Loky_40NT
Staff
Article Id 328724
Description

This article provides an in-depth understanding of CAPTCHA behavior in custom security policies.

Scope

FortiWeb-VM, FortiWeb above v7.4.1.

Solution

Starting from v7.4.1, when working with custom security policies, especially those that involve CAPTCHA challenges, it is important to understand how these mechanisms operate in order to manage and strengthen web security effectively.

Below are detailed insights based on a real-world configuration scenario.

config waf custom-access rule
    edit "test-brute-force-login"
        set action alert_deny
        set severity High
        set bot-confirmation enable
        set bot-recognition captcha-enforcement
        set validation-timeout 10
        config url-filter
            edit 1
                set request-file ^/test-custom$
            next
        end
        config http-header-filter
            edit 1
                set header-value ^custom-test.com$
            next
        end
        config occurrence
            edit 1
                set occurrence-num 3
                set within 10
                set traced-by Http-Session
            next
        end
    next
end

When a user accesses 'https://custom-test.com/test-custom', matching the conditions above, and the client requests non-HTML content, or the response code is 300 or higher, the system evaluates several criteria: client management level, known search engines, known bots, and IP intelligence. If any of these checks fail, the 'alert & deny' action is taken; this counts as a CAPTCHA failure, and the user is never shown a CAPTCHA challenge.

The Real Browser Enforcement (RBE) engine, which handles CAPTCHA and reCAPTCHA, has an idle timeout hard-coded at 10 minutes.

Within this period, if a CAPTCHA challenge fails, all subsequent requests within the same HTTP session will be marked as 'Fail'. Conversely, if a CAPTCHA challenge succeeds, all subsequent requests within the same HTTP session will be marked as 'Success' and will bypass further CAPTCHA challenges.
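To make the flow above concrete, the following Python model (added here for illustration; it is not FortiWeb's implementation) reproduces the described decision sequence for the rule shown: the per-HTTP-session occurrence count, the fallback checks for non-HTML requests or 300+ responses, and the cached Success/Fail result that lives until the 10-minute RBE idle timeout. Host, path, threshold and window values are taken from the rule; the `client_checks_pass` flag stands in for the client management, search engine, known bot and IP intelligence checks, and allowing a request when those checks pass is an assumption, since the article only describes the failing case.

```python
from dataclasses import dataclass, field
import re

# Values taken from the rule above; the regexes are the rule's own patterns
RULE_HOST = re.compile(r"^custom-test.com$")
RULE_PATH = re.compile(r"^/test-custom$")
OCCURRENCE_NUM, WITHIN = 3, 10        # 3 matching requests within 10 s, traced by HTTP session
RBE_IDLE_TIMEOUT = 10 * 60            # hard-coded 10-minute RBE idle timeout, in seconds

@dataclass
class Session:
    hits: list = field(default_factory=list)  # timestamps of requests matching the rule
    captcha: str = ""                         # "", "Success" or "Fail"
    last_seen: float = 0.0

class CaptchaRuleModel:
    """Constructed model of the behaviour described above, not FortiWeb code."""
    def __init__(self):
        self.sessions = {}

    def _session(self, sid, ts):
        s = self.sessions.setdefault(sid, Session(last_seen=ts))
        if ts - s.last_seen > RBE_IDLE_TIMEOUT:
            s.captcha = ""                    # idle too long: cached CAPTCHA result is dropped
        s.last_seen = ts
        return s

    def request(self, sid, ts, host, path, wants_html=True, status=200, client_checks_pass=True):
        s = self._session(sid, ts)
        if not (RULE_HOST.match(host) and RULE_PATH.match(path)):
            return "allow"                    # URL or Host filter not matched: rule not involved
        s.hits = [t for t in s.hits if ts - t < WITHIN] + [ts]
        if len(s.hits) < OCCURRENCE_NUM:
            return "allow"                    # occurrence threshold not reached yet
        if s.captcha == "Success":
            return "allow"                    # validated earlier in this HTTP session
        if s.captcha == "Fail":
            return "deny"                     # earlier failure marks the rest of the session
        if not wants_html or status >= 300:
            # No page to embed a challenge in: fall back to the client-management,
            # search-engine, known-bot and IP-intelligence checks instead
            if not client_checks_pass:
                s.captcha = "Fail"            # counted as a CAPTCHA failure: alert & deny
                return "deny"
            return "allow"                    # assumption: the article does not state this case
        return "challenge"                    # HTML client: serve the CAPTCHA page

    def captcha_result(self, sid, ts, solved):
        # Record the outcome of a served challenge for the session
        self._session(sid, ts).captcha = "Success" if solved else "Fail"
```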
