
Administration Guide

WAF solutions against OWASP Top 10 risks

OWASP Top 10 risks is one of OWASP’s most well-known projects, highlighting the top ten most critical security risks to web applications. Updated periodically, it serves as a standard reference for developers and security professionals worldwide to prioritize their efforts in securing applications. The list includes common vulnerabilities like Injection (e.g., SQL, NoSQL), Broken Authentication, and Cross-Site Scripting (XSS).

FortiWeb provides comprehensive security solutions to mitigate OWASP Top 10 risks to help organizations proactively defend against threats.

  • Broken Access Control

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

Data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.

For FortiWeb's solutions against this risk, see Broken Access Control.

  • Cryptographic Failures

Also known as Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.

For FortiWeb's solutions against this risk, see Cryptographic Failures.

  • Injection

Injection is an attacker's attempt to send data to an application in a way that changes the meaning of commands being sent to an interpreter. The most common example is SQL injection, where an attacker sends “101 OR 1=1” instead of just “101”.

94% of the applications were tested for some form of injection.

For FortiWeb's solutions against this risk, see Injection.
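The “101 OR 1=1” case above, shown end to end as an added example (this is illustrative code, not FortiWeb's or OWASP's). The table, its rows, and the function names are constructed for the demo. The vulnerable lookup splices the request parameter into the SQL text, so the interpreter sees a different statement; the hardened lookup binds the value as a parameter and rejects anything that is not a plain integer before it reaches the database, which is the server-side control a WAF rule for this category sits in front of.

```python
import sqlite3


def build_db():
    """Constructed sample schema and rows (assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(101, "public report", "alice"),
         (102, "payroll", "bob"),
         (103, "hr notes", "carol")],
    )
    return conn


def lookup_vulnerable(conn, item_id):
    """'Before' pattern: the raw request parameter becomes part of the SQL text.
    Sending '101 OR 1=1' turns a single-row lookup into 'return every row'."""
    sql = f"SELECT id FROM items WHERE id = {item_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, item_id):
    """Hardened pattern: validate the type, then bind the value as a parameter.
    The database driver treats the bound value as data, never as SQL, so the
    same input cannot change the statement's meaning."""
    if not str(item_id).isdigit():
        raise ValueError("item id must be a positive integer")
    rows = conn.execute("SELECT id FROM items WHERE id = ?", (int(item_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("normal request, vulnerable code:", lookup_vulnerable(db, "101"))
    print("injected request, vulnerable code:", lookup_vulnerable(db, "101 OR 1=1"))
    print("normal request, hardened code:", lookup_safe(db, "101"))
    try:
        lookup_safe(db, "101 OR 1=1")
    except ValueError as err:
        print("injected request, hardened code: rejected,", err)
```

The point of running both side by side is to see that the hardened version does not depend on recognising the payload: it rejects the input because it is not an integer, and even an integer-looking payload could only ever be compared as a value.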

  • Insecure Design

It is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation, because the needed security controls were never created to defend against specific attacks.

A web application firewall (WAF) like FortiWeb plays a limited role in protecting against "Insecure Design". This requires you to integrate security into the early stages of software development, including threat modeling, secure design patterns, and the creation of robust security controls. Since a WAF can only mitigate some consequences of insecure design rather than the root cause, this guide will not discuss this risk in detail.

  • Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This can happen at any level of an application stack, including network services, platforms, web servers, database servers, and custom code. Regularly updating and patching systems, along with thorough configuration of a web application firewall, can mitigate such vulnerabilities.

FortiWeb provides several features specifically designed to mitigate the risks associated with Security Misconfiguration, offering an additional layer of defense when server or application configurations are incomplete or insecure.

For FortiWeb's solutions against this risk, see Security Misconfiguration.

  • Vulnerable and Outdated Components

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Application security best practices, including regular scanning for vulnerabilities and patching, are critical here.

FortiWeb provides a Vulnerability Scanning feature that helps identify known vulnerabilities in your web servers and web applications. This feature is essential for detecting and addressing issues related to Vulnerable and Outdated Components, one of the OWASP Top 10 security risks. By performing regular scans, FortiWeb helps ensure that your web applications remain secure and compliant with industry standards.

For FortiWeb's solutions against this risk, see Vulnerable and Outdated Components.

  • Identification and Authentication Failures

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users’ data, and changing access rights.

FortiWeb addresses Identification and Authentication Failures by offering features that enforce strong authentication mechanisms, protect user sessions, and validate user identities.

For FortiWeb's solutions against this risk, see Identification and Authentication Failures.

  • Software and Data Integrity Failures

It is a new category for 2021, focusing on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity. This category carries one of the highest weighted impacts in the Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to its 10 CWEs. A8:2017-Insecure Deserialization is now a part of this larger category.

Since these failures are primarily server-side issues, FortiWeb cannot directly prevent them. Organizations should implement code-signing, integrity checks, and secure CI/CD practices to fully address this issue.

  • Security Logging and Monitoring Failures

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

FortiWeb provides robust features to address Security Logging and Monitoring Failures, ensuring that web applications have comprehensive logging and monitoring mechanisms in place. These features help detect and respond to potential security incidents promptly, reducing the risk of attackers going unnoticed while they exploit vulnerabilities, maintain persistence, or tamper with data.

For FortiWeb's solutions against this risk, see Security Logging and Monitoring Failures.

  • Server-Side Request Forgery

SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even when it is protected by a firewall, VPN, or another type of network access control list (ACL).

As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.

FortiWeb offers specific features to protect against Server-Side Request Forgery (SSRF) by detecting and blocking malicious server-side requests and sanitizing user inputs to prevent the injection of dangerous payloads. These measures help prevent attackers from exploiting SSRF vulnerabilities to access unauthorized internal or external resources.

For FortiWeb's solutions against this risk, see Server-Side Request Forgery.
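The validation step the SSRF paragraphs describe as missing, written out as an added example (illustrative code, not FortiWeb's or OWASP's). The allowlist of hosts, the schemes, and the `resolver` hook are assumptions for the demo; the resolver is injectable so the check runs offline and can be exercised against constructed addresses. The validator refuses anything that is not on the allowlist and then resolves the name and refuses private, loopback, link-local, multicast, reserved or unspecified destinations, so a permitted hostname that happens to resolve inward is still rejected.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for the demo: the application is only ever meant to
# fetch images from these two hosts over HTTPS.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_address(ip_text):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolver=socket.gethostbyname):
    """Return (ok, detail). On success detail is the resolved address the
    fetch should connect to; on failure it names the rejected property.
    `resolver` is injectable (assumption for the demo) so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    # Resolve before connecting and check the actual destination: an allowlisted
    # name could be pointed at an internal address by whoever controls its DNS.
    try:
        address = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not is_public_address(address):
        return False, "resolves to non-public address"
    return True, address


if __name__ == "__main__":
    # Fake resolver with constructed answers so the demo does not touch the network.
    fake_dns = {"images.example.com": "93.184.216.34", "cdn.example.com": "10.0.0.5"}
    for candidate in ("https://images.example.com/logo.png",
                      "http://images.example.com/logo.png",
                      "https://cdn.example.com/logo.png",
                      "https://10.0.0.5/",
                      "https://user:pw@images.example.com/"):
        print(candidate, "->", validate_fetch_url(candidate, resolver=fake_dns.__getitem__))
```

The resolved address returned on success is meant to be the one the HTTP client actually connects to (with the hostname supplied separately for TLS and the Host header); resolving once in the validator and then letting the client resolve again reopens the window that the second lookup could return a different, internal address. Redirects from the fetched resource need the same check on every hop.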