Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Handbook

Configuring an SQL/XSS Injection Detection policy

SQL/XSS Injection Detection policies detect SQL injection and cross-site scripting (XSS) attacks. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. In an SQL injection attack, attackers craft HTTP requests that cause SQL queries to be executed directly against the web application’s database. XSS injection attacks cause a web browser to execute a client-side script.

In contrast to signature-based detection, the WAF SQL and XSS injection detector module detects SQL and XSS injection through lexical analysis, which is a complementary method and is faster.

The policy enables/disables scanpoints, the action when traffic matches signatures, and the event severity.

You can enable detection in the following scanpoints:

  • SQL Injection: URI—Analyzes content in the URI.
  • SQL Injection: Referer—Analyzes content in the HTTP Referer header.
  • SQL Injection: Cookie—Analyzes content in the HTTP Cookie header.
  • SQL Injection: Body—Analyzes content in the HTTP request body.
  • XSS Injection: URI—Analyzes content in the URI.
  • XSS Detection: Referer—Analyzes content in the HTTP Referer header.
  • XSS Detection: Cookie—Analyzes content in the HTTP Cookie header.
  • XSS Detection: Body—Analyzes content in the HTTP request body.

Header scanning is recommended. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.

Predefined SQL injection and XSS detection policies describes the predefined policies.

Predefined SQL injection and XSS detection policies

  SQL Injection XSS
Predefined Rules Detection Action Severity Detection Action Severity

High-Level-Security

All except Body SQL Injection Detection

Deny

High

All except Body XSS Injection Detection

Deny

High

Medium-Level-Security

Only SQL URI SQL Injection Detection

Deny

High

None

Alert

Low

Alert-Only

Only SQL URI SQL Injection Detection

Alert

High

None

Alert

Low

If desired, you can create user-defined policies.

Before you begin:

  • You must have Read-Write permission for Security settings.

After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.

To configure an SQL/XSS Injection Detection policy:
  1. Go to Web Application Firewall > Common Attacks Detection.
  2. Click the SQL/XSS Injection Detection tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in SQL/XSS Injection Detection configuration.
  5. Save the configuration.

SQL/XSS Injection Detection configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

SQL

SQL Injection Detection

Enable/disable SQL injection detection.

URI Detection

Enable/disable detection in the HTTP request.

Referer Detection

Enable/disable detection in the Referer header.

Cookie Detection

Enable/disable detection in the Cookie header.

Body Detection

Enable/disable detection in the HTTP Body message.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, but we recommend you deny SQL Injection.

Severity

  • High—Log as high severity events.
  • Medium—Log as a medium severity events.
  • Low—Log as low severity events.

The default is low, but we recommend you rate this high or medium.

SQL Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
XSS

XSS Injection Detection

Enable/disable XSS injection detection.

URI Detection

Enable/disable detection in the HTTP request.

Referer Detection

Enable/disable detection in the Referer header.

Cookie Detection

Enable/disable detection in the Cookie header.

Body Detection

Enable/disable detection in the HTTP Body message.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, but we recommend you deny XSS Injection.

Severity

  • High—Log matches as high severity events.
  • Medium—Log matches as a medium severity events.
  • Low—Log matches as low severity events.

The default is low, but we recommend you rate this high or medium.

XSS Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

Configuring an SQL/XSS Injection Detection policy

SQL/XSS Injection Detection policies detect SQL injection and cross-site scripting (XSS) attacks. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. In an SQL injection attack, attackers craft HTTP requests that cause SQL queries to be executed directly against the web application’s database. XSS injection attacks cause a web browser to execute a client-side script.

In contrast to signature-based detection, the WAF SQL and XSS injection detector module detects SQL and XSS injection through lexical analysis, which is a complementary method and is faster.

The policy enables/disables scanpoints, the action when traffic matches signatures, and the event severity.

You can enable detection in the following scanpoints:

  • SQL Injection: URI—Analyzes content in the URI.
  • SQL Injection: Referer—Analyzes content in the HTTP Referer header.
  • SQL Injection: Cookie—Analyzes content in the HTTP Cookie header.
  • SQL Injection: Body—Analyzes content in the HTTP request body.
  • XSS Injection: URI—Analyzes content in the URI.
  • XSS Detection: Referer—Analyzes content in the HTTP Referer header.
  • XSS Detection: Cookie—Analyzes content in the HTTP Cookie header.
  • XSS Detection: Body—Analyzes content in the HTTP request body.

Header scanning is recommended. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency become an issue.

Predefined SQL injection and XSS detection policies describes the predefined policies.

Predefined SQL injection and XSS detection policies

  SQL Injection XSS
Predefined Rules Detection Action Severity Detection Action Severity

High-Level-Security

All except Body SQL Injection Detection

Deny

High

All except Body XSS Injection Detection

Deny

High

Medium-Level-Security

Only SQL URI SQL Injection Detection

Deny

High

None

Alert

Low

Alert-Only

Only SQL URI SQL Injection Detection

Alert

High

None

Alert

Low

If desired, you can create user-defined policies.

Before you begin:

  • You must have Read-Write permission for Security settings.

After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.

To configure an SQL/XSS Injection Detection policy:
  1. Go to Web Application Firewall > Common Attacks Detection.
  2. Click the SQL/XSS Injection Detection tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in SQL/XSS Injection Detection configuration.
  5. Save the configuration.

SQL/XSS Injection Detection configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

SQL

SQL Injection Detection

Enable/disable SQL injection detection.

URI Detection

Enable/disable detection in the HTTP request.

Referer Detection

Enable/disable detection in the Referer header.

Cookie Detection

Enable/disable detection in the Cookie header.

Body Detection

Enable/disable detection in the HTTP Body message.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, but we recommend you deny SQL Injection.

Severity

  • High—Log as high severity events.
  • Medium—Log as a medium severity events.
  • Low—Log as low severity events.

The default is low, but we recommend you rate this high or medium.

SQL Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
XSS

XSS Injection Detection

Enable/disable XSS injection detection.

URI Detection

Enable/disable detection in the HTTP request.

Referer Detection

Enable/disable detection in the Referer header.

Cookie Detection

Enable/disable detection in the Cookie header.

Body Detection

Enable/disable detection in the HTTP Body message.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, but we recommend you deny XSS Injection.

Severity

  • High—Log matches as high severity events.
  • Medium—Log matches as a medium severity events.
  • Low—Log matches as low severity events.

The default is low, but we recommend you rate this high or medium.

XSS Exception Name Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.