AACastillo
Staff
February 27, 2026

Technical Tip: Configure protection against prototype pollution attacks in FortiWeb

Description
This article describes how to protect against prototype pollution attacks using FortiWeb.

Scope
FortiWeb.

Solution

Prototype pollution is a JavaScript vulnerability in which an attacker modifies an object's prototype to inject or alter properties shared by all objects in an application. This can allow the attacker to bypass security controls, cause a Denial of Service (DoS), trigger cross-site scripting (XSS), and more. To protect against this type of attack with FortiWeb, a custom signature can be configured.

  1. Go to Web Protection -> Known Attacks -> Custom Signature. Select Custom Signature and then select 'Create New':

[Screenshot: 01a.png]

  2. In New Custom Signature, configure the following:
  • Name: Use any name (preferably without spaces).
  • Action: Alert and deny.

Leave all other fields unchanged. After that, select OK.

[Screenshot: 02a.png]

  3. Select 'Create New':

[Screenshot: 03a.png]

  4. In New Custom Signature Meet Condition Rule, configure the following settings:
  • Match Operator: Regular expression match
  • Case Sensitive: Disable
  • Regular Expression: \b(__proto__|constructor\.prototype|prototype)\b

[Screenshot: 04a.png]

  5. In the Available Target column, select 'Parameter Name' and 'Parameter Value', then select the right arrow to move them to Selected Target. After that, select OK:

[Screenshot: 05a.png]

  6. The configured values will appear in the Custom Signature Meet Condition Rule list. To finish this part, select OK:

[Screenshot: 06a.png]

  7. Select Custom Signature Group and select 'Create New':

[Screenshot: 07a.png]

  8. Under Name, use any name (preferably without spaces). Then, select OK:

[Screenshot: 08a.png]

  9. Select 'Create New':

[Screenshot: 09a.png]

  10. In New Signature Group Member -> Custom Signature, search for and select the signature created in steps 1-6. After that, select OK:

[Screenshot: 10a.png]

  11. In Edit Custom Signature Group, select OK:

[Screenshot: 11a.png]

  12. Go to Web Protection -> Known Attacks -> Signatures and select the signature profile used in the server policy (or create a new one if there is none). Select it and then select Edit (or double-click the signature profile):

[Screenshot: 12a.png]

  13. In Edit Signature Policy, under Custom Signature Group, select the custom signature group created in steps 7-11. After that, select OK:
[Screenshot: 13a.png]

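The following is an added example, not code from the article or from FortiWeb: it applies the regular expression from step 4 in JavaScript, against parameter names and values the way the signature targets them, over constructed request bodies, and pairs it with an application-side safe merge as defence in depth. The helper names `flattenParams`, `matchSignature` and `safeMerge` are assumptions for illustration.

```javascript
// Added example (not FortiWeb code). The regex from step 4, case-insensitive
// as configured there, applied to parameter names and values.
const SIGNATURE = /\b(__proto__|constructor\.prototype|prototype)\b/i;

// Flatten a parsed request body into (name, value) pairs so that nested keys
// such as {"__proto__": {"isAdmin": true}} are inspected like form parameters.
function flattenParams(obj, prefix = '', out = []) {
  for (const [key, value] of Object.entries(obj)) {
    const name = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === 'object') {
      flattenParams(value, name, out);
    } else {
      out.push([name, String(value)]);
    }
  }
  return out;
}

// Returns which target (Parameter Name or Parameter Value) the signature
// matched and the matched text, or null when the body is clean.
function matchSignature(body) {
  for (const [name, value] of flattenParams(body)) {
    if (SIGNATURE.test(name)) return { target: 'Parameter Name', hit: name };
    if (SIGNATURE.test(value)) return { target: 'Parameter Value', hit: value };
  }
  return null;
}

// Application-side defence in depth: merge user-supplied data into a target
// object while refusing the keys that can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop polluting keys entirely
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample bodies: two pollution attempts, one clean, one benign
// value that still contains the bare word "prototype".
const samples = [
  '{"__proto__":{"isAdmin":true}}',
  '{"constructor":{"prototype":{"isAdmin":true}}}',
  '{"user":"alice","bio":"hello"}',
  '{"product":"prototype board"}',
];
for (const s of samples) console.log(s, '->', matchSignature(JSON.parse(s)));
```

The last sample shows that matching the bare word `prototype` in Parameter Value can flag legitimate data, so review alerts on real traffic before relying on the Alert and deny action.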

Related information: