FortiWEB URL Rewrite HowTo

Technical Document

Document Information
Revision 0.1
Revised 4/15/2010
Filename: url_rewrite_howto.docx

Author Information
Kevin Zhang
zhangjw@fortinet.com

Fortinet Confidential – Not for external distribution

This document contains confidential information that is proprietary to Fortinet Inc. No part of its contents may be used,
copied, disclosed or conveyed to any party in any manner whatsoever without prior written permission from Fortinet Inc.
© Copyright 2005, Fortinet Inc. All rights reserved.

URL Rewrite HowTo

 Revision History

Revision Date Revised Author(s) Description

0.1 Apr 13, 2010 Kevin Zhang Initial Version

URL Rewrite HowTo

 Table of Contents

1. Introduction .......................................................................................................................................... 4

2. Use Action - URL Rewrite to jump inside one protected server/physical server.................................. 5

2.1. Objective ........................................................................................................................................ 5

2.2. Configuration ................................................................................................................................. 5

3. Use Action - Redirect to jump between two protected servers/physical servers ................................ 8

3.1. Objective ........................................................................................................................................ 8

3.2. Configuration ................................................................................................................................. 9

4. Use Action - Redirect to jump to outside website .............................................................................. 12

4.1. Objective ...................................................................................................................................... 12

4.2. Configuration ............................................................................................................................... 12

5. Appendix A: Example - Rewriting URLs using regular expressions ..................................................... 15

5.1. Example 1..................................................................................................................................... 15

5.2. Example 2..................................................................................................................................... 15

5.3. Example 3..................................................................................................................................... 16

5.4. Example 4..................................................................................................................................... 16

6. Appendix B: Example - Rewriting URLs using variables ...................................................................... 17

6.1. Example 1..................................................................................................................................... 17

6.2. Example 2..................................................................................................................................... 18

URL Rewrite HowTo

Introduction
URL rewriting rules can:

 rewrite the URL line in the HTTP header

 rewrite the Referer: field in the HTTP header

 redirect requests to another web site

Similar to error message cloaking, URL rewriting can be useful to prevent the disclosure of
underlying technology or web site structures to HTTP clients.

For example, when visiting a blog web page, its URL might be:

http://www.example.com/wordpress/?feed=rss2

Simply knowing the file name, that the blog uses PHP, its compatible database types, and
the names of parameters via the URL could help an attacker to craft an appropriate attack
for that platform. By rewriting the URL to something more human-readable and less
platform-specific, we hide these details:

http://www.example.com/rss2

Note: URLs in the HTML body will not be rewritten.

Note: URL rewrites are applicable only if the FortiWeb unit is operating in inline protection
mode, or transparent mode for connections without SSL.

FortiWeb unit will take one of following actions when it receives a matching request.

 Rewrite URL: Rewrite both the Host and request URL fields in HTTP header.

 Rewrite Referer: Rewrite Referer field in HTTP header.

 Redirect: Send a 302 (Moved Temporarily) response to the client, with a new Location
field in the HTTP header.

 Send 403 Forbidden: Send a 403 (Forbidden) response to the client.

URL Rewrite HowTo

Use Action - URL Rewrite to jump inside one protected

server/physical server

Objective
Assume we have a FortiWEB setup as following.

One FortiWEB runs at Inline (Reverse Proxy) mode to protect one physical server.

The virtual server IP is 10.0.0.1 and physical server IP is 192.168.1.1.

/index.html and /test.html are the two html pages on physical server. Assume /index.html is
under maintenance and we want the users to use /test.html as a short term alternative.

Configuration
In order to do achieve requirement, we need to setup a URL rewriting rule as following.

URL Rewrite HowTo

There are four important items in this configuration: Action, Condition Table, Host and URL.

Action
Select Action to be "Rewrite URL". "Rewrite URL" allow you to rewrite both the Host and
URL fields in HTTP header of incoming HTTP request.

Condition Table
You can create multiple conditions for a single URL rewrite action to check/match different
parts of an incoming HTTP request. For this sample, only one condition will serve the
purpose.

URL Rewrite HowTo

You use the "Object" to specify the match target. Selecting "HTTP Request URL" means we
are interesting in the URL part of the incoming request.

In the "Regular Expression", we input "/index.html" and select "Meet this condition if" as
"Object matches the regular expression". This will make sure the URL rewrite action will be
taken if we see a request to "index.html".

Host
Type the domain or IP of the host, such as store.example.com or 192.168.1.1. The given
string will replace the original value of the Host field in incoming HTTP request.

Most of the time, this configuration is NOT necessary, such as our sample here.

This configuration is ONLY useful if the physical server has the security check that the Host
field in HTTP request MUST match its own IP. If that's the case, you will need to input the
physical server IP as the "Host" value and that IP will replace the incoming request Host field
to satisfy the physical server security check. Here is a sample.

This field supports back references such as $0 to the parts of the original request that
matched any capture groups that you entered in Regular Expression for each object in the
condition table. (A capture group is a regular expression, or part of one, surrounded in
parentheses.)

Use $n (0 «= n «= 9) to invoke a sub-string, where n is the order of appearance of the regular

expression, from left to right, from outside to inside, then from top to bottom.

For example, regular expressions in the condition table in this order:

URL Rewrite HowTo
(a)(b)(c(d))(e)(f)

would result in invokable variables with the following values:

? $0: a

? $1: b

? $2: cd

? $3: d

? $4: e

? $5: f

For an example, see Appendix B for details.

URL
Type the string, in our sample, /test.html, that will replace the request URL. Do not include
the name of the web host, such as www.example.com, nor the protocol, which are
configured separately in the Host field and Protocol, respectively.

Like Host, this field supports back references such as $0 to the parts of the original request
that matched any capture groups that you entered in Regular Expression for each object in
the condition table. For an example, see Appendix B for details.

Use Action - Redirect to jump between two protected

servers/physical servers

Objective
Assume we have a FortiWEB setup as following.

One FortiWEB runs at Inline (Reverse Proxy) mode to protect two physical servers.

URL Rewrite HowTo

The virtual server IP is 10.0.0.1 and physical server IP is 192.168.1.1 for WEB server A.

The virtual server IP is 10.0.0.2 and physical server IP is 192.168.1.2 for WEB server B with
SSL offloading.

/index.html is a html page on WEB server A and /test.html is a html page on WEB server B.
Assume /index.html of WEB server A is under maintenance and we want the users to use
/test.html of WEB server B as a short term alternative.

Configuration
In order to do achieve requirement, we need to setup a URL rewriting rule as following.

URL Rewrite HowTo

There are five important items in this configuration: Action, Condition Table, Protocol, Host
and URL.

Action
Select Action to be "Redirect". "Rewrite URL" allow you to send a 302 (Moved Temporarily)
response to the client, with a new Location field in the HTTP header.

Condition Table
You can create multiple conditions for a single URL rewrite action to check/match different
parts of an incoming HTTP request. For this sample, only one condition will serve the
purpose.

URL Rewrite HowTo

You use the "Object" to specify the match target. Selecting "HTTP Request URL" means we
are interesting in the URL part of the incoming request.

In the "Regular Expression", we input "/index.html" and select "Meet this condition if" as
"Object matches the regular expression". This will make sure the URL rewrite action will be
taken if we see a request to "index.html".

Protocol
A typical Location field in redirect/302 HTTP header looks like:

Location: https://www.test.com/hello.html

The location field can be divided into three parts: protocol, host and URL.

Here, you choose the protocol to be HTTPS, because WEB server B policy has SSL offloading
turned on.

Host
Type the domain or IP of the host, such as store.example.com or 192.168.1.1. The given
string will be host part of the Location field.

URL
Type the string, in our sample, /test.html, that will replace the request URL. Do not include
the name of the web host, such as www.example.com, nor the protocol, which are
configured separately in the Host field and Protocol, respectively.

Like Host, this field supports back references such as $0 to the parts of the original request
that matched any capture groups that you entered in Regular Expression for each object in
the condition table. For an example, see Appendix B for details.
URL Rewrite HowTo
NOTE: We notice that dividing the Location field into 3 parts even confuses users instead of
making it simple. So in future version, we plan to use a single Location input box to allow
users to input the whole string.

Use Action - Redirect to jump to outside website

Objective
Assume we have a FortiWEB setup as following.

One FortiWEB runs at Inline (Reverse Proxy) mode to protect one physical server.

The virtual server IP is 10.0.0.1 and physical server IP is 192.168.1.1.

/index.html is a html page on WEB server A. Assume /index.html is under maintenance and
we want the users to use /index.html on www.nba.com a short term alternative.

Configuration
In order to do achieve requirement, we need to setup a URL rewriting rule as following.

URL Rewrite HowTo

There are five important items in this configuration: Action, Condition Table, Protocol, Host
and URL.

Action
Select Action to be "Redirect". "Rewrite URL" allow you to send a 302 (Moved Temporarily)
response to the client, with a new Location field in the HTTP header.

Condition Table
You can create multiple conditions for a single URL rewrite action to check/match different
parts of an incoming HTTP request. For this sample, only one condition will serve the
purpose.

URL Rewrite HowTo

You use the "Object" to specify the match target. Selecting "HTTP Request URL" means we
are interesting in the URL part of the incoming request.

In the "Regular Expression", we input "/index.html" and select "Meet this condition if" as
"Object matches the regular expression". This will make sure the URL rewrite action will be
taken if we see a request to "index.html".

Protocol
A typical Location field in redirect/302 HTTP header looks like:

Location: https://www.test.com/hello.html

The location field can be divided into three parts: protocol, host and URL.

Here, you can ignore this seting, because www.nba.com is also running at HTTP.

Host
Type the domain or IP of the host, such as store.example.com or 192.168.1.1. The given
string will be host part of the Location field.

URL
Type the string, in our sample, /index.html, that will replace the request URL. Do not include
the name of the web host, such as www.example.com, nor the protocol, which are
configured separately in the Host field and Protocol, respectively.

Like Host, this field supports back references such as $0 to the parts of the original request
that matched any capture groups that you entered in Regular Expression for each object in
the condition table. For an example, see Appendix B for details.

URL Rewrite HowTo

Appendix A: Example - Rewriting URLs using regular

expressions
Example.edu is a large university. Professors of example.edu use a mixture of WordPress and
Movable Type software for their course web pages to keep students updated. In addition,
the campus bookstore and software store use custom shopping cart software.
The URLs of all of these web applications contain clues about the underlying vendors,
databases and scripting languages.

Because it is a large organization with many mobile users and guests, and an Internet
connection with large bandwidth, the university is therefore a frequent target of attacks. Its
network administrators want to hide the underlying technology to make it more difficult for
attackers to craft platform-specific attacks. Example.edu also wants to make clients’
bookmarked URLs more permanent, so that clients will not need to repair them if the
university switches software vendors.

Because it has so many URLs, the university uses regular expressions to rewrite sets of
similar URLs, rather than configuring rewrites for each URL individually. More specific URL
rewrite rules are selected first in the URL rewriting group, before general ones, due to the
affects of match order on which rewrite rule is applied

Example 1
Regular Expression in URL match condition:

^/cgi/python/ustore/payment.html$

Replace URL:

/store/checkout

Example URL in client’s request:

/cgi/python/ustore/payment.html

Result:

/store/checkout

Example 2
Regular Expression in URL match condition:

URL Rewrite HowTo

^/ustore*$

Replace URL:

/store/view

Example URL in client’s request:

/ustore/viewItem.asp?id=1&img=2

Result:

/store/view

Example 3
Regular Expression in URL match condition:

/Wordpress/(.*)

Replace URL:

/blog/$0

Example URL in client’s request:

/wordpress/10/11/24

Result:

/blog/10/11/24

Example 4
Regular Expression in URL match condition:

/(.*)\.xml

Replace URL:

/$0

Example URL in client’s request:

/index.xml

Result:

URL Rewrite HowTo

/index

Appendix B: Example - Rewriting URLs using variables

Example.com has a web site that uses ASP, but the administrator wants it to appear that the
web site uses PHP. To do this, she configures a rule that changes any requested file's suffix
which is ".asp" into ".php".

The condition table contains two match conditions, in this order:

 The Host: may be anything.

 The request URL must end in “.asp”.

If both of those are true, the request is rewritten.

The administrator does not want to rewrite matching requests into a single URL. Instead, she
wants each rewritten URL to re-use parts of the original request.

To assemble the rewritten URL by re-using the original request’s file path and Host:, the
administrator uses two variables: $0 and $1. Each variable refers to a part of the original
request. The parts are determined by which capture group was matched in the Regular
Expression of each condition table object.

* $0: The text that matched the first capture group (.*). In this case, because the object is
the Host: field, the matching text is the host name, www.example.com.

* $1: The text that matched the second capture group, which is also (.*). In this case,
because the object is the request URL, the matching text is the file path, news/local.

Example 1
Example Request:

www.example.com

URL Rewriting Conditions:

HTTP Host: (.*)

Replacement:

Host: $0

Result:
URL Rewrite HowTo
www.example.com

Example 2
Example Request:

/news/local.asp

URL Rewriting Conditions:

HTTP URL: /(.*)\.asp

Replacement:

URL: $1.php

Result:

/news/local.php

All the evasion protections are built in, so we can protect most of these attacks
automatically, and the real attacks will be blocked and logged.

URL Rewrite HowTo