Fortinet 396 FortiWeb 5.0 Patch 6 Administration Guide
5. Click OK.
Credit Card Detection
Enable to detect credit card numbers in the response from the server. Also configure Credit Card Detection Threshold.
Credit card numbers being sent from the server to the client, especially on an unencrypted connection, constitute a violation of PCI DSS. In most cases, the client should only receive mostly-obscured versions of their credit card number, if they require it to confirm which card was used. This prevents bystanders from viewing the number, and also reduces the number of times that the actual credit card number could be observed by network attackers. For example, a web page might confirm a transaction by displaying a credit card number as:
XXXX XXXX XXXX 1234
This mostly-obscured version protects the credit card number from unnecessary exposure and disclosure. It would not trigger the credit card number detection feature.
However, if a web application does not obscure displays of credit card numbers, or if an attacker has found a way to bypass the application's protection mechanisms and gain a list of customers' credit card numbers, a web page might contain a list with many credit card numbers in clear text. Such a web page would be considered a data leak, and would trigger credit card number disclosure detection.
Attack log messages contain Credit Card Detection and the subtype and signature (for example, Credit Card Detection : Signature ID 100000001) when this feature detects a credit card disclosure.
In the Action column, select what FortiWeb will do when it detects this type of attack:
• Alert
• Alert & Deny
• Alert & Erase
• Period Block
Credit Card Detection Threshold
Type 0 to report any credit card number disclosure, or enter a threshold if the web page must contain a number of credit card numbers that equals or exceeds the threshold in order to trigger the credit card number detection feature.
For example, to ignore web pages with only one credit card number, but to detect when a web page contains two or more credit card numbers, enter 2.
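The detection and threshold behaviour described under Credit Card Detection and Credit Card Detection Threshold, as an added illustration that is not FortiWeb's own code or signature set: a small Python scanner that looks for clear-text card numbers in a response body, ignores masked numbers such as XXXX XXXX XXXX 1234, applies the threshold rule (0 reports any disclosure; N requires N or more distinct numbers), and shows the masking an application should apply before the response leaves the server. The digit-run pattern and the Luhn check are assumptions about what a credit card signature matches; the sample HTML responses and the card numbers in them are constructed test values.

```python
import re

# Assumption: a candidate is a run of 13-19 digits, optionally separated by
# single spaces or hyphens, not embedded in a longer digit run. FortiWeb's
# actual signatures are not published in this guide.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> list[str]:
    """Return the distinct, Luhn-valid card numbers present in clear text."""
    found = []
    for m in CANDIDATE_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def evaluate(body: str, threshold: int) -> dict:
    """Apply the threshold rule: 0 means any disclosure triggers, N means N or more numbers."""
    cards = find_card_numbers(body)
    required = threshold if threshold > 0 else 1
    triggered = len(cards) >= required
    return {
        "count": len(cards),
        "triggered": triggered,
        # Log text modelled on the guide's example message; the ID is the one the guide quotes.
        "log": "Credit Card Detection : Signature ID 100000001" if triggered else "",
    }


def mask_card(digits: str) -> str:
    """Mostly-obscured form: every digit but the last four replaced by X, grouped in fours."""
    masked = "X" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def redact_response(body: str) -> str:
    """Mitigation on the application side: mask Luhn-valid numbers before the page is served."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_card(digits) if luhn_ok(digits) else m.group(0)
    return CANDIDATE_RE.sub(_sub, body)


# Constructed sample responses. The three card numbers are public test numbers;
# the 16-digit order number fails the Luhn check and must not count.
LEAKED_RESPONSE = """<html><body>
<p>Order 1234567890123456 confirmed.</p>
<p>Cards on file:</p>
<ul><li>4111 1111 1111 1111</li><li>5500-0000-0000-0004</li><li>378282246310005</li></ul>
</body></html>"""

MASKED_RESPONSE = """<html><body>
<p>Order 1234567890123456 confirmed with card XXXX XXXX XXXX 1234.</p>
</body></html>"""


if __name__ == "__main__":
    for threshold in (0, 2, 4):
        print(threshold, evaluate(LEAKED_RESPONSE, threshold))
    print(evaluate(MASKED_RESPONSE, 0))
    print(redact_response(LEAKED_RESPONSE))
```

Running the block shows the leaked page triggering at threshold 0 and 2 but not at 4 (three distinct numbers found), the masked page never triggering, and the redacted page containing nothing the scanner still matches, which is the state a compliant application should already be in before the WAF sees the response.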
Custom Signature Group
Select a custom signature group to use, if any. For details, see "Defining custom data leak & attack signatures" on page 401.
Attack log messages contain Custom Signature Detection and the name of the individual signature when this feature detects an attack.
To view and/or edit the custom signature set, click the Detail link. The Edit Custom Signature Group dialog appears.
Setting name Description