wvs profile

Use this command to configure web vulnerability scan profiles.

A web vulnerability scan (WVS) profile defines the web server to scan, as well as the specific vulnerabilities to scan for. The WVS profiles are associated with WVS policies, which determine when to perform the scan and how to publish the results of the scan defined by the profile.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wvsgrp area. For details, see Permissions.

Syntax

config wvs profile

edit "<wvs_profile_name>"

set scan-target <scan-target_str>

set scan-template <scan-template_id>

set request-timeout <request-timeout_int>

set ignore-session-cookies {enable | disable}

set user-agent-type {custom | random}

set custom-user-agent <custom-user-agent_str>

set custom-header0 <custom-header0_str>

set custom-header1 <custom-header1_str>

set custom-header2 <custom-header2_str>

set custom-header3 <custom-header3_str>

set custom-header4 <custom-header4_str>

set custom-header5 <custom-header5_str>

set custom-header6 <custom-header6_str>

set custom-header7 <custom-header7_str>

set custom-header8 <custom-header8_str>

set custom-header9 <custom-header9_str>

set sub-path-limit <sub-path-limit_int>

set max-scan-time <max-scan-time_int>

set max-crawl-time <max-crawl-time_int>

set max-params-limit <max-params-limit_int>

set max-file-size <max-file-size_int>

set max-http-retries <max-http-retries_int>

set specify-urls-for-scanning {enable | disable}

set follow-regex <follow-regex_int>

set ignore-regex <ignore-regex_int>

set http-basic-authentication {enable | disable}

set basic-username <basic-username_str>

set basic-password <basic-password_str>

set form-based-authentication {enable | disable}

set form-based-username <form-based-username_str>

set form-based-password <form-based-password_str>

set form-based-auth-url <form-based-auth-url_str>

set username-field <username-field_str>

set password-field <password-field_str>

set cookie-jar-file <cookie-jar-file_str>

set session-check-url <session-check-url_str>

set session-check-str <session-check-str_str>

set data-format <data-format_str>

end
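As an added worked example (not Fortinet's own code), the Python helper below renders this block from a dictionary and checks the constraints the variable table documents before the text is pasted into a device: the 63-character name limit, enable/disable values, the 1 to 10 range of max-http-retries, and the http:// or https:// scheme that form-based-auth-url must carry. Emitting `next` before `end` and the double-quote escaping rule are assumptions about Fortinet CLI conventions; the page's syntax listing shows neither.

```python
"""Render a FortiWeb `config wvs profile` block from a Python dict and check
the constraints documented for it before anything is pushed to a device.
Added example, not Fortinet code; `next` and the quoting rules are assumed."""
import re

# Keywords accepted by `set`, in the order the syntax listing gives them.
KEYWORDS = [
    "scan-target", "scan-template", "request-timeout", "ignore-session-cookies",
    "user-agent-type", "custom-user-agent",
    *[f"custom-header{i}" for i in range(10)],
    "sub-path-limit", "max-scan-time", "max-crawl-time", "max-params-limit",
    "max-file-size", "max-http-retries", "specify-urls-for-scanning",
    "follow-regex", "ignore-regex", "http-basic-authentication",
    "basic-username", "basic-password", "form-based-authentication",
    "form-based-username", "form-based-password", "form-based-auth-url",
    "username-field", "password-field", "cookie-jar-file",
    "session-check-url", "session-check-str", "data-format",
]
TOGGLE_KEYS = {"ignore-session-cookies", "specify-urls-for-scanning",
               "http-basic-authentication", "form-based-authentication"}
# Option keywords are emitted bare; every other string value is quoted.
OPTION_KEYS = TOGGLE_KEYS | {"user-agent-type"}


def quote(value) -> str:
    """Double-quote a value for the CLI, escaping backslash and double quote
    (assumed Fortinet CLI escaping convention)."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def validate(name: str, settings: dict) -> list:
    """Return every violation found; an empty list means the profile is acceptable."""
    problems = []
    if not name or len(name) > 63:
        problems.append("profile name must be 1-63 characters")
    if "scan-target" not in settings:
        problems.append("scan-target is required")
    problems += [f"unknown keyword: {k}" for k in settings if k not in KEYWORDS]
    for key in TOGGLE_KEYS:
        if key in settings and settings[key] not in ("enable", "disable"):
            problems.append(f"{key} must be enable or disable")
    if settings.get("user-agent-type", "custom") not in ("custom", "random"):
        problems.append("user-agent-type must be custom or random")
    retries = settings.get("max-http-retries", 2)  # documented default is 2
    if not (isinstance(retries, int) and 1 <= retries <= 10):
        problems.append("max-http-retries must be an integer from 1 to 10")
    if settings.get("form-based-authentication") == "enable":
        if not re.match(r"^https?://", settings.get("form-based-auth-url", "")):
            problems.append("form-based-auth-url must start with http:// or https://")
        for key in ("form-based-username", "form-based-password",
                    "username-field", "password-field"):
            if not settings.get(key):
                problems.append(f"{key} is required for form-based authentication")
    if settings.get("http-basic-authentication") == "enable":
        for key in ("basic-username", "basic-password"):
            if not settings.get(key):
                problems.append(f"{key} is required for HTTP basic authentication")
    return problems


def render(name: str, settings: dict) -> str:
    """Build the CLI block; raises ValueError listing every violation at once."""
    problems = validate(name, settings)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config wvs profile", f"    edit {quote(name)}"]
    for key in KEYWORDS:  # emit in the documented order, skipping unset keys
        if key in settings:
            value = settings[key]
            bare = isinstance(value, int) or key in OPTION_KEYS
            lines.append(f"        set {key} {value if bare else quote(value)}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("wvs-prof-1", {
        "scan-target": "www.mytestwvs.com",
        "max-http-retries": 2,
        "form-based-authentication": "enable",
        "form-based-auth-url": "https://www.mytestwvs.com/login",
        "form-based-username": "uname", "form-based-password": "pwd",
        "username-field": "scanner", "password-field": "example-password",
        "custom-header0": 'User-Agent: "FortiWeb WVS"',
    }))
```

Because `render` refuses to emit anything until every violation is listed, a batch of profiles generated for many targets fails as a whole rather than leaving a half-configured profile on the appliance; the rendered text contains the scanner's credentials, so treat it like any other secret-bearing configuration.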

Variable Description Default

"<wvs_profile_name>"

Type a unique name for the profile. The maximum length is 63 characters.

No default.

scan-target <scan-target_str>

Enter the URL that you want to scan, such as www.mytestwvs.com.

No default.

scan-template <scan-template_id>

Select an existing scan template that you want to use in the profile.

No default.

request-timeout <request-timeout_int>

Type the number of seconds for the vulnerability scanner to wait for a response from the website before it assumes that the request will not complete successfully and continues with the next request in the scan. Timed-out requests are not retried.

0

ignore-session-cookies {enable | disable}

If enabled, the scanner will ignore all session cookies sent by the target web application.

disable

user-agent-type {custom | random}

custom: When there is no user-agent in the custom headers, the actual user-agent sent is FortiWeb WVS; when a user-agent is set in the custom headers, the actual user-agent sent is the value set in custom-user-agent <custom-user-agent_str>.
random: When there is no user-agent in the custom headers, the actual user-agent sent is random; when a user-agent is set in the custom headers, the actual user-agent sent is still random.

custom

custom-user-agent <custom-user-agent_str>

Enter the custom user-agent value.

No default.

custom-header0 <custom-header0_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header1 <custom-header1_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header2 <custom-header2_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header3 <custom-header3_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header4 <custom-header4_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header5 <custom-header5_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header6 <custom-header6_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header7 <custom-header7_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header8 <custom-header8_str>

You can define the host, user agent, and other common headers in the request.

No default.

custom-header9 <custom-header9_str>

You can define the host, user agent, and other common headers in the request.

No default.

sub-path-limit <sub-path-limit_int>

Enter the maximum number of requests for the sub-paths of each URL.

75

max-scan-time <max-scan-time_int>

Enter the maximum scanning time.

120

max-crawl-time <max-crawl-time_int>

Enter the maximum crawling time (minutes).

60

max-params-limit <max-params-limit_int>

Enter the maximum number of requests for each URL and parameter set.

25

max-file-size <max-file-size_int>

Indicate the maximum file size (in bytes) that the scanner will retrieve from the remote server.

400,000

max-http-retries <max-http-retries_int>

Indicate the maximum number of retries when requesting a URL. The valid range is 1–10.

2

specify-urls-for-scanning {enable | disable}

Enable to specify the URL to be scanned.

disable

follow-regex <follow-regex_int>

follow-regex is initially .* (match everything). When crawling, do not follow links that match this regular expression.

No default.

ignore-regex <ignore-regex_int>

ignore-regex is initially an empty string (nothing is ignored). When crawling, only follow links that match this regular expression. ignore-regex takes precedence over follow-regex.

No default.

http-basic-authentication {enable | disable}

Enable the HTTP basic authentication.

disable

basic-username <basic-username_str>

Enter the username of the web application.

No default.

basic-password <basic-password_str>

Enter the password for the username.

No default.

form-based-authentication {enable | disable}

Enable form-based authentication.

disable

form-based-username <form-based-username_str>

The username parameter name, for example, "uname" if the HTML looks like <input type="text" name="uname">...

No default.

form-based-password <form-based-password_str>

The password parameter name, for example, "pwd" if the HTML looks like <input type="password" name="pwd">...

No default.

form-based-auth-url <form-based-auth-url_str>

Enter the target URL for security auditing. The URL must include the http:// or https:// scheme.

No default.

username-field <username-field_str>

Enter the username to use in the authentication process.

No default.

password-field <password-field_str>

Enter the password for the username.

No default.

cookie-jar-file <cookie-jar-file_str>

Designate a cookie jar file. The cookie jar file must be in Mozilla format.

No default.

session-check-url <session-check-url_str>

Enter the URL that the session check request is sent to.

No default.

session-check-str <session-check-url_str>

Enter a string expected in the response message. If the string is found in the response, the authentication succeeds; otherwise, the authentication is re-launched.

No default.

data-format <data-format_str>

Add extra parameters here for authentication as required by some websites, for example, %u=%U&%p=%P&security_level- 0&form-submit. The default value %u=%U&%p=%P includes the values for Username Field and Password Field.

No default.
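The form-based authentication settings above describe one loop: expand data-format into the login body (%u and %p become the form-based-username and form-based-password parameter names, %U and %P the username-field and password-field values), post it to form-based-auth-url, then fetch session-check-url and look for session-check-str, re-launching the login whenever it is missing. The Python sketch below is an added example, not FortiWeb code; it replaces the network with a constructed stand-in (FakeApp), assumes the credentials are URL-encoded in the body, and uses Python's MozillaCookieJar to show what a cookie-jar-file in Mozilla format looks like. FakeApp, scan_with_reauth and cookies_from_mozilla_jar are names of this example, not of the product.

```python
"""Walk through the form-based authentication settings of a WVS profile:
expand data-format into the login body, post it, then prove the session by
looking for session-check-str in the session-check-url response and re-launch
the login when it is absent. Added example, not FortiWeb code; the network is
replaced by the constructed FakeApp below."""
import tempfile
from http.cookiejar import MozillaCookieJar
from urllib.parse import parse_qs, quote, urlparse

DEFAULT_DATA_FORMAT = "%u=%U&%p=%P"  # documented default


def expand_data_format(fmt, user_param, pass_param, username, password):
    """%u/%p become the form parameter names (form-based-username/-password),
    %U/%P the credentials (username-field/password-field). URL-encoding the
    credentials is an assumption of this example."""
    subst = {"u": user_param, "p": pass_param,
             "U": quote(username, safe=""), "P": quote(password, safe="")}
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "%" and i + 1 < len(fmt) and fmt[i + 1] in subst:
            out.append(subst[fmt[i + 1]])
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


class FakeApp:
    """Constructed stand-in for the target site: a login form and an account page
    that only renders its Logout link for a valid session cookie."""

    def __init__(self, user, password):
        self.user, self.password, self.sessions = user, password, set()

    def post(self, url, body):
        fields = parse_qs(body)
        if (urlparse(url).path == "/login" and fields.get("uname") == [self.user]
                and fields.get("pwd") == [self.password]):
            token = f"sess-{len(self.sessions) + 1}"
            self.sessions.add(token)
            return 302, {"Set-Cookie": f"sid={token}"}, ""
        return 200, {}, "Login failed"

    def get(self, url, cookies):
        if urlparse(url).path == "/account" and cookies.get("sid") in self.sessions:
            return 200, {}, "<h1>Welcome back</h1><a href=/logout>Logout</a>"
        return 200, {}, "<form>Please log in</form>"


def authenticate(app, profile):
    """Post the expanded data-format to form-based-auth-url; return the cookies set."""
    body = expand_data_format(profile.get("data-format", DEFAULT_DATA_FORMAT),
                              profile["form-based-username"], profile["form-based-password"],
                              profile["username-field"], profile["password-field"])
    _, headers, _ = app.post(profile["form-based-auth-url"], body)
    cookies = {}
    if "Set-Cookie" in headers:
        name, value = headers["Set-Cookie"].split("=", 1)
        cookies[name] = value
    return cookies


def session_is_valid(app, profile, cookies):
    """The session counts as live only if session-check-str appears in the response."""
    _, _, text = app.get(profile["session-check-url"], cookies)
    return profile["session-check-str"] in text


def scan_with_reauth(app, profile, urls):
    """Fetch each URL, re-launching authentication whenever the session check fails.
    Returns (number of logins performed, list of response bodies)."""
    cookies, logins, bodies = {}, 0, []
    for url in urls:
        if not session_is_valid(app, profile, cookies):
            cookies = authenticate(app, profile)
            logins += 1
        bodies.append(app.get(url, cookies)[2])
    return logins, bodies


def cookies_from_mozilla_jar(text):
    """Load a cookie-jar-file in the Mozilla (Netscape) tab-separated format:
    domain, domain-flag, path, secure, expiry, name, value. Returns {name: value}."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(text)
        path = fh.name
    jar = MozillaCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=True)
    return {c.name: c.value for c in jar}
```

Choosing a session-check-str that only appears for an authenticated user (a Logout link, the account name) is what makes the check meaningful: a string present on the login page as well would never trigger re-authentication, and the rest of the scan would silently run unauthenticated.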
