Configuring a Hidden Field rule

Define the Hidden Field rule for Input Validation to check hidden parameters that come from <input type="hidden"> HTML tags. These hidden parameters are typically written into an HTML page by the web server when it serves that page to the client, and they are not visible on the rendered web page.

The Hidden Field rule function can do the following:

  • Check the HOST by simple string or regular expression matching.
  • Check the URL by simple string or regular expression matching.
  • Match the configuration of the fetched URL.

If all of the configured conditions match, FortiADC executes the specified action.

To configure a Hidden Field rule:
  1. Go to Web Application Firewall > Input Validation.
  2. Click the Hidden Field tab.
  3. Click Create New to display the configuration editor.
  4. Configure the following Hidden Field settings:

    Setting / Description

    Name
    Enter a unique name for the Hidden Field rule. Valid characters are A-Z, a-z, 0-9, _, and -. Spaces are not allowed.
    Note: Once saved, the name of a Hidden Field rule cannot be changed.

    Host Status
    Enable to require that the Host: field of the HTTP request match a protected host name's entry in order for the rule to match. Also configure Host.

    Host
    The Host option is available only if Host Status is enabled.
    Select the protected host name's entry (either a web host name or an IP address) that the Host: field of the HTTP request must match in order for the rule to match.

    Request URL
    The HTTP request URL must start with /, for example /login. This item must be set when configuring the rule. FortiADC evaluates the other items of the rule only after the request URL matches; if the URL match fails, FortiADC does not attempt to match the other items.

    Action
    Select the action profile that you want to apply. See Configuring WAF Action objects.
    The default value is Alert.

    Severity
    When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select the severity level that FortiADC uses for Input Validation violations:
    • Low
    • Medium
    • High
    The default value is Low.

  5. Click Save.
    Once the Hidden Field configuration is saved, the Post URL and Hidden Fields sections can be configured.
  6. Under the Post URL section, click Create New to display the configuration editor.
  7. In the URL field, specify the Post URL (the URL the form is submitted to) on which the hidden fields check is applied. Click Save and exit the configuration dialog.
  8. Under the Hidden Fields section, click Create New to display the configuration editor.
    Caution

    To apply this feature, you must enable Session Management in your protection profile.

  9. In the Name field, enter a unique Hidden Fields name. It must match the value of the name attribute of the <input type="hidden"> element in the HTML form. Click Save and exit the configuration dialog.
  10. Click Save to update the Hidden Field configuration.

After the Hidden Field rule has been saved, you can include it in an Input Validation Policy.
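The procedure above configures the rule in the FortiADC GUI but does not show what the check does at request time. The following Python script is an added illustration, not FortiADC code: it models a Hidden Field rule with the settings named above (Host Status, Host, Request URL, Post URL, Hidden Fields, Action, Severity), extracts the hidden inputs the server wrote into a served page, remembers them per session (which is why Session Management is required), and then flags a later POST to the Post URL whose hidden values were altered or dropped. The rule dictionary, the session store and the sample HTML are constructed assumptions for the example.

```python
from html.parser import HTMLParser

# Constructed example rule. Keys mirror the handbook's settings; the
# structure itself is an assumption, not FortiADC's configuration schema.
RULE = {
    "name": "login_hidden_fields",
    "host_status": True,
    "host": "www.example.com",          # protected host name (assumed)
    "request_url": "/login",            # page that serves the form
    "post_urls": {"/login/submit"},     # Post URLs where the check applies
    "hidden_fields": {"csrf_token", "account_id"},
    "action": "Alert",
    "severity": "Low",
}

# Constructed sample page as the back-end server would serve it.
SAMPLE_PAGE = (
    '<form method="post" action="/login/submit">'
    '<input type="hidden" name="csrf_token" value="abc123">'
    '<input type="hidden" name="account_id" value="42">'
    '<input type="text" name="user">'
    "</form>"
)


class HiddenInputParser(HTMLParser):
    """Collect name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html):
    """Return {name: value} for every hidden input in the page."""
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.fields


def matches_request(rule, host, url):
    """Host (when Host Status is enabled) and Request URL must both match;
    the remaining items are only considered once the URL matches."""
    if rule["host_status"] and host != rule["host"]:
        return False
    return url == rule["request_url"]


def record_served_page(rule, sessions, session_id, host, url, html):
    """On a matching response, remember the hidden fields the server wrote
    into the page for this session. Returns True if the rule applied."""
    if not matches_request(rule, host, url):
        return False
    served = extract_hidden_fields(html)
    sessions[session_id] = {k: v for k, v in served.items()
                            if k in rule["hidden_fields"]}
    return True


def check_post(rule, sessions, session_id, host, url, form):
    """Validate a POST to a configured Post URL against the values recorded
    for the session. Returns a list of violations; empty means consistent."""
    if rule["host_status"] and host != rule["host"]:
        return []
    if url not in rule["post_urls"]:
        return []
    expected = sessions.get(session_id)
    if expected is None:
        return [{"field": None, "reason": "no recorded form for session",
                 "action": rule["action"], "severity": rule["severity"]}]
    violations = []
    for name in sorted(rule["hidden_fields"]):   # sorted for stable output
        if name not in form:
            reason = "missing"
        elif form[name] != expected.get(name):
            reason = "value changed"
        else:
            continue
        violations.append({"field": name, "reason": reason,
                           "action": rule["action"],
                           "severity": rule["severity"]})
    return violations


if __name__ == "__main__":
    sessions = {}
    record_served_page(RULE, sessions, "s1", "www.example.com", "/login", SAMPLE_PAGE)
    tampered = {"csrf_token": "abc123", "account_id": "7", "user": "bob"}
    for v in check_post(RULE, sessions, "s1", "www.example.com", "/login/submit", tampered):
        print(v)
```

The ordering in `check_post` mirrors the handbook's note that FortiADC checks the Request URL before any other item: a POST to a URL that is not a configured Post URL, or to a host that does not match when Host Status is enabled, is not examined at all. The "no recorded form for session" case is also why the feature depends on Session Management: without a session, there is nothing to compare the submitted values against.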
