Fortinet Document Library

Version:

Version:


Table of Contents

Download PDF
Copy Link

What is FortiPenTest

FortiPenTest is a cloud enabled service that performs vulnerability assessment and pentration testing through an intensive process of comprehensive and criteria based automated scanning and analysis. It adopts an organised technical approach of assessing your web applications running in an HTTP/HTTPS environment, to identify loopholes and vulnerabilities. Penetration testing (pen-testing) is the process to explore and exploit security vulnerabilities in an application using various malicious techniques to discover security gaps; securing your network and assisting in suitable remediation steps for the identified susceptibilities.

The goal of FortiPenTest is to provide an easy-to-understand and non-intrusive evaluation of the security posture of your web applications. The outcome is an accurate and detailed vulnerability assessment report with a high vulnerability detection rate that facilitates appropriate measures for remediation and further network penetration testing.

This diagram lays down the building blocks of the FortiPenTest vulnerability assessment and penetration testing service.

 

FortiPenTest uses web Crawler and Fuzzer techniques to detect and scan your web applications for vulnerability assessment. The Common Vulnerability Scoring System (CVSS) and Open Web Application Security Project (OWASP) Top 10 are employed to assess the severity of vulnerabilities and identify security risks to web applications. The vulnerability assessment result is presented in a comprehensive dashboard and customized, downloadable reports with graphical representation and visualization of statistics.

Crawler Module

The web Crawler systematically crawls the web server asset and locates paths that are inputs to the fuzzer modules. It uses the quick and full scan modes. These modes are configurable, see Configuring the Scanner.

A quick scan is fast mode scanning that provides vulnerability assessment based on limited testing/scraping of the static pages of your asset. These pages are scraped by searching and extracting URLs from HTML tags and attributes. For example, the following tag which defines a hyperlink with href attribute.

<a href=”http://example.com”>

A Full scan provides vulnerability assessment based on complete testing/scraping of the static and dynamic pages of your asset. The Crawler also performs browsing simulation such as clicking of buttons, links, and images to test the interaction between the dynamic pages and the browser. This mode of vulnerability assessment takes longer.

Crawler Timeout

The Crawler times out after 5 hours, that is, it stops crawling your asset after 5 hours. If your asset is very large, you might obtain only partial scanning result.

Inconsistent Crawler Result

The following are some reasons that might cause inconsistent crawling results.

  • Dynamic contents: Forums and access logging.
  • Redirections: HTTP redirects to HTTPS and redirection to WWW.
  • Inconsistent response time: Presence of too much content affecting the response and loading time.
  • Intermediate third party security product: Web Application Firewall (WAF) blocking some requests.

Fuzzer Module

This table describes the various Fuzzer modules used for vulnerability scanning.

OWASP Top 10

Vulnerability Description & Fuzzer Modules

A1 - Injection

Injection faults, such as SQL, NoSQL, OS, and LDAP injection, happen when untrusted or hostile data is sent to an interpreter as part of a command or query. The interpreter executes this data through unintended commands or accessing data without proper authorization. This can lead to data loss or a complete host takeover.

 

Remote Code Execution - Scans if the provided URL together with other scan parameters are vulnerable to exploits due to command injection faults.

Server-Side Template Injection - Scans if the web application uses server-side template and if injecting malicious payload into the template can be executed.

File inclusion – Scans if the provided URL is vulnerable to dynamic file inclusion which occurs when the target contains procedures that use user-supplied file path input without proper validation.

LDAP Injection - Scans if the web application is vulnerable to LDAP injection attacks that occur when the LDAP statements based on user input are modified using a local proxy.

NoSQL Injection - Scans if the web application is vulnerable to malicious queries aimed to modify/alter the NoSQL database when the application communicates directly with the database.

SQL Injection - Scans if the web application is vulnerable to malicious SQL queries through unsanitized user input exposing sensitive information.

XPATH Injection - Scans if the web application is vulnerable to malicious Xpath queries through unsanitized user input exposing sensitive information.

A2 - Broken Authentication

The authentication and session management functions may have implementation flaws that make web applications vulnerable to compromised passwords or session tokens. This allows attackers to impersonate other users' identities.

 

URL Session Token - Scans if the session tokens in the provided URL are vulnerable to leaks and uses secure methods to store session tokens.

Session Fixation - Scans if the value of the session cookie can be overwritten with an existent session ID. It ensures that a new session cookie is generated upon authentication.

A3 - Sensitive Data Exposure

Web applications are vulnerable to sensitive data exposure, that is, revealing information to parties that are not supposed to have access to it. This may lead to data theft or modification of inadequately protected data.

This category anayzes in detail the global configuration settings impacting security as identified in the A6 – Security Misconfiguration category.

 

Information Disclosure - Scans and identifies sensitive information such as passwords, phone numbers, email addresses, secret finders using regular expressions, and banner grabbing vulnerabilities. It extracts information on static and rendered HTML pages.

SSL tests - Scans if the provided URL together with other scan parameters has a valid SSL/TLS-enabled version and if so, whether there is an automatic HTTP to HTTPS redirection when a user visits the HTTP version of the website.

Weak Ciphers - Scans for vulnerable cipher suites that do not provide sufficient security to web applications.

A4 - XML External Entities

The XML External Entity (XXE) attack occurs when an inadequately configured XML parser process tainted external entities within an XML document leading to denial-of-service (DOS) attacks, remote code execution, and disclosure of sensitive information. A blind XXE attack uses remote or out-of-band (OOB) network interactions to extract information from web applications. The Command and Control (C2) server is implemented to detect these vulnerabilities.

 

XML external entity (XXE) injection - Scans if the web application is vulnerable to XXE injections by validating and filtering the XML documents before processing.

A4 2010 - Upload Insecure Files

Uploaded files are rendered insecure when an internal file, directory, or database key are exposed. Without appropriate checks, attackers can access unauthorized data.

 

Insecure file upload and manipulation via WebDAV - Scans resources and properties of a particular directory to know if it is possible to obtain a recursive directory listing of all the files and folders from the provided URL using WebDAV. WebDAV is disabled when not in use or directory browsing permissions are restricted.

A5 - Broken Access Control

Broken access control vulnerabilities arise primarily because the rights of authenticated users are not properly enforced. This vulnerability allows access to unauthorized information, such as user account details, sensitive files, or the ability to modify user data and access rights.

 

Path Traversal - Scans if the files and directories can be accessed outside the web root folder on the target web server via a controlled web application variable.

Forced Browsing - Scans if the resources that are not referenced by the web application can be accessed leading to unauthorized information gathering.

A6 – Security Misconfiguration

Security misconfiguration is the most frequently observed flaw and is normally due to insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. All operating systems, frameworks, libraries, and applications must have secure configurations and should be timely patched/upgraded. These vulnerabilities lead to unauthorized access to system data/functionality or a complete system compromise.

 

CORS misconfiguration – Scans if the provided URL allows Cross-Origin Resource Sharing. CORS is a browser mechanism which enables controlled access to resources located outside of a given domain. Misconfiguration may allow attackers to perform cross-domain based attacks.

Security HTTP Headers - Scans if the HTTP response has specific headers to increase the security of your application.

Weak Password – Scans if the provided URL is subjected to authentication bypass using a dictionary bruteforce attack.

Suspicious Domains – Scans If the provided URL is referencing to domains which are either expired or not registered.

Server Side Request Forgery - Scans if the HTTP requests coming from server-side applications can be controlled and redirected to a malicious web page. The C2 server is implemented to detect these vulnerabilities.

A7 – Cross Site Scripting

Web application is vulnerable to Cross-Site Scripting (XSS) when it contains unsanitized data in a new web page or in an user-supplied data to an existing web page using a browser API that can create HTML or JavaScript. The attackers can execute scripts to exploit all three forms of XSS namely: Reflected, Stored, and DOM, in your browser to hijack user sessions, deface web sites, or redirect you to malicious sites.

 

XSS (Cross site scripting) - Scans for XSS vulnerabilities by sending executable scripts (payloads) in the form of specially crafted user inputs to a target URL. If the scripts end up being executed, the target is considered to be vulnerable.

A8 - Insecure Deserialization

Insecure deserialization vulnerabilities lead to multiple flaws such as remote code execution, replay attacks, injection attacks, and privilege escalation attacks. This enables an attacker to manipulate serialized objects and pass harmful data into the web application.

 

Untrusted Data Deserialization - Scans for vulnerabilities related to deserialization of Untrusted PHP/Java data. Serialized objects are not accepted from untrusted sources.

A9 - Using Components with Known Vulnerabilities

Development components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. When any vulnerability in these components is exploited, it can lead to major data loss or server hijack. Applications and APIs by employing components with known vulnerabilities tend to weaken application defences and enable various attacks.

 

Known vulnerability - Scans if the asset (provided URL together with other scan parameters) is using such components that are known to have vulnerabilities. For components with Common Platform Enumeration (CPE) values, this module also queries the National Vulnerability Database (NVD) to find all reported vulnerabilities for each component. Each vulnerability in NVD is associated with a unique Common Vulnerabilities and Exposure (CVE) ID.

A10 2013 – Unvalidated Redirects and Forwards

Web applications commonly redirect and forward you to other destination pages (websites and applications) using untrusted/invalidated data. In the absence of validation, attackers can exploit and redirect you to phishing or malware sites, or use forwards to access unauthorized pages.

 

Open Redirect – Scans if the provided URL accepts a user controlled input that specifies a link to an external site, and uses that link in a redirect.

 

Some of the key features of FortiPenTest are:

  • The web application scanning is comprehensive and provides accurate vulnerability assessment for a complete view of security risks.
  • The automated scanning process allows you to simply and swiftly evaluate all of your web applications, reducing manual intervention.
  • The scanning process is completely non-intrusive to prevent inactivity and disruptions; you can include additional headers to be included in the scan.
  • A comprehensive dashboard as a combination of interactive chart and list based statistics. The dashboard provides detailed insight into the scanned web applications.

Note: The term asset used henceforth in this document implies the web site that you are scanning.

What is FortiPenTest

FortiPenTest is a cloud enabled service that performs vulnerability assessment and pentration testing through an intensive process of comprehensive and criteria based automated scanning and analysis. It adopts an organised technical approach of assessing your web applications running in an HTTP/HTTPS environment, to identify loopholes and vulnerabilities. Penetration testing (pen-testing) is the process to explore and exploit security vulnerabilities in an application using various malicious techniques to discover security gaps; securing your network and assisting in suitable remediation steps for the identified susceptibilities.

The goal of FortiPenTest is to provide an easy-to-understand and non-intrusive evaluation of the security posture of your web applications. The outcome is an accurate and detailed vulnerability assessment report with a high vulnerability detection rate that facilitates appropriate measures for remediation and further network penetration testing.

This diagram lays down the building blocks of the FortiPenTest vulnerability assessment and penetration testing service.

 

FortiPenTest uses web Crawler and Fuzzer techniques to detect and scan your web applications for vulnerability assessment. The Common Vulnerability Scoring System (CVSS) and Open Web Application Security Project (OWASP) Top 10 are employed to assess the severity of vulnerabilities and identify security risks to web applications. The vulnerability assessment result is presented in a comprehensive dashboard and customized, downloadable reports with graphical representation and visualization of statistics.

Crawler Module

The web Crawler systematically crawls the web server asset and locates paths that are inputs to the fuzzer modules. It uses the quick and full scan modes. These modes are configurable, see Configuring the Scanner.

A quick scan is fast mode scanning that provides vulnerability assessment based on limited testing/scraping of the static pages of your asset. These pages are scraped by searching and extracting URLs from HTML tags and attributes. For example, the following tag which defines a hyperlink with href attribute.

<a href=”http://example.com”>

A Full scan provides vulnerability assessment based on complete testing/scraping of the static and dynamic pages of your asset. The Crawler also performs browsing simulation such as clicking of buttons, links, and images to test the interaction between the dynamic pages and the browser. This mode of vulnerability assessment takes longer.

Crawler Timeout

The Crawler times out after 5 hours, that is, it stops crawling your asset after 5 hours. If your asset is very large, you might obtain only partial scanning result.

Inconsistent Crawler Result

The following are some reasons that might cause inconsistent crawling results.

  • Dynamic contents: Forums and access logging.
  • Redirections: HTTP redirects to HTTPS and redirection to WWW.
  • Inconsistent response time: Presence of too much content affecting the response and loading time.
  • Intermediate third party security product: Web Application Firewall (WAF) blocking some requests.

Fuzzer Module

This table describes the various Fuzzer modules used for vulnerability scanning.

OWASP Top 10

Vulnerability Description & Fuzzer Modules

A1 - Injection

Injection faults, such as SQL, NoSQL, OS, and LDAP injection, happen when untrusted or hostile data is sent to an interpreter as part of a command or query. The interpreter executes this data through unintended commands or accessing data without proper authorization. This can lead to data loss or a complete host takeover.

 

Remote Code Execution - Scans if the provided URL together with other scan parameters are vulnerable to exploits due to command injection faults.

Server-Side Template Injection - Scans if the web application uses server-side template and if injecting malicious payload into the template can be executed.

File inclusion – Scans if the provided URL is vulnerable to dynamic file inclusion which occurs when the target contains procedures that use user-supplied file path input without proper validation.

LDAP Injection - Scans if the web application is vulnerable to LDAP injection attacks that occur when the LDAP statements based on user input are modified using a local proxy.

NoSQL Injection - Scans if the web application is vulnerable to malicious queries aimed to modify/alter the NoSQL database when the application communicates directly with the database.

SQL Injection - Scans if the web application is vulnerable to malicious SQL queries through unsanitized user input exposing sensitive information.

XPATH Injection - Scans if the web application is vulnerable to malicious Xpath queries through unsanitized user input exposing sensitive information.

A2 - Broken Authentication

The authentication and session management functions may have implementation flaws that make web applications vulnerable to compromised passwords or session tokens. This allows attackers to impersonate other users' identities.

 

URL Session Token - Scans if the session tokens in the provided URL are vulnerable to leaks and uses secure methods to store session tokens.

Session Fixation - Scans if the value of the session cookie can be overwritten with an existent session ID. It ensures that a new session cookie is generated upon authentication.

A3 - Sensitive Data Exposure

Web applications are vulnerable to sensitive data exposure, that is, revealing information to parties that are not supposed to have access to it. This may lead to data theft or modification of inadequately protected data.

This category anayzes in detail the global configuration settings impacting security as identified in the A6 – Security Misconfiguration category.

 

Information Disclosure - Scans and identifies sensitive information such as passwords, phone numbers, email addresses, secret finders using regular expressions, and banner grabbing vulnerabilities. It extracts information on static and rendered HTML pages.

SSL tests - Scans if the provided URL together with other scan parameters has a valid SSL/TLS-enabled version and if so, whether there is an automatic HTTP to HTTPS redirection when a user visits the HTTP version of the website.

Weak Ciphers - Scans for vulnerable cipher suites that do not provide sufficient security to web applications.

A4 - XML External Entities

The XML External Entity (XXE) attack occurs when an inadequately configured XML parser process tainted external entities within an XML document leading to denial-of-service (DOS) attacks, remote code execution, and disclosure of sensitive information. A blind XXE attack uses remote or out-of-band (OOB) network interactions to extract information from web applications. The Command and Control (C2) server is implemented to detect these vulnerabilities.

 

XML external entity (XXE) injection - Scans if the web application is vulnerable to XXE injections by validating and filtering the XML documents before processing.

A4 2010 - Upload Insecure Files

Uploaded files are rendered insecure when an internal file, directory, or database key are exposed. Without appropriate checks, attackers can access unauthorized data.

 

Insecure file upload and manipulation via WebDAV - Scans resources and properties of a particular directory to know if it is possible to obtain a recursive directory listing of all the files and folders from the provided URL using WebDAV. WebDAV is disabled when not in use or directory browsing permissions are restricted.

A5 - Broken Access Control

Broken access control vulnerabilities arise primarily because the rights of authenticated users are not properly enforced. This vulnerability allows access to unauthorized information, such as user account details, sensitive files, or the ability to modify user data and access rights.

 

Path Traversal - Scans if the files and directories can be accessed outside the web root folder on the target web server via a controlled web application variable.

Forced Browsing - Scans if the resources that are not referenced by the web application can be accessed leading to unauthorized information gathering.

A6 – Security Misconfiguration

Security misconfiguration is the most frequently observed flaw and is normally due to insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. All operating systems, frameworks, libraries, and applications must have secure configurations and should be timely patched/upgraded. These vulnerabilities lead to unauthorized access to system data/functionality or a complete system compromise.

 

CORS misconfiguration – Scans if the provided URL allows Cross-Origin Resource Sharing. CORS is a browser mechanism which enables controlled access to resources located outside of a given domain. Misconfiguration may allow attackers to perform cross-domain based attacks.

Security HTTP Headers - Scans if the HTTP response has specific headers to increase the security of your application.

Weak Password – Scans if the provided URL is subjected to authentication bypass using a dictionary bruteforce attack.

Suspicious Domains – Scans If the provided URL is referencing to domains which are either expired or not registered.

Server Side Request Forgery - Scans if the HTTP requests coming from server-side applications can be controlled and redirected to a malicious web page. The C2 server is implemented to detect these vulnerabilities.

A7 – Cross Site Scripting

Web application is vulnerable to Cross-Site Scripting (XSS) when it contains unsanitized data in a new web page or in an user-supplied data to an existing web page using a browser API that can create HTML or JavaScript. The attackers can execute scripts to exploit all three forms of XSS namely: Reflected, Stored, and DOM, in your browser to hijack user sessions, deface web sites, or redirect you to malicious sites.

 

XSS (Cross site scripting) - Scans for XSS vulnerabilities by sending executable scripts (payloads) in the form of specially crafted user inputs to a target URL. If the scripts end up being executed, the target is considered to be vulnerable.

A8 - Insecure Deserialization

Insecure deserialization vulnerabilities lead to multiple flaws such as remote code execution, replay attacks, injection attacks, and privilege escalation attacks. This enables an attacker to manipulate serialized objects and pass harmful data into the web application.

 

Untrusted Data Deserialization - Scans for vulnerabilities related to deserialization of Untrusted PHP/Java data. Serialized objects are not accepted from untrusted sources.

A9 - Using Components with Known Vulnerabilities

Development components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. When any vulnerability in these components is exploited, it can lead to major data loss or server hijack. Applications and APIs by employing components with known vulnerabilities tend to weaken application defences and enable various attacks.

 

Known vulnerability - Scans if the asset (provided URL together with other scan parameters) is using such components that are known to have vulnerabilities. For components with Common Platform Enumeration (CPE) values, this module also queries the National Vulnerability Database (NVD) to find all reported vulnerabilities for each component. Each vulnerability in NVD is associated with a unique Common Vulnerabilities and Exposure (CVE) ID.

A10 2013 – Unvalidated Redirects and Forwards

Web applications commonly redirect and forward you to other destination pages (websites and applications) using untrusted/invalidated data. In the absence of validation, attackers can exploit and redirect you to phishing or malware sites, or use forwards to access unauthorized pages.

 

Open Redirect – Scans if the provided URL accepts a user controlled input that specifies a link to an external site, and uses that link in a redirect.

 

Some of the key features of FortiPenTest are:

  • The web application scanning is comprehensive and provides accurate vulnerability assessment for a complete view of security risks.
  • The automated scanning process allows you to simply and swiftly evaluate all of your web applications, reducing manual intervention.
  • The scanning process is completely non-intrusive to prevent inactivity and disruptions; you can include additional headers to be included in the scan.
  • A comprehensive dashboard as a combination of interactive chart and list based statistics. The dashboard provides detailed insight into the scanned web applications.

Note: The term asset used henceforth in this document implies the web site that you are scanning.