Fortinet 412 FortiWeb 5.0 Patch 6 Administration Guide
2. The account profile page notifies the attacker of the successful change.
GET /profile.asp?status=success
where the password change page (/setPassword.asp) is requested before the client has initiated an authenticated session.
In another example, an e-commerce application might be designed to work properly in this order:
1. A client begins an HTTP session by adding an item to a shopping cart.
/addToCart.do
2. The client either views and adds additional items to the shopping cart at multiple other URLs, or proceeds directly to the checkout.
3. The client confirms the items to purchase.
/checkout.do
4. The client provides shipping information.
/shipment.do
5. The client pays for the items and shipment, completing the transaction.
/payment.do
Sessions that begin at the shipping or payment stage should therefore be invalid. If the web application does not enforce this rule itself, it could be open to CSRF attacks on the payment feature. To prevent such abuse, FortiWeb could enforce the rule itself using a page access rule set with the following order in an HTTP session:
1. /addToCart.do?item=*
2. /checkout.do?login=*
3. /shipment.do
4. /payment.do
Attempts to request /payment.do before those other URLs (including the first URL, which initiates the HTTP session) during a session would be denied, and generate an alert email and/or attack log message (see “Logging” on page 542 and “Alert email” on page 576).
Requests for other, non-ordered URLs are allowed to interleave ordered URLs during the client’s session. (Due to web browsers’ back buttons, flexible and complex features, and customers browsing your e-commerce inventory before completing a transaction, this is common.) Page access rules may be specific to a web host. This ensures that if web applications have URLs with the same name, you do not necessarily have to apply the same page order rules.
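The following is an added illustration of the page-order logic described above, written for this guide excerpt; it is not FortiWeb's own code and does not reproduce how the appliance evaluates rules. It models one rule as an ordered list of URL patterns bound to an optional host, tracks how far each HTTP session has progressed, lets non-ordered URLs interleave, and records a denial (the equivalent of the attack log message) when an ordered URL such as /payment.do is requested before the steps that precede it. The host name shop.example.com, the session identifiers and the sample requests are constructed for the example. Two behaviours are assumptions made here rather than statements from the guide: a pattern without a query string matches the request path alone (so adding a query string cannot turn an ordered URL into an "unordered" one), and re-requesting a step the session has already completed is allowed, to accommodate the back-button case the text mentions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of a page access (page order) rule for this example only;
# it is not FortiWeb's implementation.


@dataclass
class PageAccessRule:
    ordered_urls: List[str]          # patterns in required order, "*" is a wildcard
    host: Optional[str] = None       # None: rule applies to requests for any host


@dataclass
class SessionState:
    reached: int = 0                 # ordered steps this session has completed so far


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Only "*" is a wildcard; everything else in the pattern is literal.
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def url_matches(pattern: str, request: str) -> bool:
    """Assumption: a pattern without '?' is matched against the request path only,
    so '/payment.do' also covers '/payment.do?ref=7'."""
    if "?" in pattern:
        return pattern_to_regex(pattern).match(request) is not None
    path = request.split("?", 1)[0]
    return pattern_to_regex(pattern).match(path) is not None


def evaluate(rule: PageAccessRule, state: SessionState, host: str, request: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one request within one session."""
    if rule.host is not None and rule.host != host:
        return "allow", "rule does not apply to this host"
    for step, pattern in enumerate(rule.ordered_urls, start=1):
        if url_matches(pattern, request):
            # The next step in order, or a step already completed (assumption: allowed)
            if step <= state.reached + 1:
                state.reached = max(state.reached, step)
                return "allow", f"ordered step {step}"
            return "deny", f"step {step} requested before step {state.reached + 1}"
    return "allow", "non-ordered URL, may interleave"


def run(rule: PageAccessRule, events: List[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """events are (session_id, host, request). Returns the verdict per event and
    attack-log style entries for every denied request."""
    sessions: Dict[str, SessionState] = {}
    verdicts: List[str] = []
    attack_log: List[str] = []
    for session_id, host, request in events:
        state = sessions.setdefault(session_id, SessionState())
        verdict, reason = evaluate(rule, state, host, request)
        verdicts.append(verdict)
        if verdict == "deny":
            attack_log.append(
                f"session={session_id} host={host} url={request} page order violation: {reason}"
            )
    return verdicts, attack_log


# The rule from the text, bound to a constructed host name.
CHECKOUT_RULE = PageAccessRule(
    host="shop.example.com",
    ordered_urls=["/addToCart.do?item=*", "/checkout.do?login=*", "/shipment.do", "/payment.do"],
)

# Constructed sample traffic: four sessions on two hosts.
SAMPLE_EVENTS = [
    ("s1", "shop.example.com", "/addToCart.do?item=42"),
    ("s1", "shop.example.com", "/browse.do?cat=shoes"),     # non-ordered URL interleaves
    ("s1", "shop.example.com", "/checkout.do?login=alice"),
    ("s1", "shop.example.com", "/shipment.do"),
    ("s1", "shop.example.com", "/payment.do?ref=7"),
    ("s2", "shop.example.com", "/payment.do"),              # session starts at payment: denied
    ("s3", "shop.example.com", "/addToCart.do?item=9"),
    ("s3", "shop.example.com", "/payment.do"),              # skips checkout and shipment: denied
    ("s4", "blog.example.com", "/payment.do"),              # other host, rule not applied
]

if __name__ == "__main__":
    verdicts, log = run(CHECKOUT_RULE, SAMPLE_EVENTS)
    for event, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(verdict, event)
    for entry in log:
        print(entry)
```

Running the block prints the verdict for each sample request followed by the two log entries for sessions s2 and s3; the host check at the top of evaluate() is what makes the rule host-specific, so the same URL names on blog.example.com are left alone.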
You can use SNMP traps to notify you when a page order rule has been enforced. For details, see “SNMP traps & queries” on page 580.
To configure a page order rule
1. Before you configure a page order rule, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group. For details, see “Defining your protected/allowed HTTP “Host:” header names” on page 249.
2. Go to Web Protection > Access > Page Access.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions” on page 47.
3. Click Create New.
A dialog appears.