Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.0 Administration Guide
    8.0.0
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    CMD Syntax-Based Detection for Command Injection (8.0.0)

    CMD Syntax-Based Detection for Command Injection (8.0.0)

    FortiWeb 8.0.0 expands its syntax-based detection capabilities with CMD Syntax Based Detection, a powerful new method for identifying command injection (CMDi) attacks that use shell commands such as ls, cat, or curl.

    Unlike traditional signature-based methods—which rely on pattern matching alone—syntax-based detection evaluates the structure and intent of shell commands. This allows FortiWeb to accurately detect obfuscated or multi-stage payloads that would otherwise evade conventional defenses, while also reducing false positives caused by benign keyword usage.

    How It Differs from Other Syntax-Based Detection

    FortiWeb already supports syntax-based detection for SQL Injection and Cross-Site Scripting (XSS). These engines are optimized for identifying malicious use of structured query language or JavaScript within request payloads.

    CMD Syntax Based Detection, in contrast, is tailored for shell command execution attempts. It focuses on detecting the misuse of command-line utilities and shell syntax—such as:

    • Command chaining (;, &&, ||)

    • Variable substitution ($cmd, $(...))

    • Obfuscation through quotes, concatenation, or escape sequences

    Why This Matters

    Attackers increasingly use sophisticated obfuscation to hide command injection attempts, for example:

    • Splitting commands into character fragments: 'c''a''t'

    • Encoding payloads or using dynamic assignment: cmd=il;k${cmd}l 888

    • Injecting command substitution within other expressions: `id` or $(whoami)

    CMD Syntax Based Detection helps security teams identify these evasive techniques and enforce stronger protections against remote command execution.

    Limitations

    CMD Syntax Based Detection in this version focuses solely on detecting shell command expressions. The following limitations apply:

    • Command arguments are not analyzed. Only the shell command itself (e.g., ls, cat, curl) is detected. Arguments passed to these commands (e.g., file paths or options) are not included in the detection logic.

      Example: 'c''a''t' /etc/pa''ss''wd — FortiWeb detects the obfuscated cat command, but not the /etc/passwd argument.

    • Full shell scripts and complex control flows are not supported. Detection does not extend to constructs such as if, for, or while statements.

    • Non-shell scripting languages are excluded. This includes interpreted languages like Python, PHP, and Node.js.

    Previous
    Next

    CMD Syntax-Based Detection for Command Injection (8.0.0)

    CMD Syntax-Based Detection for Command Injection (8.0.0)

    FortiWeb 8.0.0 expands its syntax-based detection capabilities with CMD Syntax Based Detection, a powerful new method for identifying command injection (CMDi) attacks that use shell commands such as ls, cat, or curl.

    Unlike traditional signature-based methods—which rely on pattern matching alone—syntax-based detection evaluates the structure and intent of shell commands. This allows FortiWeb to accurately detect obfuscated or multi-stage payloads that would otherwise evade conventional defenses, while also reducing false positives caused by benign keyword usage.

    How It Differs from Other Syntax-Based Detection

    FortiWeb already supports syntax-based detection for SQL Injection and Cross-Site Scripting (XSS). These engines are optimized for identifying malicious use of structured query language or JavaScript within request payloads.

    CMD Syntax Based Detection, in contrast, is tailored for shell command execution attempts. It focuses on detecting the misuse of command-line utilities and shell syntax—such as:

    • Command chaining (;, &&, ||)

    • Variable substitution ($cmd, $(...))

    • Obfuscation through quotes, concatenation, or escape sequences

    Why This Matters

    Attackers increasingly use sophisticated obfuscation to hide command injection attempts, for example:

    • Splitting commands into character fragments: 'c''a''t'

    • Encoding payloads or using dynamic assignment: cmd=il;k${cmd}l 888

    • Injecting command substitution within other expressions: `id` or $(whoami)

    CMD Syntax Based Detection helps security teams identify these evasive techniques and enforce stronger protections against remote command execution.

    Limitations

    CMD Syntax Based Detection in this version focuses solely on detecting shell command expressions. The following limitations apply:

    • Command arguments are not analyzed. Only the shell command itself (e.g., ls, cat, curl) is detected. Arguments passed to these commands (e.g., file paths or options) are not included in the detection logic.

      Example: 'c''a''t' /etc/pa''ss''wd — FortiWeb detects the obfuscated cat command, but not the /etc/passwd argument.

    • Full shell scripts and complex control flows are not supported. Detection does not extend to constructs such as if, for, or while statements.

    • Non-shell scripting languages are excluded. This includes interpreted languages like Python, PHP, and Node.js.

    Previous
    Next