Fortinet 5.0 Patch 6

Fortinet 396 FortiWeb 5.0 Patch 6 Administration Guide

5. Click OK.

Credit Card

Detection

Enable to detect credit card numbers in the response from the

server. Also configure Credit Card Detection Threshold.

Credit card numbers being sent from the server to the client,

especially on an unencrypted connection, constitute a violation of

PCI DSS. In most cases, the client should only receive

mostly-obscured versions of their credit card number, if they

require it to confirm which card was used. This prevents

bystanders from viewing the number, but also reduces the number

of times that the actual credit card number could be observed by

network attackers. For example, a web page might confirm a

transaction by displaying a credit card number as:

XXXX XXXX XXXX 1234

This mostly-obscured version protects the credit card number from

unnecessary exposure and disclosure. It would not trigger the

credit card number detection feature.

However, if a web application does not obscure displays of credit

card numbers, or if an attacker has found a way to bypass the

application’s protection mechanisms and gain a list of customers’

credit card numbers, a web page might contain a list with many

credit card numbers in clear text. Such a web page would be

considered a data leak, and trigger credit card number disclosure

detection.

Attack log messages contain Credit Card Detection and the

subtype and signature (for example, Credit Card Detection

: Signature ID 100000001) when this feature detects a credit

card disclosure.

In the Action column, select that the FortiWeb will do when it

detects this type of attack:

•Alert

•Alert & Deny

• Alert & Erase

•Period Block

Credit Card

Detection Threshold

Type 0 to report any credit card number disclosures, or enter a

threshold if the web page must contain a number of credit cards

that equals or exceeds the threshold in order to trigger the credit

card number detection feature.

For example, to ignore web pages with only one credit card

number, but to detect when a web page containing two or more

credit cards, enter 2.

Custom Signature

Group

Select a custom signature group to use, if any. For details, see

“Defining custom data leak & attack signatures” on page 401.

Attack log messages contain Custom Signature Detection

and the name of the individual signature when this feature detects

an attack.

To view and/or edit the custom signature set, click the Detail link.

The Edit Custom Signature Group dialog appears.

Setting name Description