FortiWeb-Cloud WAFaaS - Known Attacks Prevention

Introduction

FortiWeb Cloud defends against OWASP Top 10 attacks such as cross-site scripting (XSS), SQL injection, generic attacks, known exploits and Trojans using continuously updated signatures. FortiWeb Cloud parses the messages in each packet, compares them with the signatures, and takes the configured action on matching packets.

Known Attacks is enabled by default after you add an application.

For Signature Based Detection, you can use attack signatures to detect application layer attacks that try to exploit a known web vulnerability.

Configure these settings:

  • Cross Site Scripting: Enable to prevent a variety of cross-site scripting (XSS) attacks, such as varieties of CSRF (cross-site request forgery).
  • SQL Injection: Enable to prevent SQL injection attacks, such as blind SQL injection.
  • Generic Attacks: Enable to prevent other common attacks, including a variety of injection threats that do not use SQL, such as local file inclusion (LFI) and remote file inclusion (RFI).
  • Known Exploits: Enable to prevent known exploits.
  • Trojans: Enable to prevent malware attacks and prevent access to a Webshell located on the server.

The goal of this exercise is to use Signature Based Detection to block multiple known web attacks, and then to see how easily false positives can be tuned by creating Signature Exceptions from the Attack Log.

1. Verification

  • Global > Applications > select your application Web# (# equals your attendee number) > ADD MODULES

  • Check if Known Attacks module is ON

  • Save

2. Configuration

  • Select Known Attacks module.

  • Check that all Signature Based Detection categories are ON.

  • Save

Note: Sensitivity Level is set to Level 1 by default. This means the fewest signatures are matched, which is suitable for PoCs. For PenTests, however, set the Sensitivity Level to the maximum of 4, which enables all signatures and should therefore prevent attacks from getting through.

3. Test

Send the following inputs to your application page, in this order, by browsing to https://wwwXX.fortiworkshop.nl/<input>:

  • SQL injection: https://wwwXX.fortiworkshop.nl/?p=1 or 1=1

  • XSS: https://wwwXX.fortiworkshop.nl/?p=<script>Alert("HACK")<\script>

  • Command Injection: https://wwwXX.fortiworkshop.nl/?p=cmd.exe

  • Known Exploits: https://wwwXX.fortiworkshop.nl/?wp-verify-link=test

  • Trojan: https://wwwXX.fortiworkshop.nl/?act=encoder

Each request should be denied by Known Attacks detection.

4. Attack logging

  • FortiWeb-Cloud Attack Logs are now viewed within Threat Analytics.

Threat Analytics

AI-based Threat Analytics Help Zoom In on the Most Important Threats

  • Security analysts face a rapidly evolving threat landscape that can overwhelm them with security alerts. Threat actors continue to launch increasingly sophisticated attack campaigns that leverage new attack frameworks, vast botnets, and new vulnerabilities. The situation facing the security analyst becomes even more challenging as their organizations move more applications to the cloud, and those applications increasingly deliver critical line of business capabilities. As the attack surface for applications continues its rapid evolution and expansion, security analysts need better tools to keep up with the growing volume of alerts generated by their security tools.
    • Key Benefits
      • Simplifies threat detection and response
      • Speeds up security alerts investigation
      • Helps analysts focus on the most important threats
      • Insights provide suggestions to harden security based on findings
      • Ingests events from across your entire hybrid cloud environments
      • Alleviates alert fatigue
  • For more information about Threat Analytics please review the datasheet.

  • Threat Analytics is accessed via the FortiWeb-Cloud portal; the Attack Logs are found there.

  • Check Client IP address of each attack (should be yours).

Note: Adding FortiWeb Gateways is covered within the FortiWeb Machine Learning Workshop.

5. FortiView

  • FORTIVIEW > Threat by Type.

  • Drill Down on Known Attacks or SQL/XSS Syntax Based Detection threat category.

  • Check Sources/Countries/Methods/URLs.

6. False Positive tuning

Create exceptions from the Attack Log to tune false positives.
(Be aware that you might need more than one exception rule, because multiple signatures can match the same attack.)

  • LOGS > Attack Logs > open each type of "Known Attacks" message.

  • SQL injection

    • Check the Matched Pattern by clicking Packet Details
    • Add Exception
    • OK
    • Resend the attack https://wwwXX.fortiworkshop.nl/?p=1 or 1=1

You should be allowed due to the matching exception you created.

  • XSS
    • Check the Matched Pattern by clicking Packet Details
    • Add Exception
    • OK
    • Resend the attack https://wwwXX.fortiworkshop.nl/?p=<script>

The request should now be allowed because it matches the exception you created.

  • Command Injection
    • Check the Matched Pattern by clicking Packet Details
    • Add Exception
    • OK
    • Resend the attack https://wwwXX.fortiworkshop.nl/?p=cmd.exe

The request should now be allowed because it matches the exception you created.

  • Known Exploits
    • Check the Matched Pattern by clicking Packet Details
    • Add Exception
    • OK
    • Resend the attack https://wwwXX.fortiworkshop.nl/?wp-verify-link=test

The request should now be allowed because it matches the exception you created.

  • Trojan
    • Check the Matched Pattern by clicking Packet Details
    • Add Exception
    • OK
    • Resend the attack https://wwwXX.fortiworkshop.nl/?act=encoder

The request should now be allowed because it matches the exception you created.
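The two behaviours this lab relies on, Sensitivity Level gating which signatures are active (section 2 note) and one request matching several signatures so that a single exception is not always enough (section 6 note), are easier to reason about with a small model. The following is an added example written for this page, not FortiWeb code: the signature IDs, regex patterns, level assignments and the "exception = (signature ID, URL path)" scoping are all constructed assumptions that mimic the "Add Exception" workflow from the attack log, and the query strings are the lab's own test inputs.

```python
"""Toy model of Known Attacks signature matching with Sensitivity Levels and
signature exceptions. Constructed for this workshop page; it is not FortiWeb
code and its signature IDs, patterns and level assignments are invented."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Signature:
    sig_id: str      # constructed label, not a real FortiWeb signature ID
    category: str    # Known Attacks category the signature belongs to
    pattern: str     # regex run over the URL-decoded query string
    min_level: int   # lowest Sensitivity Level that activates it (assumed model)


# Constructed signature set covering the five lab inputs. The two SQL injection
# signatures overlap on purpose: SQLI-002 only wakes up at Level 3 and above.
SIGNATURES = (
    Signature("SQLI-001", "SQL Injection", r"\bor\b\s+\d+\s*=\s*\d+", 1),
    Signature("SQLI-002", "SQL Injection", r"\b(or|and)\b\s+\S+\s*=", 3),
    Signature("XSS-001", "Cross Site Scripting", r"<\s*script\b", 1),
    Signature("GEN-001", "Generic Attacks", r"\bcmd\.exe\b", 1),
    Signature("EXP-001", "Known Exploits", r"\bwp-verify-link=", 1),
    Signature("TRJ-001", "Trojans", r"\bact=encoder\b", 1),
)


@dataclass
class KnownAttacksPolicy:
    sensitivity_level: int = 1                    # lab default is Level 1
    exceptions: set = field(default_factory=set)  # (sig_id, url_path) pairs

    def add_exception(self, sig_id, url_path):
        """Mirror 'Add Exception' from the attack log: that one signature is
        skipped for that URL only; every other signature still applies."""
        self.exceptions.add((sig_id, url_path))

    def evaluate(self, url_path, query_string):
        """Return the verdict for one request: which active signatures matched,
        which matches were suppressed by an exception, and the resulting action."""
        decoded = unquote_plus(query_string)  # browsers send %20 / + for spaces
        matched, excepted = [], []
        for sig in SIGNATURES:
            if sig.min_level > self.sensitivity_level:
                continue  # signature is not active at this Sensitivity Level
            if re.search(sig.pattern, decoded, re.IGNORECASE):
                if (sig.sig_id, url_path) in self.exceptions:
                    excepted.append(sig.sig_id)
                else:
                    matched.append(sig.sig_id)
        return {"action": "deny" if matched else "allow",
                "matched": matched, "excepted": excepted}


def tune_false_positive(policy, url_path, query_string):
    """Replay the lab's tuning loop: read the log, add an exception for the
    signature that fired, resend, repeat until the request is allowed.
    Returns the list of exceptions that were needed."""
    added = []
    while True:
        verdict = policy.evaluate(url_path, query_string)
        if verdict["action"] == "allow":
            return added
        sig_id = verdict["matched"][0]
        policy.add_exception(sig_id, url_path)
        added.append(sig_id)


if __name__ == "__main__":
    lab_inputs = {  # constructed from the lab's section 3 test URLs
        "SQL injection": "p=1 or 1=1",
        "XSS": 'p=<script>Alert("HACK")<\\script>',
        "Command Injection": "p=cmd.exe",
        "Known Exploits": "wp-verify-link=test",
        "Trojan": "act=encoder",
    }
    for level in (1, 4):
        policy = KnownAttacksPolicy(sensitivity_level=level)
        for name, qs in lab_inputs.items():
            print(f"Level {level} {name}: {policy.evaluate('/', qs)}")
    policy = KnownAttacksPolicy(sensitivity_level=4)
    print("exceptions needed at Level 4:",
          tune_false_positive(policy, "/", "p=1 or 1=1"))
```

At Level 1 the SQL injection input is denied by one signature and a single exception allows it; at Level 4 the same input trips two signatures, and `tune_false_positive` shows that two exception rules are required before the resend is allowed, which is the case the section 6 note warns about. The exception is scoped to the URL path, so the same input on a different path is still denied.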

7. Restore to default configuration

  • SECURITY RULES > Known Attacks

  • Remove your exceptions.