PSIRT Advisory

FortiWeb's cookie tampering protection can be bypassed by erasing the FortiWeb session cookie


FortiWeb 5.6.0 introduced a feature called "Signed Security Mode", which, when enabled, would prevent an attacker from tampering with "regular" cookies set by the web-sites protected by FortiWeb; in effect, access to the protected web-site can be blocked when cookie tampering is detected (depending on the "Action" selected by the FortiWeb admin).

This protection can, however, be rendered inoperative if the attacker removes FortiWeb's own session cookie. The protected web-sites then become accessible, even with altered cookies.


Improper Access Control

Affected Products

FortiWeb 5.6.0 and above.


A fix is scheduled in upcoming FortiWeb v6.1.0. However, a simple workaround with no downside is available for impacted versions, as described below:

Use "Encrypted" security mode instead of "Signed" security mode. Cookies set by protected web-sites will then be encrypted by FortiWeb before being passed on to the end-users. Since attackers do not know the encryption key, cookie tampering remains impossible, and removing FortiWeb's own session cookie will not enable a protection bypass.

From the FortiWeb GUI, choose "Encrypted" Security Mode under Web Protection > Cookie Security.

From the FortiWeb CLI, set security-mode to "encrypted" instead of "signed":

    config waf cookie-security
        edit [cookie-security_name]
            set security-mode {no | encrypted* | signed}
        next
    end
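As an added example (not Fortinet's code), a small Python check that parses a saved FortiWeb CLI configuration and lists the cookie-security policies still using "signed" mode, so the workaround above can be verified across all policies; the configuration text and policy names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of FortiWeb CLI output (not taken from a real device);
# only the security-mode setting named in the advisory is modelled here.
SAMPLE_CONFIG = """\
config waf cookie-security
    edit "legacy-policy"
        set security-mode signed
    next
    edit "hardened-policy"
        set security-mode encrypted
    next
    edit "untouched-policy"
    next
end
"""


def parse_cookie_security(config_text: str) -> Dict[str, str]:
    """Return {policy name: security-mode} for every entry in the
    'config waf cookie-security' block. Entries that never set the
    mode are reported as 'unset'. Nested sub-tables are skipped."""
    modes: Dict[str, str] = {}
    in_block = False
    depth = 0           # nesting level of config ... end blocks
    current = None      # policy name of the 'edit' entry being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            if line == "config waf cookie-security":
                in_block, depth = True, 1
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                break
            continue
        if depth != 1:
            continue    # settings inside sub-tables are not security-mode
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            modes[current] = "unset"
            continue
        m = re.match(r"set security-mode\s+(\S+)$", line)
        if m and current is not None:
            modes[current] = m.group(1)
        elif line == "next":
            current = None
    return modes


def policies_needing_workaround(config_text: str) -> List[str]:
    """Names of cookie-security policies still in 'signed' mode."""
    return sorted(name for name, mode in parse_cookie_security(config_text).items()
                  if mode == "signed")


if __name__ == "__main__":
    for name in policies_needing_workaround(SAMPLE_CONFIG):
        print(f"{name}: security-mode signed -> switch to encrypted")
```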

Further Reference:


Fortinet is pleased to thank independent researcher "Yavuz Özdemir" from 4S Information Technology for reporting this vulnerability under responsible disclosure.