
Coverage

You can select or deselect OWASP Top 10 categories to use for vulnerability assessment during scanning. For each selected OWASP Top 10 category, you can enable specific Fuzzer modules (sub-categories) to fine-tune the scan to your requirements.

Asset Crawling Scope - Restricts crawling and scanning to URLs on the same host or the same domain as the target asset. Set the scope to Same Host or Same Domain; Same Host is the narrower of the two, since it excludes other hostnames under the same domain.

Note:

  • The following sub-categories are enabled by default and cannot be disabled:
    • A3 Sensitive Data Exposure - Information Disclosure and SSL Tests
    • A5 Broken Access Control - Forced Browsing
    • A6 Security Misconfiguration - CORS Misconfiguration, Security HTTP Headers, and Suspicious Domains
  • In the scan result data, the Exploit Engine and Forced Browsing configurations take precedence over the scan coverage configuration.

Scan Flag - Selects the type of scan: Quick Scan or Full Scan (default). The list below describes what each Fuzzer module does under each scan type.

Fuzzer Modules

Cross-Site Scripting, Server-Side Template Injection, Local/Remote File Inclusion, Open Redirection
  • Quick Scan: Uses a limited set of payloads.
  • Full Scan: Uses the full set of payloads.

Weak Form Password
  • Quick Scan: Uses a limited dictionary for brute-force checks.
  • Full Scan: Uses the full dictionary for brute-force checks.

Suspicious Domains
  • Quick Scan: At most 30 web domains are scanned for vulnerabilities.
  • Full Scan: All web domains found are scanned for vulnerabilities.

Information Disclosure
  • Quick Scan: Extracts information from static HTML and checks for banner-grabbing vulnerabilities.
  • Full Scan: Extracts information from static and rendered HTML, checks for banner-grabbing vulnerabilities, and runs regular-expression secret finders.

Security Headers, Cross-Origin Resource Sharing Misconfiguration
  • Quick and Full Scan: Employ the same scanning techniques.

Known Vulnerabilities
  • Detects components based on HTTP headers, HTML meta tags, HTML content, and script URLs. Additionally detects JavaScript components via their version functions.

Session Fixation
  • Quick Scan: Uses the HTTP library to set cookies in the request and analyzes whether the response carries a Set-Cookie header.
  • Full Scan: Uses Chromedp to set cookies in the browser and analyzes their values after the response is received. Also checks the HttpOnly flag on the session cookie.

SSL/TLS Tests
  • Quick and Full Scan: Employ the same scanning techniques.

URL Session Token
  • Full Scan uses better thresholds than Quick Scan.

NoSQL Injection
  • Quick Scan: Uses a basic form scan, delay checks, and database error checks.
  • Full Scan: Uses a full payload scan, delay checks, and database error checks.

XML External Entity (XXE) Injection
  • Full Scan detects blind XXE (Quick Scan does not).

LDAP Injection
  • Quick Scan: Checks error messages.
  • Full Scan: Checks error messages and performs boolean-based checking.

Weak Ciphers
  • Quick Scan: Runs a few checks for bad bulk ciphers only.
  • Full Scan: Runs all checks for weak algorithms (ciphers, key exchanges, and hashes).

Path Traversal
  • Quick Scan: Uses plain dot-slash (../) pair checks.
  • Full Scan: Uses encoded dot-slash pair checks.

Remote Command Execution
  • Quick Scan: Uses echo commands.
  • Full Scan: Uses echo, cat, type, wget, and curl commands.

XPath Injection
  • Quick and Full Scan: Employ the same scanning techniques.

SQL Injection, ORM Injection
  • Quick Scan: Processes a maximum of 100 requests; boolean-based blind SQL injection.
  • Full Scan: Processes an unlimited number of requests; boolean-based and time-based blind SQL injection.

Expression Language (EL) / Object Graph Navigation Library (OGNL) Injection
  • Quick Scan: Detects by computing the product of two random numbers.
  • Full Scan: Detects by computing the product of two random numbers, detects blind injection, and detects escalation of the vulnerability to RCE.

IDOR
  • Quick Scan: NA
  • Full Scan: Verifies broken access control between two logged-in credentials. Asynchronous (fetch, XHR) POST requests with parameters and API calls must be accessible only by the session that authorized the original request.

Mitigation against brute force attacks
  • Detects whether the target has protection against brute-force attacks.

Lack of session invalidation upon logout and session timeout
  • Detects insufficient inactivity session expiration (checked against an idle timeout of 15 minutes) and insufficient session invalidation on user logout (the logout function must invalidate the user session).

ACM
  • Quick Scan: NA
  • Full Scan: Validates whether the SSTI vulnerabilities identified in an asset can lead to RCE.

Unrestricted file upload
  • Quick Scan: Uploads files with different extensions to the target web server, using fewer payloads.
  • Full Scan: Uploads files with different extensions to the target web server, using additional payloads.

HTTP request smuggling
  • Quick Scan: Uses Content-Length and Transfer-Encoding variant payloads.
  • Full Scan: Uses additional variant payloads.

Excessive authentication attempts
  • Brute-forces the login by continuously sending random usernames and passwords to test for improper restriction of excessive authentication attempts.

Authentication bypass, Web cache poisoning
  • Quick Scan: Tests using simple HTTP requests.
  • Full Scan: Tests using the Google Chrome browser.

Code injection
  • Quick Scan: Scans form and query parameters via the Go HTTP client.
  • Full Scan: Scans header, cookie, form, and query parameters via the Google Chrome browser.
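The EL/OGNL entry says detection works by "computing the product of two random numbers". The following Go program is an added example written for this page, not the scanner's own code: it sends `${a*b}`-style probes in a query parameter and counts a hit only when the response contains the product as a standalone number and no longer contains the raw payload, which rules out pages that merely reflect the input. The two handlers, the `/greet` path and the `q` parameter are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html"
	"io"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Probe templates filled with two random factors. Each covers one expression
// syntax; "%%" is a literal percent sign after Sprintf (OGNL's %{...}).
var elTemplates = []string{
	"${%d*%d}",  // JSP EL / Spring SpEL
	"%%{%d*%d}", // OGNL (Struts)
	"#{%d*%d}",  // JSF EL
	"{{%d*%d}}", // Jinja/Twig-style template engines
}

// ProbeResult is the verdict for one payload.
type ProbeResult struct {
	Payload string
	Product int
	Vuln    bool
}

// ProbeEL sends each template through query parameter param. A payload counts
// as a hit only if the response contains the product as a standalone number
// and no longer contains the raw payload: a page that merely reflects
// "${7*7}" is not evaluating it.
func ProbeEL(client *http.Client, target, param string, a, b int) []ProbeResult {
	product := a * b
	productRe := regexp.MustCompile(`(^|[^0-9])` + strconv.Itoa(product) + `([^0-9]|$)`)
	var results []ProbeResult
	for _, tmpl := range elTemplates {
		payload := fmt.Sprintf(tmpl, a, b)
		res := ProbeResult{Payload: payload, Product: product}
		resp, err := client.Get(target + "?" + param + "=" + url.QueryEscape(payload))
		if err == nil {
			body, _ := io.ReadAll(resp.Body)
			resp.Body.Close()
			s := string(body)
			res.Vuln = productRe.MatchString(s) && !strings.Contains(s, payload)
		}
		results = append(results, res)
	}
	return results
}

// CountHits returns the number of payloads flagged as evaluated.
func CountHits(rs []ProbeResult) int {
	n := 0
	for _, r := range rs {
		if r.Vuln {
			n++
		}
	}
	return n
}

// Constructed target: evaluates ${x*y} and %{x*y} found in user input, the
// way a vulnerable Java app passing input to an EL/OGNL evaluator would.
var evalRe = regexp.MustCompile(`[$%]\{(\d+)\*(\d+)\}`)

func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	out := evalRe.ReplaceAllStringFunc(r.URL.Query().Get("q"), func(m string) string {
		sub := evalRe.FindStringSubmatch(m)
		x, _ := strconv.Atoi(sub[1])
		y, _ := strconv.Atoi(sub[2])
		return strconv.Itoa(x * y)
	})
	fmt.Fprintf(w, "<p>Hello %s</p>", out)
}

// Constructed safe target: escapes and echoes input, never evaluates it.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "<p>Hello %s</p>", html.EscapeString(r.URL.Query().Get("q")))
}

// RunAgainst starts an in-process server for h and probes it with fixed factors.
func RunAgainst(h http.HandlerFunc, a, b int) []ProbeResult {
	srv := httptest.NewServer(h)
	defer srv.Close()
	return ProbeEL(srv.Client(), srv.URL+"/greet", "q", a, b)
}

func main() {
	// Four-digit factors give a seven- or eight-digit product that will not
	// appear in a page by coincidence.
	a, b := 1000+rand.Intn(9000), 1000+rand.Intn(9000)
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableHandler, "safe": safeHandler} {
		for _, r := range RunAgainst(h, a, b) {
			fmt.Printf("%-10s %-14s evaluated=%v\n", name, r.Payload, r.Vuln)
		}
	}
}
```

Against the vulnerable handler only the `${...}` and `%{...}` probes are flagged; the `#{...}` and `{{...}}` probes come back reflected, not evaluated, so they stay negative, as does every probe against the safe handler. The reflection check is the part worth keeping when writing your own probes: without it, a search page that echoes the query would be reported as evaluating it.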
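The Session Fixation entry describes setting a cookie on the request and examining the Set-Cookie in the response, plus the HttpOnly check in Full Scan. This Go program is an added example, not the scanner's code: it plants an attacker-chosen `SESSIONID` on a login request and reports whether the server re-issued a fresh id, whether that id is HttpOnly, and whether the planted value survived authentication. The `/login` endpoint, the cookie name, the in-memory session map and the two handlers are all constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const sessionCookie = "SESSIONID"

// Finding is the verdict for one login endpoint.
type Finding struct {
	Regenerated bool // the login response issued a session id different from the planted one
	HttpOnly    bool // the issued cookie carries the HttpOnly flag
	Fixation    bool // the attacker-chosen id is still the session after login
}

// newID returns 128 random bits as hex (error from crypto/rand ignored for brevity).
func newID() string {
	b := make([]byte, 16)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// CheckSessionFixation presents a planted session cookie on the login request
// and inspects the login response's Set-Cookie for the same name.
func CheckSessionFixation(client *http.Client, loginURL string) (Finding, error) {
	planted := "attacker-" + newID()
	req, err := http.NewRequest(http.MethodPost, loginURL, strings.NewReader("user=alice&pass=correct-horse"))
	if err != nil {
		return Finding{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.AddCookie(&http.Cookie{Name: sessionCookie, Value: planted})
	// Inspect the login response itself, not the page a redirect would lead to.
	c := *client
	c.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	resp, err := c.Do(req)
	if err != nil {
		return Finding{}, err
	}
	resp.Body.Close()
	for _, ck := range resp.Cookies() {
		if ck.Name == sessionCookie {
			return Finding{Regenerated: ck.Value != planted, HttpOnly: ck.HttpOnly, Fixation: ck.Value == planted}, nil
		}
	}
	// No Set-Cookie at all: the planted id is now the authenticated session.
	return Finding{Fixation: true}, nil
}

// sessions is a constructed in-memory store: session id -> user.
var sessions = map[string]string{}

// vulnerableLogin keeps whatever session id the client presented and promotes it
// to an authenticated session, and sets no HttpOnly flag when it does issue one.
func vulnerableLogin(w http.ResponseWriter, r *http.Request) {
	if ck, err := r.Cookie(sessionCookie); err == nil {
		sessions[ck.Value] = "alice" // BUG: attacker-chosen id becomes alice's session
		fmt.Fprint(w, "welcome alice")
		return
	}
	id := newID()
	sessions[id] = "alice"
	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: id, Path: "/"})
	fmt.Fprint(w, "welcome alice")
}

// hardenedLogin discards any pre-login session and always issues a fresh,
// HttpOnly, Secure cookie after successful authentication.
func hardenedLogin(w http.ResponseWriter, r *http.Request) {
	if ck, err := r.Cookie(sessionCookie); err == nil {
		delete(sessions, ck.Value)
	}
	id := newID()
	sessions[id] = "alice"
	http.SetCookie(w, &http.Cookie{
		Name: sessionCookie, Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	fmt.Fprint(w, "welcome alice")
}

// Run starts an in-process server for h and checks its login endpoint.
func Run(h http.HandlerFunc) (Finding, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	return CheckSessionFixation(srv.Client(), srv.URL+"/login")
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableLogin, "hardened": hardenedLogin} {
		f, err := Run(h)
		fmt.Printf("%-10s %+v err=%v\n", name, f, err)
	}
}
```

The check deliberately disables redirect following: many login handlers answer with a 302, and the Set-Cookie that matters is on that 302, not on the page it redirects to. Note that the check cannot tell from one response whether a server that re-issues a cookie also invalidated the planted id server-side; confirming that needs a second request that presents only the planted value.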
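The Path Traversal entry is the clearest Quick-versus-Full difference on the page: plain `../` pairs versus encoded ones. This Go program is an added example, not the scanner's code, showing why the encoded set matters. Its constructed target applies a naive `../` filter to the once-decoded parameter and then decodes again before building the path, so only double-encoded payloads get through; a hardened handler that decodes once and checks the resolved path stays under the document root is shown beside it. The `/download` path, the `file` parameter and the in-memory file map are all constructed; nothing touches the real disk.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

const docRoot = "/var/www/files"

// Constructed in-memory "filesystem"; the passwd line is a canary, not real data.
var fakeFS = map[string]string{
	docRoot + "/readme.txt": "public readme\n",
	"/etc/passwd":           "root:x:0:0:root:/root:/bin/sh\n",
}

// Quick Scan only tries plain dot-slash pairs.
var plainUnits = []string{"../"}

// Full Scan also tries encoded pairs. The last two are double-encoded, which is
// what slips past a filter that runs before the application's own decoding.
var encodedUnits = []string{"..%2f", "%2e%2e/", "%2e%2e%2f", "..%252f", "%252e%252e%252f"}

// Payloads repeats each traversal unit depth times and appends the target file.
func Payloads(units []string, depth int, file string) []string {
	var out []string
	for _, u := range units {
		out = append(out, strings.Repeat(u, depth)+file)
	}
	return out
}

// filteredHandler models a common mistake: strip "../" from the already
// once-decoded parameter, then decode it AGAIN before building the path.
func filteredHandler(w http.ResponseWriter, r *http.Request) {
	cleaned := strings.ReplaceAll(r.URL.Query().Get("file"), "../", "")
	decoded, _ := url.PathUnescape(cleaned) // second decode reintroduces "../"
	serve(w, path.Join(docRoot, decoded))
}

// hardenedHandler decodes exactly once (the framework's query decoding), joins,
// and refuses any path that resolved outside docRoot.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	p := path.Join(docRoot, r.URL.Query().Get("file"))
	if !strings.HasPrefix(p, docRoot+"/") {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	serve(w, p)
}

func serve(w http.ResponseWriter, p string) {
	if body, ok := fakeFS[p]; ok {
		io.WriteString(w, body)
		return
	}
	http.Error(w, "not found", http.StatusNotFound)
}

// Scan sends each payload as-is (they are already encoded as intended) and
// returns those whose response carries the canary from the out-of-root file.
func Scan(client *http.Client, target string, payloads []string) []string {
	var hits []string
	for _, p := range payloads {
		resp, err := client.Get(target + "?file=" + p)
		if err != nil {
			continue
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		if bytes.Contains(body, []byte("root:x:0:0")) {
			hits = append(hits, p)
		}
	}
	return hits
}

// RunScan starts an in-process server for h and scans it with the given units.
func RunScan(h http.HandlerFunc, units []string) []string {
	srv := httptest.NewServer(h)
	defer srv.Close()
	return Scan(srv.Client(), srv.URL+"/download", Payloads(units, 3, "etc/passwd"))
}

func main() {
	fmt.Println("filtered, quick:", RunScan(filteredHandler, plainUnits))
	fmt.Println("filtered, full: ", RunScan(filteredHandler, encodedUnits))
	fmt.Println("hardened, full: ", RunScan(hardenedHandler, encodedUnits))
}
```

The plain payloads are stripped by the filter and never reach `/etc/passwd`, so a Quick Scan reports nothing; the two double-encoded payloads survive the filter, get decoded a second time, and read the canary, so only the Full Scan set finds the flaw. The hardened handler rejects every variant because it validates the resolved path rather than the input string.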
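The HTTP request smuggling entry mentions Content-Length and Transfer-Encoding variant payloads. This Go program is an added example, not the scanner's code: instead of sending anything, it frames one raw request the way a Content-Length parser would and the way a chunked parser would, and reports a desync when the two disagree about where the request ends. The classic CL.TE and TE.CL probe layouts it builds are the standard ones; the host name and the smuggled request prefix are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Framing records how one HTTP/1.1 body parser splits a raw request: the bytes
// it treats as this request's body and what it leaves on the connection to be
// read as the start of the NEXT request.
type Framing struct {
	Consumed []byte
	Leftover []byte
}

// splitRequest separates the header block from the body and lowercases header names.
func splitRequest(raw []byte) (map[string]string, []byte, error) {
	i := bytes.Index(raw, []byte("\r\n\r\n"))
	if i < 0 {
		return nil, nil, errors.New("no end of headers")
	}
	h := map[string]string{}
	for _, line := range strings.Split(string(raw[:i]), "\r\n")[1:] { // skip request line
		if k, v, ok := strings.Cut(line, ":"); ok {
			h[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return h, raw[i+4:], nil
}

// FrameByContentLength frames the body the way a server honouring Content-Length does.
func FrameByContentLength(raw []byte) (Framing, error) {
	h, body, err := splitRequest(raw)
	if err != nil {
		return Framing{}, err
	}
	n, err := strconv.Atoi(h["content-length"])
	if err != nil || n < 0 || n > len(body) {
		return Framing{}, errors.New("bad or truncated Content-Length")
	}
	return Framing{Consumed: body[:n], Leftover: body[n:]}, nil
}

// FrameByChunked frames the body the way a server honouring Transfer-Encoding: chunked does.
func FrameByChunked(raw []byte) (Framing, error) {
	h, body, err := splitRequest(raw)
	if err != nil {
		return Framing{}, err
	}
	if !strings.EqualFold(h["transfer-encoding"], "chunked") {
		return Framing{}, errors.New("not chunked")
	}
	pos := 0
	for {
		nl := bytes.Index(body[pos:], []byte("\r\n"))
		if nl < 0 {
			return Framing{}, errors.New("truncated chunk-size line")
		}
		sizeStr, _, _ := strings.Cut(string(body[pos:pos+nl]), ";") // drop chunk extensions
		size, err := strconv.ParseUint(strings.TrimSpace(sizeStr), 16, 32)
		if err != nil {
			return Framing{}, err
		}
		pos += nl + 2
		if size == 0 { // last chunk; this example expects no trailers
			if !bytes.HasPrefix(body[pos:], []byte("\r\n")) {
				return Framing{}, errors.New("missing final CRLF")
			}
			pos += 2
			return Framing{Consumed: body[:pos], Leftover: body[pos:]}, nil
		}
		if pos+int(size)+2 > len(body) {
			return Framing{}, errors.New("truncated chunk data")
		}
		pos += int(size) + 2
	}
}

// Desync returns true when the two framings disagree on where the request
// ends, together with the bytes the "slower" parser would prepend to the next
// request on the connection.
func Desync(raw []byte) (bool, []byte) {
	cl, err1 := FrameByContentLength(raw)
	te, err2 := FrameByChunked(raw)
	if err1 != nil || err2 != nil || bytes.Equal(cl.Leftover, te.Leftover) {
		return false, nil
	}
	if len(te.Leftover) > 0 {
		return true, te.Leftover // CL.TE: the chunked back end sees the leftover
	}
	return true, cl.Leftover // TE.CL: the Content-Length back end sees it
}

// BuildCLTEProbe: Content-Length covers the whole body; chunked framing stops at "0\r\n\r\n".
func BuildCLTEProbe(host, smuggled string) []byte {
	body := "0\r\n\r\n" + smuggled
	return []byte(fmt.Sprintf("POST / HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n%s", host, len(body), body))
}

// BuildTECLProbe: Content-Length covers only the chunk-size line; chunked framing consumes everything.
func BuildTECLProbe(host, smuggled string) []byte {
	sizeLine := fmt.Sprintf("%x\r\n", len(smuggled))
	body := sizeLine + smuggled + "\r\n0\r\n\r\n"
	return []byte(fmt.Sprintf("POST / HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n%s", host, len(sizeLine), body))
}

func main() {
	smuggled := "GET /admin HTTP/1.1\r\nX-Smuggled: "
	for name, probe := range map[string][]byte{"CL.TE": BuildCLTEProbe("target.example", smuggled), "TE.CL": BuildTECLProbe("target.example", smuggled)} {
		ok, left := Desync(probe)
		fmt.Printf("%s desync=%v leftover=%q\n", name, ok, left)
	}
}
```

The leftover returned for the CL.TE probe is exactly the smuggled prefix: a front end that trusts Content-Length forwards all of it, and a back end that trusts chunked encoding stops early and treats the remainder as the opening of the next request. The "variant payloads" the page refers to exist because real front ends and back ends disagree about obfuscated headers (for example extra whitespace or a different case in `Transfer-Encoding`); the framing logic above is what each variant is trying to provoke.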
