Fortinet 473 FortiWeb 5.0 Patch 6 Administration Guide
Cookie Poisoning
Detection
Enable to detect cookie poisoning, then select which of the following actions the FortiWeb appliance will take if cookie tampering is detected:
Alert — Accept the request and generate an alert email and/or log message.
Alert & Deny — Block the request and generate an alert and/or log message.
Period Block — Block requests for a specified number of seconds as set in the accompanying field to the right. The range is 1 to 3600. See also “Monitoring currently blocked IPs” on page 606.
Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see “Defining your proxies, clients, & X-headers” on page 266). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.
Remove Cookie — Accept the request, but remove the poisoned cookie from the datagram before it reaches the web server, and generate an alert and/or log message.
For more information on logging and alerts, see “Configuring logging” on page 545.
When enabled, each cookie is accompanied by a cookie named <cookie_name>_fortinet_waf_auth, which carries a digest of the cookie’s original value as set by the web server. If the cookie returned by the client does not match this digest, the FortiWeb appliance detects cookie poisoning. This feature can be useful to prevent many types of cookie-based attack, such as session ID fraud.
Note: This feature requires that the client support cookies.
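The following is an added illustration of the companion-cookie mechanism described above, not Fortinet's implementation: the guide does not document how the digest is computed, so HMAC-SHA256 keyed with a WAF-side secret is assumed here, and the function names, the key and the sample cookies are constructed for the example. It shows the response side (adding the <cookie_name>_fortinet_waf_auth companion), the request side (detecting a mismatch) and the Remove Cookie and Alert & Deny outcomes.

```python
import hmac
import hashlib

# Companion-cookie suffix as named in the guide; the digest scheme below is an assumption.
AUTH_SUFFIX = "_fortinet_waf_auth"


def _digest(name: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over name=value (assumed scheme, not Fortinet's)."""
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header ('a=1; b=2') into an ordered name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def protect_response(set_cookies: dict, key: bytes) -> dict:
    """Server -> client: for every cookie the server sets, add a companion digest cookie."""
    out = dict(set_cookies)
    for name, value in set_cookies.items():
        out[name + AUTH_SUFFIX] = _digest(name, value, key)
    return out


def check_request(cookie_header: str, key: bytes, action: str = "alert") -> tuple:
    """Client -> server: return (poisoned_names, cookies_to_forward).

    action: "alert" forwards everything, "remove_cookie" strips each poisoned
    cookie and its companion, "alert_deny" forwards nothing (None) on a hit.
    """
    cookies = parse_cookie_header(cookie_header)
    poisoned = []
    for name, value in cookies.items():
        if name.endswith(AUTH_SUFFIX):
            continue
        auth = cookies.get(name + AUTH_SUFFIX)
        if auth is None:
            continue  # cookie never passed through the WAF, so there is nothing to compare
        if not hmac.compare_digest(auth, _digest(name, value, key)):
            poisoned.append(name)
    if action == "alert_deny" and poisoned:
        return poisoned, None
    forwarded = dict(cookies)
    if action == "remove_cookie":
        for name in poisoned:
            forwarded.pop(name, None)
            forwarded.pop(name + AUTH_SUFFIX, None)
    return poisoned, forwarded
```

A client that does not return the companion cookie is treated as unprotected rather than poisoned, which is why the guide notes the feature requires client cookie support.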
Signatures
Select the name of the signature set, if any, that will be applied to matching requests. Also configure Enable AMF3 Protocol Detection.
Attack log messages for this feature vary by which type of attack was detected. For a list, see “Blocking known attacks & data leaks” on page 387.
Enable AMF3
Protocol Detection
Enable to scan requests that use Action Message Format 3.0 (AMF3) for:
cross-site scripting (XSS) attacks
SQL injection attacks
common exploits
and other attack signatures that you have enabled in Signatures.
AMF3 is a binary format that can be used by Adobe Flash/Flex clients to send input to server-side software.
Caution: To scan for attacks or enforce input rules on AMF3, you must enable this option. If it is disabled, the FortiWeb appliance cannot scan AMF3 requests for attacks.
Enable XML
Protocol Detection
Enable to scan for matches with attack and data leak signatures in Web 2.0 (XML AJAX), SOAP, and other XML submitted by clients in the bodies of HTTP POST requests.
Setting name Description