shafiq23
Staff
Article Id 342690
Description This article describes how to configure and enable Credential Stuffing Defense in a User Tracking policy.
Scope FortiWeb, FortiWeb-VM.
Solution

Requirement:

  • Valid Credential Stuffing Defense Contract.
  • Database synchronized via FortiGuard.

 

From GUI:

  1. Navigate to Tracking -> User Tracking.
  2. Select Create New.
  3. Input required settings (Host, Authentication URL, Username/Password Field, etc.).
  4. Enable 'Credential Stuffing Defense' and 'Credential Stuffing Online Check'.
  5. Set action (Alert, Alert&Deny, Deny(no log), Redirect, Block Period).
  6. Select OK.

 

The test button allows users to test the local and online Credential Stuffing Defense database. Enter suspected malicious credentials to verify.

 


More information about User Tracking rules is available in the documentation:

FortiWeb Administration Guide - Tracking 

 

Note: Credential Stuffing Defense is not supported in offline mode.
 

Steps to verify:

  1. Browse to the protected login URL. For example: https://dvwa.ftntlab.local/login.php.
  2. Use possibly malicious user credentials to log in. For example: admin/admin123.
  3. The request will be blocked by FortiWeb.
  4. An attack log is generated. Verify it in Log&Report -> Log Access -> Attack.