Fortinet 411 FortiWeb 5.0 Patch 6 Administration Guide
Enforcing page order that follows application logic
Page order rules (called “page access rules” in the web UI) define URLs that must be accessed
in a specific order to enforce correct business logic or application logic of a web application,
and prevent cross-site request forgery (CSRF) attacks.
For example, a password change should always occur in this order:
1. A client begins an HTTP session by requesting the login page.
GET /login.asp
When the web server responds, FortiWeb adds its HTTP session cookie to the response to
initiate a unique HTTP session for that client. All subsequent requests from the client will
include this cookie until the client ends the session or the cookie expires. The cookie
identifies the client, and coupled with the request URL, allows FortiWeb to track the client’s
current session state, and enforce session-related features.
2. The client submits his or her authentication credentials.
POST /checkLogin.asp?account=user1&password=myPassw0rd!
Depending on the web application, the client’s login status could be cached server-side, or
could be added to a cookie in the response, to be cached client-side.
3. If the login is successful, the web application displays the client’s account profile, which
includes a password change form.
GET /profile.asp
4. The client submits a password change request.
POST /setPassword.asp?account=user1&password=myPassw0rd!
5. If the password change is successful, the account profile web page notifies the client.
GET /profile.asp?status=success
Authentication is required to prove the client’s identity. Unless HTTP session initiation is
required and the initial authentication is bound to that session, an attacker could change (or
possibly simply read) the password of any user’s account just by making a request like step 4,
with the password query in its URL, and/or by replaying a stolen session cookie. Therefore
password access should never be allowed in page requests ordered like this:
1. An attacker posts a password change for another person’s account.
POST /setPassword.asp?account=user1&password=myPassw0rd!
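As an added illustration of how such a rule behaves (example code written for this page, not FortiWeb’s implementation), the following simplified Python model tracks each session cookie’s position in the five-step order above, allows the legitimate sequence, and blocks the attacker’s direct step-4 request; the rule list, the cookie format and the sample traffic are constructed.

```python
# Constructed page order rule modelling the guide's password-change flow;
# steps are (method, path) and query strings are stripped before matching.
PASSWORD_CHANGE_RULE = [
    ("GET", "/login.asp"),
    ("POST", "/checkLogin.asp"),
    ("GET", "/profile.asp"),
    ("POST", "/setPassword.asp"),
    ("GET", "/profile.asp"),
]

class PageOrderEnforcer:
    def __init__(self, rule):
        self.rule = rule
        self.sessions = {}  # session cookie -> index of the next expected step

    def handle(self, method, url, cookie=None):
        """Return (verdict, cookie): ALLOW, BLOCK, or PASS for URLs outside the rule."""
        step = (method.upper(), url.split("?", 1)[0])
        if step not in self.rule:
            return "PASS", cookie
        if cookie not in self.sessions:
            # No session (or an unknown cookie): only the first step may start
            # a flow, and a fresh session cookie is issued for it.
            if step != self.rule[0]:
                return "BLOCK", cookie
            cookie = f"sess-{len(self.sessions) + 1}"  # stand-in for a random cookie
            self.sessions[cookie] = 1
            return "ALLOW", cookie
        nxt = self.sessions[cookie]
        if step != self.rule[nxt]:
            return "BLOCK", cookie  # out of order for this session
        # After the last step the client must begin again at the login page.
        self.sessions[cookie] = (nxt + 1) % len(self.rule)
        return "ALLOW", cookie

def run_sequence(requests, rule=PASSWORD_CHANGE_RULE):
    """Feed (method, url) pairs from one client through a fresh enforcer."""
    enforcer, cookie, verdicts = PageOrderEnforcer(rule), None, []
    for method, url in requests:
        verdict, cookie = enforcer.handle(method, url, cookie)
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: the guide's legitimate flow and the direct step-4 request.
LEGITIMATE = [("GET", "/login.asp"), ("POST", "/checkLogin.asp?account=user1"),
              ("GET", "/profile.asp"), ("POST", "/setPassword.asp?account=user1"),
              ("GET", "/profile.asp?status=success")]
DIRECT_CHANGE = [("POST", "/setPassword.asp?account=user1")]
```

The model enforces only request order: a session cookie replayed at the right point in the flow still passes, which is why the text above pairs page order with required session initiation and authentication bound to that session.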