Section – Form Protection

The form protection mechanism is based on an innovative technology by Airlock Gateway. Because it takes advantage of strong cryptographic algorithms, Airlock Gateway does not need to store information about valid form inputs or hidden fields. The Airlock Gateway form protection mechanism is therefore very efficient and flexible. For smart form protection to work, URL encryption must be enabled.

In addition to URL Encryption, it is possible to sign, and therefore protect, all form information of an application. To activate Form Protection within Airlock, it is necessary to activate the URL encryption mode (PBE or session-based) first.

Smart Form Protection

  • Enables the innovative and patent-pending smart form protection technology that dynamically protects HTML forms.
  • When this option is activated, Airlock Gateway will only allow user input parameters that match the meta constraints given by the original HTML form.
  • Using this technology greatly improves the protection against forceful browsing attacks. Users can only return form parameters to the server that were originally requested by the server. Attackers cannot add other parameters to manipulate the back-end application.

Protect from parameter values

  • This option enables the protection of form parameter values where applicable.
  • Attackers cannot modify hidden fields anymore, send illegal option values or send oversized input. Only parameter values that were offered by the application server are accepted.
  • Also, certain meta constraints given by the HTML form source code are enforced (such as the maxlength attribute of input fields).
  • Example:
    If an application provides an HTML form where a user can enter the amount and e.g. select the currency to create an electronic payment, the user will not be able to send any other parameters or send a currency that is not in the offered option list. All constraints are strictly enforced by Airlock Gateway. The back-end application will only get requests and user input data that it actually requested.

Form Protection Field Name Exception Pattern

  • If form fields are changed or added by client-side JavaScript, the form submission is blocked because Airlock Gateway suspects malicious intention.
  • To make such forms work, define one or more name patterns matching the form fields. A form field matching one of these patterns will then no longer be protected.
  • Since the exception pattern is a normal regular expression, it is also possible to use logical operators like "|" (as a logical OR).
  • Examples:
    ^(exception_field1|exception_field2)$
    ^(exception_field[12]{1}|exception3|onemore_exception)$
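As an added illustration, not Airlock Gateway's own code, the following Python model shows the stateless idea behind smart form protection and the field name exception pattern: the constraints of a served form (allowed parameters, option lists, maxlength, hidden field values) are serialised and authenticated with an HMAC instead of being stored, and a submission is then checked against that token. The key, the payment form and the parameter names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo key; a real gateway would use its own configured secret.
SECRET = b"constructed-demo-key"

def sign_form(fields):
    """Encode the form's constraints and MAC them, so the server keeps no per-form state."""
    payload = json.dumps(fields, sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()

def verify_token(token):
    """Return the constraints if the MAC is valid, else None (tampered or forged token)."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError):
        return None
    payload, mac = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if len(mac) != 32 or not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)

def check_submission(token, params, exception_patterns=()):
    """Accept only parameters the form offered, within the constraints it declared."""
    fields = verify_token(token)
    if fields is None:
        return False, "invalid form token"
    exempt = [re.compile(p) for p in exception_patterns]
    for name, value in params.items():
        if any(p.search(name) for p in exempt):
            continue  # matches a field name exception pattern: not protected
        spec = fields.get(name)
        if spec is None:
            return False, f"unexpected parameter: {name}"
        if "fixed" in spec and value != spec["fixed"]:
            return False, f"hidden field modified: {name}"
        if "options" in spec and value not in spec["options"]:
            return False, f"value not in offered option list: {name}"
        if "maxlength" in spec and len(value) > spec["maxlength"]:
            return False, f"oversized input: {name}"
    return True, "ok"

# Constructed payment form: amount text field, currency select, hidden account field.
PAYMENT_FORM = {
    "amount": {"maxlength": 10},
    "currency": {"options": ["CHF", "EUR", "USD"]},
    "account": {"fixed": "CH-0001"},
}
```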