Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiDAST 23.3.0 User Guide
    23.3.0
    24.3.a
    24.3.0
    24.2.0
    24.1.0
    23.4.0
    23.3.a
    23.3.0
    23.2.0
    23.1.a
    23.1.0

    Coverage

    Coverage

    You can select/deselect OWASP Top 10 categories of your choice to use for vulnerability assessment during scanning. For each of the selected OWASP 10 category, you can enable specific Fuzzer modules/sub-categories to fine tune the scan as per your network requirements.

    Asset Crawling Scope- This feature crawls and scans only those URLs that are on the same domain/host as the target asset. Specify the scope of crawling URLs for the target asset whether on the Same Host or Same Domain.

    Note:

    • The following sub-categories are enabled by default. This setting cannot be modified.
      • A3 Sensitive Data Exposure - Information Disclosure and SSL Tests
      • A5 Broken Access Control - Forced Browsing
      • A6 Security Misconfiguration - CORS Misconfiguration, Security HTTP Headers, and Suspicious Domains
    • The Exploit Engine and Forced Browsing configurations override the scan coverage configurations in the scan result data.

    Scan Flag - Configures the type of scan, Quick Scan or Full Scan (default).

    Fuzzer Modules

    Quick Scan

    Full Scan

    Cross-Site Scripting

    		 Uses a limited set of payloads.

    Uses the full set of payloads.

    Server-Side Template Injection

    Local/Remote File Inclusion

    Open Redirection

    Weak Form Password

    Uses limited dictionary for brute force vulnerabilities.

    Uses full dictionary for brute force vulnerabilities.

    Suspicious Domains

    <= 30 web domains are scanned for vulnerabilities.

    All web domains found are scanned for vulnerabilities.

    Information Disclosure

    Extracts information on static HTML and scans for banner grabbing vulnerabilities.

    Extracts information on static and rendered HTML, scans for banner grabbing vulnerabilities and secret finders using regular expressions.

    Security Headers

    Employs same scanning techniques for both quick and full scan.

    Cross-Origin Resource Sharing Misconfiguration

    Known Vulnerabilities

    		 Detects components based on HTTP headers, HTML meta tags, HTML content, and script URLs. Additional detection of JavaScript components via their version functions.

    Session Fixation

    Uses HTTP library to set cookies in the request and analyze if there is a set-sookie in the response.

    Uses Chromedp to set cookies in the browser and analyze its values after the request is received. Performs HTTPonly flag check for the session cookie.

    SSL/TLS Tests

    Employs same scanning techniques for both quick and full scan.

    URL Session Token

    Full scan uses better thresholds than quick scan.

    NoSQL Injection

    Uses basic form scan, delay checks, and database error checks.

    Uses full payload scan, delay checks, and database error checks.

    XML external entity (XXE) injection

    Full scan detects blind vulnerabilities.

    LDAP Injection

    Checks error messages.

    Checks error messages and performs boolean based checking.

    Weak Ciphers

    Uses a few checks for bad bulk ciphers only.

    Uses all checks for weak algorithms (ciphers-key exchanges-hashes)

    Path Traversal

    Uses simple dot-slash pair checks.

    Uses encoded dot-slash pairs checks.

    Remote Command Execution

    Uses echo commands.

    Uses echo, cat, type, wget, and curl commands.

    XPATH Injection

    Employs same scanning techniques for both quick and full scan.

    SQL Injection

    Processes a maximum of 100 requests.

    Boolean based blind SQL Injection

    Processes unlimited requests.

    Boolean and time based blind SQL Injection

    ORM Injection -

    Processes a maximum of 100 requests.

    Boolean based blind SQL Injection

    Processes unlimited requests.

    Boolean and time based blind SQL Injection

    Expression Language (EL) / Object Graph Navigation Library (OGNL) Injection

    Detects by computing the product of two random numbers.

    Detects by computing the product of two random numbers.

    Detects blind injection.

    Detects escalation of vulnerability to RCE.

    IDOR

    NA

    Verifies broken access control between two logged-in credentials.

    Asynchronous (fetch, XHR) POST requests with parameters and API calls must be accessible only by the session authorizing the original request.

    Migitation against brute force attacks

    Detects if the target has a protection for brute-force attacks.

    Lack of session invalidation upon logout and session timeout

    Detects insufficient inactivity session expiration (idle timeout of 15 minutes) and insufficient session invalidation on user logout (user logout function invalidates user session).

    ACM

    NA

    Validates if the SSTI vulnerabilities identified in an asset can lead to RCE attacks.

    Unrestricted file upload

    Uploads different file extensions to the target web server with less payloads.

    Uploads different file extensions to the target web server with additional payloads.

    HTTP request smuggling

    Content-Length and Transfer-Encoding variant payloads are used for scanning.

    Additional variant payloads are used for scanning.

    Excessive authentication attempts

    Uses brute force by continuously sending random usernames and passwords to scans for improper restriction of excessive authentication attempts.

    Authentication bypass

    Detects malicious attacks using simple HTTP request.

    Detects malicious attacks using the Google Chrome browser.

    Web cache poisoning

    Detects malicious attacks using simple HTTP request.

    Detects malicious attacks using the Google Chrome browser.

    Code injection

    Scans form and query via the golang HTTP client.

    Scans header, cookie, form and query via Google Chrome browser..

    Malware detection

    Employs same scanning techniques for both quick and full scan.

    Clickjacking

    Scans for x-frame-options.

    Target is loaded in an iframe.
    Previous
    Next

    Coverage

    Coverage

    You can select/deselect OWASP Top 10 categories of your choice to use for vulnerability assessment during scanning. For each of the selected OWASP 10 category, you can enable specific Fuzzer modules/sub-categories to fine tune the scan as per your network requirements.

    Asset Crawling Scope- This feature crawls and scans only those URLs that are on the same domain/host as the target asset. Specify the scope of crawling URLs for the target asset whether on the Same Host or Same Domain.

    Note:

    • The following sub-categories are enabled by default. This setting cannot be modified.
      • A3 Sensitive Data Exposure - Information Disclosure and SSL Tests
      • A5 Broken Access Control - Forced Browsing
      • A6 Security Misconfiguration - CORS Misconfiguration, Security HTTP Headers, and Suspicious Domains
    • The Exploit Engine and Forced Browsing configurations override the scan coverage configurations in the scan result data.

    Scan Flag - Configures the type of scan, Quick Scan or Full Scan (default).

    Fuzzer Modules

    Quick Scan

    Full Scan

    Cross-Site Scripting

    		 Uses a limited set of payloads.

    Uses the full set of payloads.

    Server-Side Template Injection

    Local/Remote File Inclusion

    Open Redirection

    Weak Form Password

    Uses limited dictionary for brute force vulnerabilities.

    Uses full dictionary for brute force vulnerabilities.

    Suspicious Domains

    <= 30 web domains are scanned for vulnerabilities.

    All web domains found are scanned for vulnerabilities.

    Information Disclosure

    Extracts information on static HTML and scans for banner grabbing vulnerabilities.

    Extracts information on static and rendered HTML, scans for banner grabbing vulnerabilities and secret finders using regular expressions.

    Security Headers

    Employs same scanning techniques for both quick and full scan.

    Cross-Origin Resource Sharing Misconfiguration

    Known Vulnerabilities

    		 Detects components based on HTTP headers, HTML meta tags, HTML content, and script URLs. Additional detection of JavaScript components via their version functions.

    Session Fixation

    Uses HTTP library to set cookies in the request and analyze if there is a set-sookie in the response.

    Uses Chromedp to set cookies in the browser and analyze its values after the request is received. Performs HTTPonly flag check for the session cookie.

    SSL/TLS Tests

    Employs same scanning techniques for both quick and full scan.

    URL Session Token

    Full scan uses better thresholds than quick scan.

    NoSQL Injection

    Uses basic form scan, delay checks, and database error checks.

    Uses full payload scan, delay checks, and database error checks.

    XML external entity (XXE) injection

    Full scan detects blind vulnerabilities.

    LDAP Injection

    Checks error messages.

    Checks error messages and performs boolean based checking.

    Weak Ciphers

    Uses a few checks for bad bulk ciphers only.

    Uses all checks for weak algorithms (ciphers-key exchanges-hashes)

    Path Traversal

    Uses simple dot-slash pair checks.

    Uses encoded dot-slash pairs checks.

    Remote Command Execution

    Uses echo commands.

    Uses echo, cat, type, wget, and curl commands.

    XPATH Injection

    Employs same scanning techniques for both quick and full scan.

    SQL Injection

    Processes a maximum of 100 requests.

    Boolean based blind SQL Injection

    Processes unlimited requests.

    Boolean and time based blind SQL Injection

    ORM Injection -

    Processes a maximum of 100 requests.

    Boolean based blind SQL Injection

    Processes unlimited requests.

    Boolean and time based blind SQL Injection

    Expression Language (EL) / Object Graph Navigation Library (OGNL) Injection

    Detects by computing the product of two random numbers.

    Detects by computing the product of two random numbers.

    Detects blind injection.

    Detects escalation of vulnerability to RCE.

    IDOR

    NA

    Verifies broken access control between two logged-in credentials.

    Asynchronous (fetch, XHR) POST requests with parameters and API calls must be accessible only by the session authorizing the original request.

    Migitation against brute force attacks

    Detects if the target has a protection for brute-force attacks.

    Lack of session invalidation upon logout and session timeout

    Detects insufficient inactivity session expiration (idle timeout of 15 minutes) and insufficient session invalidation on user logout (user logout function invalidates user session).

    ACM

    NA

    Validates if the SSTI vulnerabilities identified in an asset can lead to RCE attacks.

    Unrestricted file upload

    Uploads different file extensions to the target web server with less payloads.

    Uploads different file extensions to the target web server with additional payloads.

    HTTP request smuggling

    Content-Length and Transfer-Encoding variant payloads are used for scanning.

    Additional variant payloads are used for scanning.

    Excessive authentication attempts

    Uses brute force by continuously sending random usernames and passwords to scans for improper restriction of excessive authentication attempts.

    Authentication bypass

    Detects malicious attacks using simple HTTP request.

    Detects malicious attacks using the Google Chrome browser.

    Web cache poisoning

    Detects malicious attacks using simple HTTP request.

    Detects malicious attacks using the Google Chrome browser.

    Code injection

    Scans form and query via the golang HTTP client.

    Scans header, cookie, form and query via Google Chrome browser..

    Malware detection

    Employs same scanning techniques for both quick and full scan.

    Clickjacking

    Scans for x-frame-options.

    Target is loaded in an iframe.
    Previous
    Next