Fortinet Document Library

User Guide

Known Attacks

FortiWeb Cloud defends against OWASP Top 10 attacks such as cross-site scripting (XSS), SQL injection, generic attacks, known exploits, and Trojans, using continuously updated signatures. FortiWeb Cloud parses the messages in each packet, compares them with the signatures, and takes the specified actions on the packets.

To configure which attacks to defend against

  1. Go to SECURITY RULES > Known Attacks.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. For Signature Based Detection, you can use attack signatures to detect application layer attacks that try to exploit a known web vulnerability.
    Configure these settings.

    Cross Site Scripting

    Enable to prevent a variety of cross-site scripting (XSS) attacks, such as varieties of CSRF (cross-site request forgery).

    SQL Injection

    Enable to prevent SQL injection attacks, such as blind SQL injection.

    Generic Attacks

    Enable to prevent other common attacks, including a variety of injection threats that do not use SQL, such as local file inclusion (LFI) and remote file inclusion (RFI).

    Known Exploits

    Enable to prevent known exploits.

    Trojans

    Enable to prevent malware attacks and to prevent access to web shells located on the server.

  3. Click +Create Exception Rule in the Signature Based Detection section to omit attack signature scans when you know that some parameters or URLs cause false positives by matching an attack signature during normal use.
  4. Configure these settings for the exception rule.

    Request URL

    Specify a URL value to match. For example, /testpage.php, which matches requests for http://www.test.com/testpage.php.

    • If String Match is selected, ensure the value starts with a forward slash ( / ) (for example, /testpage.php). You can enter a precise URL, such as /folder1/index.htm, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • If Regular Expression Match is selected, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash. For details, see Frequently used regular expressions.

    Do not include a domain name; the domain name of this application is used by default.

    Parameter Name

    Specify a parameter name to match. For example, in http://www.test.com/testpage.php?a=1, the parameter name is "a".

    Attack Category

    Select the attack category whose attacks you want to create an exception for.

    Signature ID

    The ID for the signature applied to the attack.

    Signature Information

    Signature description and examples are listed here. You can select any signature ID for the attack and view the signature details.

  5. In addition to Signature Based Detection, FortiWeb Cloud also supports Syntax Based Detection for SQL injection or Cross Site Scripting (XSS).
    1. In SQL Syntax Based Detection, enable the options to detect the corresponding SQL injection types. FortiWeb Cloud uses an SQL parser to validate whether the pattern is real SQL language. It helps identify true attacks while minimizing false positives.
      Syntax-based detection detects an SQL injection attack by analyzing the lexemes and syntax of the SQL language rather than by pattern matching, as signature-based detection does.
    2. In XSS Syntax Based Detection, enable the option to detect the corresponding XSS attack types. FortiWeb Cloud detects an XSS injection attack by analyzing the HTML/JavaScript syntax.
      It parses the HTML document, compiles the JavaScript, and checks whether the compiled results include valid HTML and JavaScript code.
  6. Click +Create Exception Rule to omit Syntax Based attack scans when you know that some parameters or URLs may trigger Syntax Based Detection false positives during normal use.

    Request URL

    Specify a URL value to match. For example, /testpage.php, which matches requests for http://www.test.com/testpage.php.

    • If String Match is selected, ensure the value starts with a forward slash ( / ) (for example, /testpage.php). You can enter a precise URL, such as /folder1/index.htm, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • If Regular Expression Match is selected, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash. For details, see Frequently used regular expressions.

    Do not include a domain name; the domain name of this application is used by default.

    Parameter Name

    Specify a parameter name to match. For example, in http://www.test.com/testpage.php?a=1, the parameter name is "a".

    Attack Category

    Select the attack category whose attacks you want to create an exception for.

    Attack Name

    Select the attack name.

    • Stacked queries SQL injection: The snippet of this attack can be something like "1; delete from users".

    • Embedded queries: The snippet of this attack can be something like "1 union select username, password from users
      1 /*! ; drop table admin */ ".

    Note: For Request URL and Parameter Name, you must enable at least one. A request that matches the URL and/or parameter specified in the exception rule is not treated as an attack.

  7. From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in Global > Settings.

    Alert

    Accept the request and generate a log message.

    Alert & Deny

    Block the request (or reset the connection) and generate a log message.

    Deny(no log)

    Block the request (or reset the connection) but do not generate log messages.

  8. Click SAVE.
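The contrast in step 5 between pattern matching and syntax analysis, as an added toy illustration (not FortiWeb Cloud's signatures or SQL parser): a keyword pattern fires on ordinary text, while a small grammar check names an injection type only when the value lexes and parses as SQL. The keyword list, token set and two grammar rules are assumptions chosen to cover the page's two sample snippets.

```python
import re

# Toy stand-ins (assumptions), not FortiWeb Cloud's signatures or SQL parser.
SIGNATURE = re.compile(r"\b(union|select|delete|drop)\b", re.I)
TOKEN = re.compile(r"\s*(?:(?P<num>\d+)|(?P<word>[A-Za-z_]\w*)|(?P<punct>[;,*]))")
KEYWORDS = {"select", "union", "from", "delete"}

def signature_hit(value):
    return bool(SIGNATURE.search(value))  # fires on keywords anywhere in the text

def tokenize(value):
    """Lex a parameter value into (kind, text) tokens; None if it does not lex."""
    value, tokens, pos = value.strip(), [], 0
    while pos < len(value):
        m = TOKEN.match(value, pos)
        if not m:
            return None
        tokens.append((m.lastgroup, m.group(m.lastgroup).lower()))
        pos = m.end()
    return tokens

def is_ident(tok):
    return tok[0] == "word" and tok[1] not in KEYWORDS

def is_select(t):  # grammar: select col[, col]... from table
    if not t or t[0] != ("word", "select"):
        return False
    i = 1
    while i < len(t) and (is_ident(t[i]) or t[i] == ("punct", "*")):
        i += 1
        if i < len(t) and t[i] == ("punct", ","):
            i += 1
            continue
        return len(t) == i + 2 and t[i] == ("word", "from") and is_ident(t[i + 1])
    return False

def is_delete(t):  # grammar: delete from table
    return len(t) == 3 and t[:2] == [("word", "delete"), ("word", "from")] and is_ident(t[2])

def syntax_verdict(value):
    """Name the injection type only when a literal is followed by parseable SQL."""
    t = tokenize(value)
    if not t or len(t) < 3 or t[0][0] != "num":
        return None
    if t[1] == ("punct", ";") and (is_delete(t[2:]) or is_select(t[2:])):
        return "stacked queries"
    if t[1] == ("word", "union") and is_select(t[2:]):
        return "embedded queries"
    return None
```

A form field containing a sentence such as "Please select a union rep; drop off the delete form" trips the keyword pattern but gets no syntax verdict, which is the false-positive reduction step 5 describes.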
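A pre-deployment check for the exception rules in steps 3 to 6, added here and not Fortinet code: it models a rule's Request URL and Parameter Name and lists which parameters of sample requests the rule would exclude from scanning. The rule dictionary fields, the sample traffic and the matching semantics ("*" spans any characters, a regular expression may match anywhere in the path, exemption applies per parameter) are assumptions to verify against the product.

```python
import re

def url_matches(rule, path):
    """Assumed semantics: '*' spans any characters, '/' included; a regex may match anywhere."""
    url = rule.get("url")
    if url is None:                      # rule scoped by parameter name only
        return True
    if rule["match"] == "string":
        if not url.startswith("/"):
            raise ValueError("String Match value must start with '/'")
        glob = ".*".join(re.escape(part) for part in url.split("*"))
        return re.fullmatch(glob, path) is not None
    return re.search(url, path) is not None

def exempted_params(rule, path, params):
    """Parameters of one request that the rule would exclude from scanning."""
    if rule.get("url") is None and rule.get("param") is None:
        raise ValueError("set at least one of Request URL and Parameter Name")
    if not url_matches(rule, path):
        return []
    if rule.get("param") is None:        # URL-only rule: every parameter is skipped
        return sorted(params)
    return [p for p in params if p == rule["param"]]

def coverage(rule, requests):
    """Map each sample path to the parameters the rule would exempt."""
    hits = {}
    for path, params in requests:
        skipped = exempted_params(rule, path, params)
        if skipped:
            hits[path] = skipped
    return hits

# Constructed sample traffic (path, parameter names).
SAMPLE = [
    ("/testpage.php", ["a", "b"]),
    ("/folder1/index.htm", ["q"]),
    ("/folder1/admin/index.htm", ["q", "id"]),
    ("/backup/testpage.php.bak", ["a"]),
]

NARROW = {"match": "string", "url": "/testpage.php", "param": "a"}
WIDE = {"match": "string", "url": "/folder1/*"}
LOOSE_RE = {"match": "regex", "url": "testpage\\.php"}
ANCHORED_RE = {"match": "regex", "url": "^/testpage\\.php$"}
```

Under these assumptions, `coverage(WIDE, SAMPLE)` and `coverage(LOOSE_RE, SAMPLE)` show how a wildcard or an unanchored expression exempts paths beyond the one that produced the false positive, while `NARROW` exempts a single parameter on a single URL.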
