
WAF Solutions against OWASP Top 10 Risks

7.6.3

Mitigating Injection attacks: A focused case study on Reflected XSS

Injection attacks are a type of security vulnerability where an attacker can insert or "inject" malicious code or commands into an application, typically through user input. FortiWeb can protect against various injection attacks including malicious code, SQL injection, cross-site scripting (XSS), path traversal, etc. In this scenario, we take a Reflected XSS attack as a case study to illustrate the related FortiWeb features.

Reflected XSS Attacks

The website’s search function reflects user input in the search results page without proper sanitization. An attacker crafts a malicious URL with a script in the search query, which executes when the URL is visited.

  • The attacker identifies that the website’s search function reflects user input in the search results page without proper sanitization. For example:

    • A legitimate search query: laptops

    • Resulting HTML: <h1>Results for your search: laptops</h1>

  • The attacker crafts a malicious URL with a script embedded in the search query. Instead of a normal search term, the attacker uses a script:

    • Malicious search query: <script>alert('XSS')</script>

    • Resulting URL: https://example.com/search?q=<script>alert('XSS')</script>

  • The attacker exploits social engineering or other vulnerabilities to get a user to visit this malicious URL. When the user visits the malicious URL, the search query containing the script is reflected in the page’s HTML without proper sanitization. The resulting HTML might look like this:

    <h1>Results for your search: <script>alert('XSS')</script></h1>

  • When the page is rendered by the browser, the embedded script executes, showing an alert box.

This is a simple demonstration, but in a real attack the script could do anything from stealing cookies or capturing keystrokes to performing actions on behalf of the user without their consent. This type of attack is known as Reflected XSS.

How to prevent the attack

FortiWeb provides the following features to detect and block injection attacks. Injections can be detected by a signature library, by analysis of the request's syntax, and by a machine learning model.

  • Signature

    The Signature module uses a signature library to block attacks that match specific characteristics, such as malicious code, SQL injection, cross-site scripting (XSS), path traversal, etc. The signature library is regularly updated to continuously improve known attack signatures.

  • SQL/XSS Syntax-based detection

    FortiWeb's syntax-based SQL/XSS Injection detection analyzes the syntax of the parameters, cookies, HTTP headers, etc. It uses lexical analysis and HTML/JavaScript syntax parsing to check whether the request is an injection. At the same time, it compiles suspicious JavaScript and checks the compiled result, which prevents attackers from obfuscating XSS code to bypass the signature-based XSS Injection detection.

  • Machine Learning based Anomaly Detection

    The ML based Anomaly Detection builds up a machine learning model to observe the URLs, parameters, and HTTP Method of HTTP and/or HTTPS sessions passing to your web servers. It can effectively filter out traffic with abnormal parameter values.
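The difference between the signature and syntax-based approaches above can be seen in a small model of each. The following is an added example, not FortiWeb code and not a description of its internal engine: it runs a deliberately naive, case-sensitive signature beside an HTML-parser check over constructed sample requests, and scans the same request elements the Scan Target list later in this page names (parameter value, cookie, User-Agent). The parser handles tag-case variations and inline event handlers that the literal signature misses, which is the point the paragraph makes about obfuscation.

```python
import re
from html.parser import HTMLParser

# Constructed sample requests (not captured traffic). Each dict holds the request
# elements a WAF scan target would cover: a parameter value, a cookie and headers.
SAMPLE_REQUESTS = [
    {"q": "laptops", "Cookie": "session=abc123", "User-Agent": "Mozilla/5.0"},
    {"q": "<script>alert('XSS')</script>", "Cookie": "session=abc123", "User-Agent": "Mozilla/5.0"},
    {"q": "<SCRIPT>alert('XSS')</SCRIPT>", "Cookie": "session=abc123", "User-Agent": "Mozilla/5.0"},
    {"q": "<img src=x onerror=alert(1)>", "Cookie": "session=abc123", "User-Agent": "Mozilla/5.0"},
    {"q": "laptops", "Cookie": "session=abc123", "User-Agent": "<script>alert(1)</script>"},
]

# A deliberately naive, case-sensitive literal signature, standing in for the
# kind of pattern a signature library might hold (an assumption for illustration).
NAIVE_SIGNATURE = re.compile(r"<script>")


def signature_match(value: str) -> bool:
    """Signature-style check: does the literal pattern occur in the value?"""
    return NAIVE_SIGNATURE.search(value) is not None


class _MarkupScanner(HTMLParser):
    """Syntax-style check: parse the value as HTML and record constructs that
    would execute script. HTMLParser lowercases tag and attribute names, so
    case variations are normalized by the parser rather than by the pattern."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")


def syntax_findings(value: str) -> list[str]:
    """Return the script-bearing constructs found when the value is parsed as HTML."""
    scanner = _MarkupScanner()
    scanner.feed(value)
    scanner.close()
    return scanner.findings


def scan_request(request: dict) -> dict:
    """Apply the syntax check to every scan target; map target name -> findings."""
    hits = {}
    for target, value in request.items():
        findings = syntax_findings(value)
        if findings:
            hits[target] = findings
    return hits


def compare(requests=SAMPLE_REQUESTS):
    """Side-by-side result per request: (signature verdict on q, syntax findings)."""
    return [(signature_match(r["q"]), scan_request(r)) for r in requests]


if __name__ == "__main__":
    for verdict, hits in compare():
        print(f"signature={str(verdict):5} syntax={hits}")
```

Running it shows the literal signature flagging only the exact-case payload, while the parser reports the upper-case variant, the event-handler attribute, and the payload carried in the User-Agent header. A production engine does far more (JavaScript compilation, many more constructs), but the reason a syntax layer complements a signature library is already visible here.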

Enabling Cross Site Scripting detection in a Signature policy

Enable Cross Site Scripting and Cross Site Scripting (Extended) in a Signature policy to prevent a variety of cross-site scripting (XSS) attacks. For more information on this feature, see Blocking known attacks.

  1. Go to Web Protection > Known Attacks > Signatures.
  2. Click Create New.
  3. Configure the basic settings:
    Name

    Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Sensitivity Level

    A higher number means more signatures are included.

    Please note that increasing the level adds additional signatures but also adds the chance of blocking legitimate traffic.

  4. There are several signature categories. Enable at least Cross Site Scripting and Cross Site Scripting (Extended).
    Cross Site Scripting

    Enable to prevent a variety of cross-site scripting (XSS) attacks, such as some varieties of CSRF (cross-site request forgery).

    All of this attack’s signatures are automatically enabled when you enable detection. To disable a specific signature, click the blue arrow to expand the list, then clear that signature’s check box.

    Attack log messages contain Cross Site Scripting and the subtype and signature ID (for example, Cross Site Scripting : Signature ID 010000063) when this feature detects a possible attack.

    Cross Site Scripting (Extended)

    Enable to prevent a variety of XSS attacks.

    Unlike Cross Site Scripting, the extended signatures are more likely to cause false positives. However, they may be necessary in specific, high-security data centers. If a particular signature causes false positives, you can disable that signature individually and, if needed, configure a custom attack signature that does not.

  5. Set the action to Alert & Deny.
  6. Click OK.

Configuring SQL/XSS Syntax-based Detection

Enable XSS Syntax Based Detection to detect XSS injection by analyzing the HTML/JavaScript syntax. It parses the HTML document, compiles the JavaScript, and checks whether the compiled result contains valid HTML and JavaScript code. For more information on this feature, see Syntax-based SQL/XSS injection detection.

  1. Go to Web Protection > Advanced Protection > SQL/XSS Syntax Based Detection.
  2. Click Create New.
  3. Configure these settings.

    Name

    Type a name that can be referenced by other parts of the configuration.

    Scan Target

    Click the icon to select the elements in the request that you want FortiWeb to scan:

    • Parameter Name

    • Parameter Value

    • Request Cookie

    • Request User-Agent

    • Request Referer

    • Other Request Header

    Status

    Click to enable or disable the attack type detection for this rule.

    Action

    Select Alert & Deny.

    Severity

    Select High.

    Threat Weight

    Set the weight for the threat by dragging the bar. The threat score is calculated by Client Management. The client exceeding the threat score will be blocked.

    Trigger Action

    In each row, select which trigger, if any, the FortiWeb appliance uses when it logs and/or sends an alert email about a violation of each rule. For details, see Viewing log messages.

    SQL Syntax Based Detection

    Configure to prevent a variety of SQL injection attacks.

    The syntax-based SQL detection approach uses lexical analysis to verify whether requests are true SQL Injection attacks. This virtually eliminates SQL Injection false positives and false negatives.

    XSS Syntax Based Detection

    Configure to prevent XSS injection attacks.

    The syntax-based XSS detection approach detects an XSS injection attack by analyzing the HTML/JavaScript syntax. It parses the HTML document, compiles the JavaScript, and checks whether the compiled result contains valid HTML and JavaScript code.

  4. Click OK.

Configuring ML based Anomaly Detection

FortiWeb uses a machine learning model to analyze the parameters in your domain and decide whether a parameter value is legitimate. The model is built from a large number of parameter value samples collected from real requests to the domain. For more information on this feature, see ML Based Anomaly Detection.

  1. Go to Policy > Server Policy.
  2. Select an existing server policy.
    Please note that the machine learning policies can't be created during the server policy creation process. You should first create a server policy, then click its Edit button to create a machine learning policy.
  3. Scroll down to the Machine Learning section at the bottom of the page, click the Anomaly Detection tab, then click Create. The New Anomaly Detection dialog opens.
  4. Enter "www.example.com" in the Domain field, so that the system collects samples and builds a machine learning model to protect that domain.
  5. Click OK.
  6. Go to Web Protection > ML Based Anomaly Detection.
  7. Double-click the server policy that contains the desired anomaly detection policy (or highlight it and then click the Edit button at the top of the page) to open it. The Edit Anomaly Detection Configuration page opens, which breaks the anomaly detection policy down into several sections, each with parameters you can use to configure the policy.
  8. Set the Action to Alert & Deny.
  9. Configure additional settings as needed.
  10. Click OK.
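To make concrete what "building a model from parameter value samples" means, here is an added, deliberately simplified example; it is not FortiWeb's model and makes no claim about how the product learns. It assumes a baseline per parameter consisting of a length ceiling and the set of character classes observed in constructed training samples, then scores new values against that baseline. The payload from the scenario above is flagged on two counts (length and never-seen characters), while ordinary search terms pass.

```python
# Constructed training samples: parameter values seen in legitimate requests to
# the search endpoint of a hypothetical domain (not real collected traffic).
TRAINING_SAMPLES = {
    "q": ["laptops", "gaming laptop", "usb-c hub", "4k monitor",
          "wireless mouse", "ssd 1tb", "hdmi cable"],
    "page": ["1", "2", "3", "10", "12"],
}


def char_class(ch: str) -> str:
    """Map a character to a coarse class. Punctuation keeps its identity, so a
    '-' seen during learning does not make '<' or '(' look familiar."""
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    return f"punct:{ch}"


class ParameterProfile:
    """Baseline for one parameter: a length ceiling derived from the longest
    sample (with 50% slack, an assumed tolerance) and the set of character
    classes ever observed for that parameter."""

    def __init__(self, samples):
        longest = max(len(s) for s in samples)
        self.max_len = int(longest * 1.5) + 1
        self.classes = {char_class(c) for s in samples for c in s}

    def reasons(self, value: str) -> list[str]:
        """Return the ways a value deviates from the baseline ([] if none)."""
        out = []
        if len(value) > self.max_len:
            out.append("length exceeds baseline")
        unseen = {char_class(c) for c in value} - self.classes
        if unseen:
            out.append("unseen character classes: " + ", ".join(sorted(unseen)))
        return out


def build_model(samples_by_param: dict) -> dict:
    """Learning phase: one profile per parameter name."""
    return {name: ParameterProfile(values) for name, values in samples_by_param.items()}


def evaluate(model: dict, params: dict) -> dict:
    """Detection phase: map each anomalous parameter to its reasons; {} means clean."""
    anomalies = {}
    for name, value in params.items():
        profile = model.get(name)
        if profile is None:
            anomalies[name] = ["parameter not seen during learning"]
        elif reasons := profile.reasons(value):
            anomalies[name] = reasons
    return anomalies


if __name__ == "__main__":
    model = build_model(TRAINING_SAMPLES)
    for request in ({"q": "laptops", "page": "2"},
                    {"q": "<script>alert('XSS')</script>"},
                    {"page": "abc"}):
        print(request, "->", evaluate(model, request) or "clean")
```

The design choice worth noting is the learning/detection split: the baseline is derived only from traffic observed during the collection period, which is why the procedure above has you enter the domain first and why a sample set that already contains attacks would poison the model.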

Next step

Apply the security rules to a web protection profile and then reference the profile in a server policy. See:

Make sure to enable Client Management in Policy > Web Protection Profile.

Additional practices to prevent Reflected XSS

In addition to configuring security rules on FortiWeb, it is highly recommended to review the settings of your application servers as well.

Input Sanitization and Validation

Ensure that all user inputs are properly sanitized and validated before reflecting them in the HTML output. This involves:

  • Escaping: Convert special characters to their HTML entity equivalents. For example, < becomes &lt; and > becomes &gt;.

  • Validation: Only allow expected input formats (e.g., alphanumeric for search terms).
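The two practices above applied to the search page from the scenario, as an added example (not code from the original page or from any Fortinet product): the vulnerable handler reflects the raw query exactly as the scenario's HTML shows, the hardened handler escapes it with the standard library and rejects anything that is not a short alphanumeric phrase. The URLs and the `SEARCH_TERM` allow-list are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed inputs: the legitimate and malicious URLs from the scenario.
LEGITIMATE_URL = "https://example.com/search?q=laptops"
MALICIOUS_URL = "https://example.com/search?q=<script>alert('XSS')</script>"


def query_param(url: str, name: str) -> str:
    """Extract a single query parameter value ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflects the raw query into HTML: this is the defect the scenario describes."""
    return f"<h1>Results for your search: {q}</h1>"


def render_escaped(q: str) -> str:
    """Output encoding: HTML-significant characters become entities (< to &lt;,
    > to &gt;, quotes to &quot;/&#x27;), so the browser treats the query as text."""
    return f"<h1>Results for your search: {html.escape(q, quote=True)}</h1>"


# Allow-list for search terms: letters, digits and spaces, 1 to 64 characters.
# The exact shape is an assumption; choose what the application really needs.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 ]{1,64}")


def validate_search_term(q: str) -> bool:
    """Validation: accept only the expected input format, reject everything else."""
    return SEARCH_TERM.fullmatch(q) is not None


def handle_search(url: str) -> tuple[int, str]:
    """Hardened handler: validate first, then escape whatever is echoed back."""
    q = query_param(url, "q")
    if not validate_search_term(q):
        return 400, "<h1>Invalid search term</h1>"
    return 200, render_escaped(q)


if __name__ == "__main__":
    payload = query_param(MALICIOUS_URL, "q")
    print("vulnerable:", render_vulnerable(payload))
    print("escaped:   ", render_escaped(payload))
    print("hardened:  ", handle_search(MALICIOUS_URL))
    print("hardened:  ", handle_search(LEGITIMATE_URL))
```

Escaping and validation are independent layers: escaping alone already neutralizes the payload in this HTML context, and validation alone would reject it, but a value that is legitimately allowed to contain `<` (a product description, say) can only be protected by context-appropriate escaping, which is why the escape call stays even after validation.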

Content Security Policy (CSP)

Implement a robust Content Security Policy to restrict the sources from which scripts can be executed. This can help mitigate the impact of an XSS vulnerability.
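What a "robust" policy looks like for this page, as an added example (not from the original page): a nonce-based `script-src` is generated per response, so a script reflected into the HTML without the nonce is not executed even if escaping was missed somewhere. The example also includes a small policy parser that answers the question a reviewer asks of an existing header: could an un-nonced inline script run under it? The directive set and the `render_page` template are assumptions for illustration.

```python
import base64
import secrets

# Source expressions that, when present, cause browsers to ignore 'unsafe-inline'.
_NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def new_nonce() -> str:
    """Fresh, unguessable per-response nonce (128 bits, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def build_csp(nonce: str) -> str:
    """Policy: only scripts carrying this response's nonce run; no plugins,
    no base-tag hijacking, no framing. 'strict-dynamic' lets nonced scripts
    load their own dependencies without host allow-lists."""
    directives = {
        "default-src": ["'self'"],
        "script-src": [f"'nonce-{nonce}'", "'strict-dynamic'"],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "frame-ancestors": ["'none'"],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_script_allowed(header: str) -> bool:
    """True if an inline <script> with no nonce or hash could execute.
    script-src falls back to default-src when absent; 'unsafe-inline' is
    ignored by CSP2+ browsers whenever a nonce or hash is also listed."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" not in sources:
        return False
    return not any(s.startswith(_NONCE_OR_HASH_PREFIXES) for s in sources)


def render_page(nonce: str, query_html: str) -> str:
    """The search results page with the application's own script nonced.
    query_html is expected to be already escaped; the nonce is what stops a
    reflected <script> from running if that escaping is ever missed."""
    return (f'<script nonce="{nonce}">initSearch();</script>\n'
            f"<h1>Results for your search: {query_html}</h1>")


def search_response(query_html: str) -> tuple[dict, str]:
    """Headers and body for one response, sharing a single nonce."""
    nonce = new_nonce()
    headers = {"Content-Security-Policy": build_csp(nonce),
               "Content-Type": "text/html; charset=utf-8"}
    return headers, render_page(nonce, query_html)


if __name__ == "__main__":
    headers, body = search_response("laptops")
    print(headers["Content-Security-Policy"])
    print(body)
    print("inline allowed:", inline_script_allowed(headers["Content-Security-Policy"]))
```

When reviewing an existing application, run `inline_script_allowed` over the header it actually sends: a policy such as `script-src 'self' 'unsafe-inline'` is common and provides no protection against reflected script, whereas the nonce-based policy above does, provided the nonce is regenerated on every response and never embedded in a cached page.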

By following these steps and leveraging FortiWeb’s capabilities, you can effectively mitigate the risk of injection attacks.
