Fortinet 431 FortiWeb 5.0 Patch 6 Administration Guide
When this form is submitted, the attacker orders TVs at a price reduced from $900 to $1. The
request looks like this:
POST /processPayment.do HTTP/1.1
Host: www.example.com
Referer: http://www.example.com/checkout.do
Cookie: JSESSIONID=12345667890
Content-Type: application/x-www-form-urlencoded

quantity=9999&price=1
Unless the web application validates the price on the server side rather than trusting the
submitted value, /processPayment.do accepts the request, processes the order, and returns a
normal reply like this:
HTTP/1.1 302 Found
Set-Cookie: JSESSIONID=12345667890;HttpOnly
Location: http://www.example.com/thankYou.do
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
The client then loads the final “thank you” shopping cart page indicated in the reply’s
Location: header.
Hidden field rules prevent this kind of tampering by caching the values of a session’s hidden
inputs as they pass from the server to the client, and then verifying that those values are
unchanged when the client submits the form to its POST URL. A request whose hidden fields are
missing or altered does not match the cached copy and is treated as a violation.
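The following is an added example, not FortiWeb code, of the check a hidden field rule performs: record the hidden inputs of each form as the server sends it to the client, keyed by the session cookie and the form's POST URL, and compare them with what the client later submits. The sample checkout page, session cookie value and request bodies are constructed for illustration, and the class and function names are assumptions of this example.

```python
"""Minimal hidden-field tampering check (added example, not product code).

The server response is parsed for <form> elements and their hidden <input>
values; those values are cached per (session, POST URL). A later POST for the
same session and URL must carry every cached hidden field back unchanged.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class HiddenFieldCollector(HTMLParser):
    """Collect {form action: {hidden input name: value}} from an HTML page."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._action = None  # action of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action", "")
            self.forms.setdefault(self._action, {})
        elif (tag == "input" and self._action is not None
              and a.get("type", "").lower() == "hidden"):
            self.forms[self._action][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


class HiddenFieldRule:
    """Cache hidden inputs on the way out; verify them on the way back in."""

    def __init__(self):
        # (session id, form POST URL) -> {hidden name: value seen in the response}
        self.cache = {}

    def observe_response(self, session_id, html):
        collector = HiddenFieldCollector()
        collector.feed(html)
        for action, hidden in collector.forms.items():
            self.cache[(session_id, action)] = hidden

    def check_request(self, session_id, post_url, body):
        """Return a list of violations; an empty list means the POST is consistent."""
        expected = self.cache.get((session_id, post_url))
        if expected is None:
            return ["no cached form for this session and URL"]
        # keep_blank_values so a deliberately emptied field is seen, not dropped
        submitted = parse_qs(body, keep_blank_values=True)
        violations = []
        for name, value in expected.items():
            values = submitted.get(name)
            if values is None:
                violations.append(f"hidden field {name!r} missing")
            elif len(values) != 1:
                violations.append(f"hidden field {name!r} sent {len(values)} times")
            elif values[0] != value:
                violations.append(
                    f"hidden field {name!r} changed from {value!r} to {values[0]!r}")
        return violations


# Constructed sample: the checkout page carries the price in a hidden input.
CHECKOUT_HTML = """
<html><body>
<form action="/processPayment.do" method="post">
  <input type="hidden" name="price" value="900">
  <label>Quantity <input type="text" name="quantity" value="1"></label>
  <input type="submit" value="Pay">
</form>
</body></html>
"""
SESSION = "JSESSIONID=12345667890"  # assumed session cookie value


def demo():
    """Run the rule against a legitimate POST and the tampered POST from the text."""
    rule = HiddenFieldRule()
    rule.observe_response(SESSION, CHECKOUT_HTML)
    ok = rule.check_request(SESSION, "/processPayment.do", "quantity=2&price=900")
    tampered = rule.check_request(SESSION, "/processPayment.do", "quantity=9999&price=1")
    return ok, tampered


if __name__ == "__main__":
    legit, bad = demo()
    print("legitimate:", legit or "no violations")
    print("tampered:  ", bad)
```

The cache is keyed on the session cookie because the same form may be served with different hidden values to different users; keying on the POST URL rather than the page that contained the form is what lets the check apply when the form is submitted to a different handler, as /checkout.do does to /processPayment.do above.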
To configure a hidden field rule
1. Before you configure a hidden field rule, if you want to apply it only to HTTP/HTTPS requests
for a specific real or virtual host, you must first define the web host in a protected hosts
group. For details, see “Defining your protected/allowed HTTP “Host:” header names”.
2. Go to Web Protection > Input Validation > Hidden Fields Rule.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
3. Click Create New.
A dialog appears.