User Guide

Known Attacks

FortiWeb Cloud defends against OWASP Top 10 attacks such as cross-site scripting (XSS), SQL injection, generic attacks, known exploits, and Trojans using continuously updated signatures. FortiWeb Cloud parses the messages in each packet, compares them with the signatures, and takes the specified action on matching packets.

To configure attacks to defend

  1. Go to SECURITY RULES > Known Attacks.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. For Signature Based Detection, you can use attack signatures to detect application layer attacks that try to exploit a known web vulnerability.
    Configure these settings.

    Sensitivity Level

    Choose from four categories of attack signatures (L1 to L4) based on their sensitivity to false positives and their requirement for a higher security level.

    Increasing the level adds signatures but also raises the chance of blocking legitimate traffic. We recommend choosing the level according to the following guidelines:

    Level 1: Baseline security with the least false positives. Use it if you are running an HTTP server on the internet.

    Level 2: This level is adequate when real user data such as user names and passwords is involved, for example an off-the-shelf online shop.

    Level 3: Online-banking level security with many false positives, so it is important to learn how to write rule exclusions.

    Level 4: Rules that are so strong that they’re adequate to protect the top confidential data. Be sure you have enough time to process the false positives. Please expect that with this amount of false positives, user experience might be greatly compromised.

    Note: This setting also applies to the Server Information Disclosure and Personally Identifiable Information options in Information Leakage.

    Cross Site Scripting

    Enable to prevent a variety of cross-site scripting (XSS) attacks, such as varieties of CSRF (cross-site request forgery).

    SQL Injection

    Enable to prevent SQL injection attacks, such as blind SQL injection.

    Generic Attacks

    Enable to prevent other common attacks, including a variety of injection threats that do not use SQL, such as local file inclusion (LFI) and remote file inclusion (RFI).

    Known Exploits

    Enable to prevent known exploits.

    Trojans

    Enable to prevent malware attacks and to block access to web shells located on the server.

    If you want to view the details of a specific signature, click Search Signature to find it by CVE number, Keywords, Attack Category, or signature ID.

  3. Click +Create Exception Rule under Signature Based Detection section to omit attack signature scans when you know that some parameters or URLs cause false positives by matching an attack signature during normal use.
  4. Request URL

    Specify a URL value to match. For example, /testpage.php matches requests for http://www.test.com/testpage.php.

    • If String Match is selected, ensure the value starts with a forward slash ( / ) (for example, /testpage.php). You can enter a precise URL, such as /folder1/index.htm, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • If Regular Expression Match is selected, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash. For details, see Frequently used regular expressions.

    Do not include a domain name, because it defaults to the domain name of this application.

    Parameter Name

    Specify a parameter name to match. For example, in http://www.test.com/testpage.php?a=1, the parameter name is "a".

    Cookie Name

    Specify a cookie name to match. Both String Match and Regular Expression Match are supported.

    JSON Elements

    Specify the name of the JSON element to match. Both String Match and Regular Expression Match are supported.

    Attack Category

    Select the attack category in which you want to create an exception for its attacks.

    Signature ID

    The ID for the signature applied to the attack.

    Signature Information

    Signature description and examples are listed here. You can select any signature ID for the attack and view the signature details.

  5. In addition to Signature Based Detection, FortiWeb Cloud also supports Syntax Based Detection for SQL injection or Cross Site Scripting (XSS).
    1. In SQL Syntax Based Detection, enable the options to detect the corresponding SQL injection types. FortiWeb Cloud uses an SQL parser to validate whether the suspicious pattern is real SQL. This identifies true attacks while minimizing false positives.
      Syntax-based detection identifies an SQL injection attack by analyzing the lexemes and syntax of the SQL language, rather than by the pattern-matching mechanism that signature-based detection uses.
    2. In XSS Syntax Based Detection, enable the option to detect the corresponding XSS attack types. FortiWeb Cloud detects an XSS injection attack by analyzing HTML/JavaScript syntax.
      It parses the HTML document, compiles the JavaScript, and checks whether the compiled result contains valid HTML and JavaScript code.
  6. Click +Create Exception Rule to omit Syntax Based attack scans when you know that some parameters or URLs may trigger Syntax Based Detection false positives during normal use.

    Request URL

    Specify a URL value to match. For example, /testpage.php matches requests for http://www.test.com/testpage.php.

    • If String Match is selected, ensure the value starts with a forward slash ( / ) (for example, /testpage.php). You can enter a precise URL, such as /folder1/index.htm, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
    • If Regular Expression Match is selected, the value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash. For details, see Frequently used regular expressions.

    Do not include a domain name, because it defaults to the domain name of this application.

    Parameter Name

    Specify a parameter name to match. For example, in http://www.test.com/testpage.php?a=1, the parameter name is "a".

    Cookie Name

    Specify a cookie name to match. Both String Match and Regular Expression Match are supported.

    Attack Category

    Select the attack category in which you want to create an exception for its attacks.

    Attack Name

    Select the attack name.

    • Stacked queries SQL injection: The snippet of this attack can be something like "1; delete from users".

    • Embedded queries: The snippet of this attack can be something like "1 union select username, password from users" and "1 /*! ; drop table admin */".

    Note: For Request URL and Parameter Name, you must enable at least one. A request that matches the URL and/or parameter specified in the exception rule is not treated as an attack.

  7. In the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate a log message.

    Alert & Deny

    Block the request (or reset the connection) and generate a log message.

    Deny (no log)

    Block the request (or reset the connection) but do not generate log messages.

  8. Click SAVE.
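The matching rules for Request URL, Parameter Name and Cookie Name in steps 3, 4 and 6 (String Match with wildcards and a mandatory leading slash, Regular Expression Match applied to a path that contains a slash, no domain name, at least one of URL or parameter enabled) and the three actions in step 7, as an added Python example. This is the editor's illustration of the page's description, not FortiWeb Cloud's own code: ExceptionRule, field_matches, is_exempt and decide are this example's names, the sample rules and URLs are constructed, and the assumption that all enabled fields of one rule must match together (AND) is the example's reading of "URL and/or parameter".

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# The three actions named on this page and what each does to a request that
# matched an attack signature and is not covered by an exception rule.
ACTIONS = {
    "Alert":         {"forward": True,  "log": True},
    "Alert & Deny":  {"forward": False, "log": True},
    "Deny (no log)": {"forward": False, "log": False},
}


@dataclass
class ExceptionRule:
    """Hypothetical model of one exception rule. Field names follow the UI labels;
    the matching semantics are this example's reading of the page, not product code."""
    request_url: Optional[str] = None       # path only, never a domain name
    url_mode: str = "string"                # "string" (with * wildcards) or "regex"
    parameter_name: Optional[str] = None
    parameter_mode: str = "string"
    cookie_name: Optional[str] = None
    cookie_mode: str = "string"

    def __post_init__(self) -> None:
        # The page's note: at least one of Request URL and Parameter Name is required.
        if self.request_url is None and self.parameter_name is None:
            raise ValueError("enable at least one of Request URL or Parameter Name")
        # String Match URLs must start with a forward slash.
        if self.url_mode == "string" and self.request_url is not None \
                and not self.request_url.startswith("/"):
            raise ValueError("String Match URL must start with '/'")


def field_matches(value: str, pattern: Optional[str], mode: str) -> bool:
    """String Match: the whole value must match, '*' standing for any run of
    characters. Regular Expression Match: the pattern is searched in the value
    as written, so a URL pattern has to tolerate the leading '/' itself."""
    if pattern is None:
        return True                         # field not enabled: no constraint
    if mode == "string":
        wildcard = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(wildcard, value) is not None
    return re.search(pattern, value) is not None


def any_name_matches(names: Iterable[str], pattern: Optional[str], mode: str) -> bool:
    """A parameter or cookie field matches if any name in the request matches it."""
    if pattern is None:
        return True
    return any(field_matches(name, pattern, mode) for name in names)


def is_exempt(rule: ExceptionRule, url: str, cookie_header: str = "") -> bool:
    """True when every enabled field of the rule matches the request. Enabled
    fields are ANDed (an assumption of this example). Only the path component
    is compared, which is why the rule value carries no domain name."""
    parts = urlsplit(url)
    param_names = parse_qs(parts.query, keep_blank_values=True).keys()
    cookie_names = [c.split("=", 1)[0].strip()
                    for c in cookie_header.split(";") if c.strip()]
    return (field_matches(parts.path, rule.request_url, rule.url_mode)
            and any_name_matches(param_names, rule.parameter_name, rule.parameter_mode)
            and any_name_matches(cookie_names, rule.cookie_name, rule.cookie_mode))


def decide(signature_hit: bool, exempt: bool, action: str) -> dict:
    """Outcome for one request: an exception rule suppresses the signature hit
    entirely; otherwise the selected action says whether to forward and log."""
    if not signature_hit or exempt:
        return {"forward": True, "log": False}
    return dict(ACTIONS[action])


if __name__ == "__main__":
    # Constructed sample: exempt parameter "a" under /folder1/, but nowhere else.
    rule = ExceptionRule(request_url="/folder1/*", parameter_name="a")
    for url in ("http://www.test.com/folder1/index.htm?a=1",
                "http://www.test.com/testpage.php?a=1"):
        exempt = is_exempt(rule, url)
        print(url, "exempt" if exempt else "scanned",
              decide(True, exempt, "Alert & Deny"))
```

The regex cases are the ones worth trying when an exception does not seem to take effect: `^testpage\.php$` never matches because the compared value is `/testpage.php`, whereas `testpage\.php$` or `^/testpage\.php$` does, which is exactly the "ensure that it can match values that contain a forward slash" caveat above.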
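Step 5 says that syntax-based detection analyzes the lexemes and syntax of SQL instead of matching patterns, and step 6 names the two categories it reports, stacked queries and embedded queries. The following added Python example is the editor's illustration of that difference, not FortiWeb Cloud's parser: a small SQL lexer that discards whitespace and ordinary comments but keeps the body of a MySQL `/*! ... */` conditional comment as live tokens (MySQL executes that body, which is what the page's second embedded-query snippet relies on), and a classifier that reports the page's two categories. tokenize, classify and naive_keyword_hit are this example's own names, the inputs in the test are the page's snippets plus a constructed harmless sentence, and the two-way classification is a simplification of the product's.

```python
import re
from typing import List, Tuple

# (kind, text, inside_conditional_comment)
Token = Tuple[str, str, bool]

# Keywords that can begin a statement after a terminator.
STATEMENT_KEYWORDS = {"select", "insert", "update", "delete", "drop",
                      "create", "alter", "truncate"}

# Lexer for the subset of SQL needed here. Order matters: the MySQL conditional
# comment opener must be tried before the ordinary comment alternative.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<cond_open>/\*!\d*)                     # body is executed by MySQL
  | (?P<comment>/\*.*?\*/|--[^\n]*|\#[^\n]*)   # ordinary comments carry no syntax
  | (?P<string>'(?:[^']|'')*'|"(?:[^"]|"")*")
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<cond_close>\*/)
  | (?P<punct>[;,()*=<>+\-/])
""", re.VERBOSE | re.DOTALL)


def tokenize(text: str) -> List[Token]:
    """Split a parameter value into SQL lexemes, dropping whitespace and ordinary
    comments but keeping the contents of conditional comments as live tokens
    flagged as such."""
    tokens: List[Token] = []
    pos, in_cond = 0, False
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:                            # stray character (e.g. a lone quote)
            tokens.append(("other", text[pos], in_cond))
            pos += 1
            continue
        kind, lexeme = m.lastgroup, m.group()
        pos = m.end()
        if kind in ("ws", "comment"):
            continue
        if kind == "cond_open":
            in_cond = True
        elif kind == "cond_close" and in_cond:
            in_cond = False
        elif kind == "cond_close":
            tokens.append(("other", lexeme, in_cond))
        else:
            tokens.append((kind, lexeme.lower() if kind == "word" else lexeme, in_cond))
    return tokens


def classify(value: str) -> List[str]:
    """Injection types found, using the page's two categories: 'stacked' for a
    ';' terminator followed by a new statement, 'embedded' for a UNION SELECT or
    for a statement hidden inside a conditional comment."""
    toks = tokenize(value)
    found = set()
    for i, (kind, text, cond) in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if (kind == "punct" and text == ";" and nxt is not None
                and nxt[0] == "word" and nxt[1] in STATEMENT_KEYWORDS
                and i + 2 < len(toks)):          # a statement needs more than its verb
            found.add("embedded" if nxt[2] else "stacked")
        if kind == "word" and text == "union":
            j = i + 1
            if j < len(toks) and toks[j][:2] == ("word", "all"):
                j += 1
            if j + 1 < len(toks) and toks[j][:2] == ("word", "select"):
                found.add("embedded")
    return sorted(found)


def naive_keyword_hit(value: str) -> bool:
    """Stand-in for a pure pattern match: flags any SQL verb anywhere in the value.
    It catches the page's snippets but also ordinary English, which is the kind
    of false positive the syntax-based check avoids."""
    return re.search(r"\b(union|select|delete|drop|insert|update)\b", value, re.I) is not None


if __name__ == "__main__":
    # Constructed inputs: the page's snippets plus a harmless sentence.
    for sample in ("1; delete from users",
                   "1 union select username, password from users",
                   "1 /*! ; drop table admin */",
                   "my union; the select committee"):
        print(f"{sample!r:50} syntax={classify(sample)} keyword={naive_keyword_hit(sample)}")
```

The harmless sentence is the point of the comparison: the keyword check flags it, the lexeme-and-syntax check does not, because a `;` followed by "the" starts no statement and "union" followed by `;` is not a UNION SELECT. The two comment forms make the opposite point: an ordinary `/* */` comment removes the enclosed text from the token stream, while the `/*! */` form keeps it, so the same words are inert in one and a live statement in the other.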
