Lab 2 - Machine Learning-AD - FortiWeb-Cloud Workshop

FortWeb as a Service Machine Learning - Anomaly Detection

Introduction

Machine learning that automatically and continuously models your application and eliminates manual tuning.

Especially useful for businesses that don't have a web application security specialist.

1. Setup

After you login you will see the Applications view

Click on your Web# in this example Web1, this will open you Application Dashboard.

Notice During the onboarding exercise we set the Site in Blocking Mode.

When you set the site to Blocking Mode during the onboarding, this enables DDoS Prevention, we need to disable this before we do the Machine Learning Anomaly Detection.
Navigate to the DDOS PREVENTION menu

Toggle the DDoS Prevention to OFF and Save

Navigate to the BOT MITIGATION menu

Toggle the Known Bad Bots to OFF and Save

Check Machine Learning Anomaly Detection is enabled
Navigate to the ADD MODULES menu

Enable Application Delivery -> Rewriting Request.

From within the Application Delivery - Rewriting Request, the X-Forwarded-For http header needs to be enabled for this lab exercise to allow ML-AD to build the model. FortiWeb-Cloud prevents the pollution of the learning model, by only allowing 30 unique requests per IP address for model building.

This is not best practice, but required for the Lab only!

2. ML - Anomaly Detection

Click on Overview
This will be empty

Click on TreeView
This will be empty

Your environment is now ready to build the ML-AD

3. ML- Building

Log into your webserver with SSH from your laptop on port 2222.
Replace # with your your assigned attendee number.
The password is fortinet

ssh -p 2222 user#@stepstone.fortiworkshop.nl

Run the following command to start traffic generator tool.

ml-ad-simulator

The traffic generator tool will provide you with some menu options.

Select option 1, to send 3000 reguests to your website

Go back to the FWBaaS GUI and look at the TreeView
FWBaaS is now collcting data to build the ML-AD model.

Refresh and you will see FWBaaS model building

At the end of the script, FWBaaS will move the parameters it learned into Running mode.

4. Testing

Access your website https://www#.fortiworkshop.nl/fwb/index.html (replace # with your attendee number)

Attack the page using an attack pattern from the list at the bottom of this page.

Note Some of these may no longer be unknown attacks.

Example attack

The attack is blocked

The Attack Log is now under Threat Analytics

The Attack Log is now displayed.

Expand the error by clicking down arrow

You can see the attack was blocked by Machine Learning

More detail on the attack be found by expanding the data packet detail

This workshop is now complete.

5. Sample Attacks

Example manual tests (Command Injection, XSS, SQL, Format strings, and Zero-day)

Command injection
    * /%3F%3F%3F/1%3F - /???/1?
    * C;~/r.sh- c;~/r.sh

SQLi
    * 24-1EwfJWguQV
    * A%20’DIV’%20B – A ‘DIV’ B

Cross Site Scripting
    * Window%20\[‘ale’+’rt’](1) = window ‘aler’+’rt’](1)
    * 1%5D%3Ba%3Deval%3b%3Dalert%3Ba(b(17))%3B%2F%2F – 1];a=eval;b=alert;a(b(17));//
    * ___=1%3F’ert(123)’:0,%20_20=1%3F’al’:0.%20__=1%3F’ev’:0.%20k=window,%20[__%2B_](_%2B___) - ___=1?’ert(123)’:0, _=1?’al’:0, __=1?’e’

Format string attacks
    * %X%X%X%X%X%X%X%X%X%X - %X%X%X%X%X%X%X%X%X%X
    * %p%P%P%P%P%P%P%P%P%P%P - %P%P%P%P%PP%P%P%P%PO

Zero-day attacks for Machine Learning
    * Zero-day Remote Exploit         = %X%X%X%X%X%X%X%X%X%X - %X%X%X%X%X%X%X%X%X%X
    * Zero-day SQLinjection (SQLi)    = abc;$compress_message%253dgzcompress("hack%2520message",%252012)