FortiWeb-Cloud Vulnerability Scanning Lab

Introduction

The Vulnerability Scan module helps identify OWASP Top 10 flaws in web applications. You can get a comprehensive report with remediation recommendations to protect your web applications.

You now have the option to subscribe to the Vulnerability Scan service with a monthly plan on AWS, Azure, and Google Cloud.

By default, the Vulnerability Scan report is based on your current WAF configuration. It highlights the vulnerabilities that are still exposed to attackers given the existing configuration so that you can fine-tune the WAF settings to strengthen the security.

However, if you want to check the vulnerabilities that would be exposed if the protection from FortiWeb Cloud were off, you can enable the Bypass WAF option at the top right corner of the Vulnerability Scan page.

Note: This option is only available when Advanced Configuration is switched on in the Global settings.


1. Launching the Vulnerability Scan

Log in to FortiWeb-Cloud with the credentials provided. From within your application, select VULNERABILITY SCAN.

  • To create the scan, select Create New.

  • Check that the application name and port are correct. The port should be 443.

  • Configure the scan by selecting the Gear icon.

  • The Gear icon will open the FortiDAST portal, from where you can configure your scan.

2. Configuring the Scan

  • The scan is automatically authorized through the integration with FortiWeb-Cloud.

  • Click the OK button and you will see that the site has been authorized.

Note: If you do not configure the scan correctly, the application may be scanned fully. Configuring the scan is covered in the FortiDAST Workshop.

3. Running the Scan

  • The scan is run by selecting the Play icon within FortiWeb-Cloud.

Note: The scan can only be run after the application has been authorized.

4. Reviewing the scan

  • The scan results are reviewed by clicking on the Reports icon.

  • This will open the FortiDAST console.

  • From the FortiDAST console you can generate the reports.

  • To see the Vulnerabilities within the GUI, click the Vulnerabilities tab.

  • You can review the scan results.

Deleting the Scan

  • FortiWeb Cloud allows a scan to be deleted. How you purchase the Vulnerability Scan affects billing and may require you to stop and delete the scan.

Billing

  • There are two ways to purchase Vulnerability scanning:

    • By SKUs, as annual or multi-year contracts.

    • From cloud marketplaces.

      • The billing cycle for Vulnerability Scan occurs monthly, and you will be charged on the date you initially add an application and subsequently on the same date each month. For instance, if you add an application on May 1st, your next billing date will be June 1st. If you happen to remove the application on May 15th and then re-add it on May 20th, you will be charged once at the time of re-adding the application. Following this, your next billing date will be on June 20th.
  • NOTE: Vulnerability Scan seats are non-transferable. Removing applications does not open a seat in your contract that can be replaced with a different application.

API Scanning

  • Applications with APIs can also be scanned with the Vulnerability Scan.

  • Can you complete this scan?

  • Tip: Setting up the scan is identical to setting up the web vulnerability scan. However, you need to configure the scan details within FortiDAST. Remember to configure the API settings ;-)
  • You can do it!