Proxy option is enabled in a Man-in-the-Browser Protection Rule, FortiWeb compares security attributes reported by the client—including protocol, host, User-Agent (UA), and security headers—against stored data. The client then reports its observed security attributes, allowing FortiWeb to detect discrepancies, such as missing or modified security headers, that may indicate an SSL stripping attack.

    For example, if the server response includes an HSTS header but the client reports its absence, FortiWeb identifies this discrepancy as a potential SSL stripping attempt.

    To apply Middle Proxy in the Man in the Browser Protection Rule:

    1. Navigate to Web Protection > Advanced Protection > Man in the Browser Protection.

    2. Click the Man in the Browser Protection Rule tab.

    3. Click Create New to define a new protection rule or select an existing rule to modify.

    4. Enable Middle Proxy to allow FortiWeb to analyze encrypted traffic and compare protocol integrity.

    5. Configure additional parameters as required and click OK to save the rule configuration.

    Apply the protection rule to the appropriate Web Protection Profile under Policy > Web Protection Profile. Then, monitor Log & Report > Attack Log for detected SSL stripping attempts and fine-tune configurations as needed.

    Detecting SSL Stripping

    SSL stripping attacks downgrade secure connections, exposing sensitive data to interception. FortiWeb detects these attacks by identifying mismatches between expected security attributes and those reported by the client. The following examples illustrate common SSL stripping detection scenarios.

    Protocol Downgrade:

    • The server responds with https://secure.example.com, but the client reports http://secure.example.com.

    • FortiWeb detects that the connection was downgraded from HTTPS to HTTP.

    Missing Security Headers:

    • The server includes Strict-Transport-Security (HSTS) and Content Security Policy (CSP) headers in its response.

    • The client reports missing or altered headers, indicating a possible SSL stripping attack.

    User-Agent (UA) Manipulation:

    • The server logs the original User-Agent string, but the client reports a different or generic UA.

    • FortiWeb detects potential tampering with client attributes.

    Unsecured Form Submission:

    • The server provides a login form over HTTPS, but the client submits credentials via HTTP.

    • FortiWeb identifies the downgrade and flags it as a security risk.

    Unexpected Redirects:

    • The server issues a 301/302 redirect to an HTTPS page, but the client reports being redirected to an HTTP version.

    • FortiWeb detects an inconsistency that may indicate SSL stripping in progress.

    Previous
    Next