Fortinet 5.0 Patch 6

Fortinet 412 FortiWeb 5.0 Patch 6 Administration Guide

2. The account profile page notifies the attacker of the successful change.

GET /profile.asp?status=success

where the password change page (/setPassword.asp) is requested before the client has

initiated an authenticated session.

In another example, an e-commerce application might be designed to work properly in this

order:

1. A client begins an HTTP session by adding an item to a shopping cart.

/addToCart.do

2. The client either views and adds additional items to the shopping cart at multiple other

URLs, or proceeds directly to the checkout.

3. The client confirms the items to purchase.

/checkout.do

4. The client provides shipping information.

/shipment.do

5. The client pays for the items and shipment, completing the transaction.

/payment.do

Sessions that begin at the shipping or payment stage should therefore be invalid. If the web

application does not enforce this rule itself, it could be open to CSRF attacks on the payment

feature. To prevent such abuse, FortiWeb could enforce the rule itself using a page access rule

set with the following order in an HTTP session:

1. /addToCart.do?item=*

2. /checkout.do?login=*

3. /shipment.do

4. /payment.do

Attempts to request /payment.do before those other URLs (including the first URL, which

initiates the HTTP session) during a session would be denied, and generate an alert email

and/or attack log message (see “Logging” on page 542 and “Alert email” on page 576).

Requests for other, non-ordered URLs are allowed to interleave ordered URLs during the client’s

session. (Due to web browsers’ back buttons, flexible and complex features, and customers

browsing your e-commerce inventory before completing a transaction, this is common.) Page

access rules may be specific to a web host. This ensures that if web applications have URLs

with the same name, you do not necessarily have to apply the same page order rules.

You can use SNMP traps to notify you when a page order rule has been enforced. For details,

see “SNMP traps & queries” on page 580.

To configure a page order rule

1. Before you configure a page order rule, if you want to apply it only to HTTP requests for a

specific real or virtual host, you must first define the web host in a protected hosts group.

For details, see “Defining your protected/allowed HTTP “Host:” header names” on page 249.

2. Go to Web Protection > Access > Page Access.

To access this part of the web UI, your administrator’s account access profile must have

Read and Write permission to items in the Web Protection Configuration category. For

details, see “Permissions” on page 47.

3. Click Create New.

A dialog appears.