Vulnerability scans

You can scan for known vulnerabilities on your web servers and web applications, helping you to design protection profiles that are an effective and efficient use of processing resources.

Vulnerability reports from a certified vendor can help you comply with regulations and certifications that require periodic vulnerability scans, such as Payment Card Industry Data Security Standard (PCI DSS).

Run vulnerability scans during initial FortiWeb deployment (see How to set up your FortiWeb) and any time you are staging a new version of your web applications. You may also be required by your compliance regime to provide reports on a periodic basis, such as quarterly.

Each vulnerability scan starts from an initial URL, authenticates if set up to do so, then scans for vulnerabilities in web pages that it crawls to from links on the initial page. After performing the scan, the FortiWeb appliance generates a report from the scan results.

Create and run web vulnerability scans early in the configuration of your FortiWeb appliance. Use the reports to locate vulnerabilities and fine-tune your protection settings.

 

If you have many web servers, you may want a FortiScan appliance to:

  • deepen vulnerability scans
  • integrate patch deployment
  • prioritize and track fixes via ticketing
  • offload and distribute scans to improve performance and remove bottlenecks
To run a web vulnerability scan

1.  Optionally, configure email settings. Email settings included in vulnerability scan profiles cause FortiWeb to email scan reports (see Configuring email settings).

2.  Prepare the staging or development web server for the scan (see Preparing for the vulnerability scan).

3.  Create a scan schedule, unless you plan to execute the scan manually. The schedule defines the frequency the scan will be run (see Scheduling web vulnerability scans).

4.  Create a scan profile. The profile defines which vulnerabilities to scan for (see Configuring vulnerability scan settings).

5.  Create a scan policy. The policy integrates a scan profile and schedule (see Running vulnerability scans).

6.  Either start the vulnerability scan manually (see Manually starting & stopping a vulnerability scan), or wait for it to run automatically according to its schedule.

7.  Examine vulnerability scan report. The report provides details and analysis of the scan results (see Viewing vulnerability scan reports).

See also

Preparing for the vulnerability scan

For best results, before running a vulnerability scan, you should prepare the network and target hosts for the vulnerability scan.

Live web sites

Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites. Instead, duplicate the web site and its database in a test environment such as a staging server and perform the scan in that environment. For more information, see Scan Mode.

Network accessibility

You may need to configure each target host and any intermediary NAT or firewalls to allow the vulnerability scan to reach the target hosts.

Traffic load & scheduling

You should talk to the owners of target hosts to determine an appropriate time to run the vulnerability scan. You can even schedule in advance the time that the FortiWeb will begin the scan.

For example, you might schedule to avoid peak traffic hours, to restrict unrelated network access, and to ensure that the target hosts will not be powered off during the vulnerability scan.

To determine the current traffic load, see Real Time Monitor widget. For scheduling information, see Scheduling web vulnerability scans.

Rapid access can result in degraded network performance during the scan. If you do not rate limit the vulnerability scan, some web servers could perceive its rapid rate of requests as a denial of service (DoS) attack. You may need to configure the web server to omit rate limiting for connections originating from the IP address of the FortiWeb appliance. Alternatively, you can configure the vulnerability scan to send requests more slowly. See Delay Between Each Request.
See also

Scheduling web vulnerability scans

Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Schedule enables you to configure vulnerability scan schedules.

A vulnerability scan schedule defines when the scan will automatically begin, and whether the scan is a one-time or periodically recurring event.

To configure a vulnerability scan schedule

1.  Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Schedule.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.

2.  Click Create New.

A dialog appears.

3.  Configure these settings:

Setting name Description
Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
Type

Select the type of schedule:

  • One Time — Run the vulnerability scan once.
  • Recurring — Run the vulnerability scan periodically.
Time Select the time of day to run the scan.
Date

Select the date to run the scan.

This setting is available only if Type is One Time.

Day

Select the days of the week to run the scan.

This setting is available only if Type is Recurring.

4.  Click OK.

5.  To use the profile, select it in a web vulnerability scan policy (see Running vulnerability scans).

See also

Configuring vulnerability scan settings

Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Profile enables you to configure vulnerability scan profiles.

A vulnerability scan profile defines a web server that you want to scan, as well as the specific vulnerabilities to scan for. Vulnerability scan profiles are used by vulnerability scan policies, which determine when to perform the scan and how to publish the results of the scan defined by the profile.

To configure a vulnerability scan profile

1.  If FortiWeb must authenticate in order to reach all URLs that will be involved in the vulnerability scan, configure the web application (if it provides form-based authentication) with an account that FortiWeb can use to log in.

For best results, the account should have permissions to all functionality used by the web site. If URLs and inputs vary by account type, you may need to create multiple accounts — one for each non-overlapping set — and run separate vulnerability scans for each account.

2.  Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Profile.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.

3.  Click Create New.

A dialog appears.

4.  Configure these settings:

Setting name Description
Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
Hostname/IP or URL

Type the fully qualified domain name (FQDN), IP address, or full URL to indicate which directory of the web site you want to scan. Behavior of the scan varies by the type of the entry:

  • A FQDN/IP such as www.example.com. Assume HTTP and scan the entire web site located on this host.
  • A partial URL such as https://webmail.example.com/dir1/. Use the protocol specified in the URL, and scan the web pages located in this directory of the web site. Other directories will be ignored.
  • A full URL such as http://example.com/dir1/start.jsp. Use the protocol specified in the URL, starting from the web page in the URL, and scan all local URLs reachable via links from this web page that are located within the same subdirectory.

Links to external web sites and redirects using HTTP 301 Moved Permanently or 302 Moved Temporarily or Found will not be followed.

Unless you will enter an IP address for the host, you must have configured a DNS server that the FortiWeb appliance can use to query for the FQDN. For details, see Configuring DNS settings.

Note: This starting point for the scan can be overridden if the web server automatically redirects the request after authentication. See Login with HTTP Authentication and Login with specified URL/data.

Scan

Enable detection of any of the following vulnerabilities that you want to include in the scan report:

  • Common Web Server Vulnerability (outdated software and software with known memory leaks, buffer overflows, and other problems)
  • XSS (Cross-site Scripting)
  • SQL Injection
  • Source-code Disclosure
  • OS Commanding
Scan Mode

Select whether the scan job will use Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).

Also configure Exclude scanning following URLs.

Basic Mode will avoid alterations to the web site’s databases, but only if all inputs always uses POST requests. It also omits testing of the following URLs, which could be sensitive:

  • /formathd
  • /formatdisk
  • /shutdown
  • /restart
  • /reboot
  • /reset

Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites, even if you use Basic Mode. Instead, duplicate the web site and its database into a test environment, and then use Enhanced Mode with that test environment.
Basic Mode cannot be guaranteed to be non-destructive. Many web sites accept input through HTTP GET requests, and so it is possible that a vulnerability scan could result in database changes, even though it does not use POST. In addition, Basic Mode cannot test for vulnerabilities that are only discoverable through POST, and therefore may not find all vulnerabilities.

Request Timeout Type the number of seconds for the vulnerability scanner to wait for a response from the web site before it assumes that the request will not successfully complete, and continues with the next request in the scan. It will not retry requests that time out.
Delay Between Each Request

Type the number of seconds to wait between each request.

Some web servers may rate limit the number of requests, or blacklist clients that issue continuous requests and therefore appear to be a web site harvester or denial of service (DoS) attacker. Introducing a delay can be useful to prevent the vulnerability scanner from being blacklisted or rate limited, and therefore slow or unable to complete its scan.

Note: Increasing the delay will increase the time required to complete the scan.

5.  Click Login Option’s blue arrow to expand the section, then configure the following:

Setting name Description
Login with HTTP Authentication

Enable to use basic HTTP authentication if the web server returns HTTP 401 Unauthorized to request authorization. Also configure User and Password.

Alternatively, configure Login with specified URL/data.

After authentication, if the web server redirects the request (HTTP 302), the FortiWeb appliance will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.

Note: If a web site requires authentication and you do not configure the vulnerability scan to authenticate, the scan results will be incomplete.

User Type the user name to provide to the web site if it requests HTTP authentication.
Password Type the password corresponding to the user name.
Login with specified URL/data

Enable to authenticate if the web server does not use HTTP 401 Authorization Required, but instead provides a web page with a form that allows the user to authenticate using HTTP POST. Also configure Authenticate URL and Authenticate Data.

After authentication, if the web server redirects the request (HTTP 302 Found), the FortiWeb appliance will use this new web page as its starting point for the scan, replacing the URL that you configured in Hostname/IP or URL.

Note: If a web site requires authentication and you do not configure it, the scan results will be incomplete.

Authenticate URL Type the URL, such as /login.jsp, that the vulnerability scan will use to authenticate with the web application before beginning the scan.
Authenticate Data Type the parameters, such as userid=admin&password=Re2b8WyUI, that will be accompany the HTTP POST request to the authentication URL, and contains the values necessary to authenticate. Typically, this string will include user name and password parameters, but may contain other variables, depending on the web application.

6.  Click Scan Web Site URLs Option’s blue arrow to expand the section, then configure the following:

Setting name Description
Crawl entire website automatically

Select this option to automatically follow links leading from the initial starting point that you configured in Hostname/IP or URL. The vulnerability scanner will stop following links when it has scanned the number of URLs configured in Crawl URLs Limit.

Alternatively, select Specify URLs for scanning.

Crawl URLs Limit

Type the maximum number of URLs to scan for vulnerabilities while automatically crawling links leading from the initial starting point.

Note: The actual number of URLs scanned could exceed this limit if the vulnerability scanner reaches the limit but has not yet finished crawling all links on a page that it has already started to scan.

Specify URLs for scanning

Select this option to manually specify which URLs to scan, such as /login.do, rather than having the vulnerability scanner automatically crawl the web site. Enter each URL on a separate line in the text box.

You can enter up to 10,000 URLs.

Exclude scanning following URLs

Enable to exclude specific URLs, such as /addItem.cfm, from the vulnerability scan. Enter each URL on a separate line in the text box.

This may be useful to accelerate the scan if you know that some URLs do not need scanning. It could also be useful if you are scanning a live web site and wish to prevent the scanner from inadvertently adding information to your databases.

You can enter up to 1,000 URLs.

7.  Click OK.

8.  To use the profile, select it in a web vulnerability scan policy (see Running vulnerability scans).

See also

Running vulnerability scans

In order to run a vulnerability scan, you must apply a schedule (if any) to a profile of settings, as well as providing a few additional details.

A vulnerability scan policy defines the scheduling type of scan (an immediate scan or a scheduled scan), the profile to use, the file format of the report, and recipients.

To configure a web vulnerability scan policy

1.  Configure a vulnerability scan profile. See Configuring vulnerability scan settings.

2.  If the scan will run by a schedule instead of being manually initiated, create a vulnerability scan schedule. See Scheduling web vulnerability scans.

3.  Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.

Field Description
Status Indicates whether the scan is idle (the status indicator is solid green) or running (the status indicator is flashing red and yellow).
Start/Stop

The Start/Stop icon appears only if the policy is configured as Run Now. If so, the icon changes depending on the current status of the scan:

  • Stop — The scan associated with the policy is in progress.
  • Start — The scan associated with the policy is not in progress.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.

4.  Click Create New.

A dialog appears.

5.  Configure these settings:

Setting name Description
Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
Type

Select the scheduling type, either:

Schedule

Select the predefined schedule to use for the scan. See Scheduling web vulnerability scans.

This option appears only if the Type is Schedule.

Profile Select the profile to use when running the vulnerability scan. See Configuring vulnerability scan settings.
Report Format

Enable one or more file formats for the vulnerability scan report:

  • HTML
  • MHT (MIME HTML, which can be included in email)
  • PDF
  • RTF (Rich Text Format, which can be opened in word processors such as OpenOffice or Microsoft Word)
  • TXT (plain text)
Email Select the email settings, if any, to use in order to send results of the vulnerability scan. See Configuring email settings.

6.  Click OK.

If Type is Run Now, the scan begins immediately. Otherwise, it begins at the time that you configured in Schedule. Time required varies by the network speed and traffic volume, load of the target hosts (especially the number of request timeouts), and your configuration of Delay Between Each Request.

When the scan is complete, FortiWeb generates a report based on the scan results. See Viewing vulnerability scan reports.

See also

Manually starting & stopping a vulnerability scan

If the schedule type associated with the vulnerability scan policy is set to Run Now, You can manually start and stop a scan. (You cannot manually start a scan that is scheduled.)

To manually start a scan

1.  Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.

2.  Locate a vulnerability scan whose Schedule column says Run Now and whose status indicator is green (idle).

You cannot manually start a scan that has been scheduled in advance, or that is currently in progress.

3.  In the row for that vulnerability scan, click the Start icon.

FortiWeb connects to the target host configured in the profile and, if enabled to do so, authenticates. The status indicator flashes red and yellow while the scan is running.

When the scan is finished the status indicator returns to green (idle).

A summary of scan results appears in the section hidden by the blue expansion arrow. To reveal them, click the arrow.

You can view and/or download the full scan report via the web UI (see Viewing vulnerability scan reports and Downloading vulnerability scan reports). If email settings were selected in the scan, a scan report is also delivered to its recipients.

To stop a scan

1.  Go to Web Vulnerability Scan > Web Vulnerability Scan > Web Vulnerability Scan Policy.

2.  Locate a vulnerability scan whose status indicator is flashing red and yellow, indicating that the scan is running.

3.  In the row for that vulnerability scan, click the Stop icon.

The vulnerability scan stops. The status indicator returns to green (idle). You can In the Name column, you can click the blue expansion arrow to view a summary of the scan results to the point where you stopped the scan.

See also

Viewing vulnerability scan reports

After a web vulnerability scan completes, the FortiWeb appliance generates a report summarizing and analyzing the results of the scan. If you configured it to email the report to you when complete, you may receive the report in your inbox. However, you can also view and download it through the web UI.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.

Web Vulnerability Scan > Web Vulnerability Scan > Scan History

Field Description
View Click to view a scan report. See Downloading vulnerability scan reports.
Download Click to download a copy of a scan report. See Downloading vulnerability scan reports
Target Server Displays the host name of the server that was scanned for vulnerabilities. Click this link to view the scan report associated with this server.
URLs Found Displays the number of URLs on the target host that were scanned for vulnerabilities.
Alerts Found Displays the total number of vulnerabilities discovered during the scan.
Scan Time Displays the date and time that the scan was performed.
Scan Mode Indicates whether the scan job used Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).

Scan report contents

The web vulnerability scan report is divided into sections for a summary, discovered vulnerabilities and affected URLs.

Viewing a vulnerability report

See also

Downloading vulnerability scan reports

The report contents are the same when using the Download or View feature, though the presentation varies.

To download a scan report

1.  Go to Web Vulnerability Scan > Web Vulnerability Scan > Scan History.

2.  Mark the check box next to the scan report that you want to download.

3.  Click Download.

A dialog appears.

4.  Click Download Report File.

A file download prompt appears.

5.  Click Save.

6.  If prompted, select the location on your computer to store the HTML report.

See also