Web Vulnerability Scanner
From the Web Application Firewall > Web Vulnerability Scanner sub-menu, you can access a set of automated tools that perform black-box tests on web applications, looking for security vulnerabilities such as cross-site scripting, SQL injection, command injection, source code disclosure and insecure server configuration.
Scanner
The figure shows the scanner plug-in, which is configurable from the UI or the CLI. The user can select which types of vulnerabilities are included in each scan. There are 5 types of signatures in the scanner:
- The mime signatures warn about server responses that have an interesting MIME type. For example, anything that is presented as php-source will likely be interesting.
- The files signatures use the content of a response to determine whether it is an interesting file. For example, an SVN file.
- The messages signatures look for interesting server messages. Most are based on errors, such as those caused by incorrect SQL queries or PHP execution failures.
- The apps signatures help to find pages and applications whose functionality is a security risk by default. For example, phpinfo() pages that leak information, or CMS admin interfaces.
- The context signatures are linked to injection tests. They look for strings that are relevant to the current injection test and help to highlight potential vulnerabilities.
A report is generated after a web vulnerability scan completes. FortiADC then generates a WAF profile based on the results in the scan report. For example, if the scan report detects an SQL injection vulnerability, a WAF profile containing SQL/XSS Injection Detection settings is generated and attached to the VIP to protect the real servers behind the virtual server (VS).
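As an added illustration of how the five signature types feed a scan report and the WAF profile derived from it (example code written for this page, not FortiADC's own implementation; the sample responses, the signature patterns, the finding names and the WAF setting names are all assumptions):

```python
import re
# Constructed sample responses (illustrative, not real scanner output); "injected"
# is the marker the scanner sent for a context (injection) test.
SAMPLE_RESPONSES = [
    {"url": "/index.php.bak", "mime": "application/x-httpd-php-source", "body": "<?php echo 1; ?>"},
    {"url": "/.svn/entries", "mime": "text/plain", "body": "10\n\ndir\n42\nhttp://svn.example/repo"},
    {"url": "/item?id=1'", "mime": "text/html", "body": "You have an error in your SQL syntax"},
    {"url": "/phpinfo.php", "mime": "text/html", "body": "<title>phpinfo()</title>"},
    {"url": "/search?q=<wvs>", "mime": "text/html", "body": "Results for <wvs>", "injected": "<wvs>"},
    {"url": "/", "mime": "text/html", "body": "<html>Welcome</html>"},
]

# Illustrative patterns for four of the signature types (assumed, not FortiADC's own).
SIGNATURES = {
    "mime": ("mime", [r"php-source"]),                    # interesting Content-Type
    "files": ("body", [r"^\d+\n\ndir\n"]),                # layout of an SVN 'entries' file
    "messages": ("body", [r"error in your SQL syntax"]),  # database error message
    "apps": ("body", [r"<title>phpinfo\(\)</title>"]),    # page that is risky by default
}

def classify(resp):
    """Return the signature types that fire on one response."""
    hits = [sig for sig, (field, pats) in SIGNATURES.items()
            if any(re.search(p, resp[field], re.MULTILINE) for p in pats)]
    # Context signature: the injected marker came back unmodified in the body.
    if resp.get("injected") and resp["injected"] in resp["body"]:
        hits.append("context")
    return hits

# Finding category derived from each signature type (assumed mapping).
FINDING_BY_SIGNATURE = {"mime": "source_code_disclosure", "files": "source_code_disclosure",
                        "messages": "sql_injection", "apps": "insecure_server_configuration",
                        "context": "cross_site_scripting"}

def scan_report(responses):
    """Summarise findings the way a scan report would: finding type -> affected URLs."""
    report = {}
    for resp in responses:
        for sig in classify(resp):
            report.setdefault(FINDING_BY_SIGNATURE[sig], []).append(resp["url"])
    return report

def waf_profile_from_report(report):
    """Derive WAF protections from the report (setting names are illustrative)."""
    found = set(report)
    return {
        "sql_xss_injection_detection": bool(found & {"sql_injection", "cross_site_scripting"}),
        "information_leakage_detection": bool(found & {"source_code_disclosure", "insecure_server_configuration"}),
    }
```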
WVS Task
Configuring WVS Task
1. Go to Web Application Firewall > Web Vulnerability Scanner.
2. By default you will land on the WVS Task tab.
3. Click Create New at the top right. A dialogue box opens. See the figure WVS Task dialogue below.
4. Complete the configuration as described in the table below.
5. Save the configuration.
6. Choose the WVS Task to run by clicking the diamond in its row. The diamond turns into a square while the task scans, and the Task Status reads "Scanning...", "In Queue" or "Stopped." See the figure Run/Stop below.
7. A report is generated: the WVS tool summarizes the results in HTML format, zips them and stores the archive on the hard disk. See Scan History.
Notes
- Only one task can run at a time. If multiple tasks are started, the others are added to the task queue and wait to run. See the figure Status below.
- If a task is already running, it cannot be triggered again.
- A WVS task only works for an IPv4 pool. IPv6 is not supported.
- The scan is sent to the port configured on the pool member.
- If the pool member health check fails, the scan is still attempted.
- No scan is sent when:
  - there is no pool member;
  - the pool member port is 0;
  - the pool member status is disable/maintain.
- The number of tasks is limited to 50.
- HTTP/2 is not supported.
- In an HA deployment, only the primary unit can start a scan; the scan is triggered only if the unit is the primary.
- Crawl limit: if the pool referenced by a task contains multiple real servers, the crawl limit is divided among all the real servers. For example, with a crawl limit of 3000 and 3 servers, the ADC sends 1000 requests to each server.
Settings | Guidelines |
---|---|
Name | Configuration name. Valid characters are After you initially save the configuration, you cannot edit the name. |
Scheduler | Select a scheduler from the schedule group. To configure a scheduler, go to Shared Resources > Schedule Group. See Schedule Group. |
Profile | Select a profile. Profiles are configured under WVS Profile, the tab to the right of WVS Task. See Configuring a WVS Profile. |
Settings | Guidelines |
---|---|
Name | Name of the task. |
Task Action | Square—Task Status "Scanning...": this task is being scanned. Blank—Task Status "In Queue": waiting to be scanned. Diamond—Task Status "Stopped." |
Report Created Time | Time the task was created. |
 | Edit, Delete, Clone |