
CLI Reference

config security waf scanner

The Web Application Vulnerability Scanner (WVS) is a set of automated tools that perform black-box tests against web applications to look for security vulnerabilities such as cross-site scripting, SQL injection, command injection, source code disclosure and insecure server configuration.

To configure the web-vulnerability-scanner, first configure, in this order, (1) a target-login-option, (2) a profile and (3) a task. With these in place, start the task with execute web-vulnerability-scan and read the results with get security scan-report. Because the scan sends active injection payloads to the selected real server, run it only against targets you are authorized to test and that can tolerate the traffic.

Syntax

// first step login

config security web-vulnerability-scanner target-login-option

edit <name>

set type <none/basic/advanced>

// if basic then:

set username <string>

set password <string>

next

end

 

//optional

config security web-vulnerability-scanner exceptionlist

edit <name>

config domain_list

edit <id>

set pattern <string>

next

end

next

end

 

// second step profile

config security web-vulnerability-scanner profile

edit <name>

set pool-name <datasource>

set http-login-option <datasource>

set mime-scan <enable/disable>

set files-scan <enable/disable>

set messages-scan <enable/disable>

set apps-scan <enable/disable>

set context-scan <enable/disable>

set crawl-limit <integer>

set exceptionlist <datasource>

set add_http_cookie <enable/disable>

set cookie-name <string> //optional

set cookie-value <string> //optional

next

end

 

// third step task

config security web-vulnerability-scanner task

edit <name>

set scheduler <datasource>

set profile <datasource>

// uses previously constructed profile

next

end

 

// last step: waf scanner

execute web-vulnerability-scan <start/stop> <datasource>

get security scan-report

// datasource uses previously created task

 

WVS Login configuration

Settings Guidelines

Name

Specify a name for the configuration.

type

Select one of three types:

  • None. Default. No login is performed before the scan.
  • Basic. Simple HTTP credentials: specify a username and password. (For HTTP form-based login, use Advanced.)
  • Advanced. HTTP POST HTML form-based login. You must provide the username, password, username field name and password field name to FortiADC, and optionally the auth-url, auth-target-url, verify-url and extend_parameter settings.

username

Login username.

password

Login password.

username-field

Field name for the username (only for Advanced).

password-field

Field name of the password (only for Advanced).

extend_parameter

Additional HTML form parameters sent with the login request (only for Advanced).

auth-url

Full URL of the login page (only for Advanced).

auth-target-url

Full URL that the login form POSTs to (only for Advanced).

verify-url

Full URL requested after login to verify that authentication succeeded (only for Advanced).

 

 

WVS Profile configuration

Settings Guidelines

Name

Specify a name for the configuration.

pool-name

Select the real server pool containing the real server to scan.

http-login-option

Select a previously configured HTTP login option (target-login-option).

mime-scan

The MIME signatures warn about server responses with an interesting MIME type. For example, anything served as PHP source is likely to be interesting.

files-scan

The files signatures use the response content to determine whether it is an interesting file, for example an SVN file.

messages-scan

The messages signatures look for interesting server messages. Most are based on errors, such as those caused by malformed SQL queries or PHP execution failures.

apps-scan

The apps signatures help find pages and applications whose functionality is a security risk by default, for example phpinfo() pages that leak information or CMS admin interfaces.

context-scan

The context signatures are linked to the injection tests. They look for strings relevant to the current injection test and help to highlight potential vulnerabilities.

crawl-limit

Specify the crawl limit, which bounds how far the crawler follows the target site.

exceptionlist

Select the exception list whose domain_list patterns the scanner skips.

add_http_cookie

Add a cookie (cookie-name and cookie-value) to the HTTP request header sent by the scanner.

 

WVS Task configuration

Settings Guidelines

name

Specify a name for the configuration.

scheduler

Select a scheduler from the schedule group.

profile

Select a profile.

 

WAF scanner configuration

Settings Guidelines

start

Start the web vulnerability scan task.

stop

Stop the web vulnerability scan task.

scan-report

Shows the scan reports (ID, task name and creation time).

 

Example

// first step login

FortiADC-VM (root) # config security web-vulnerability-scanner target-login-option

FortiADC-VM (root) # edit 1

FortiADC-VM (1) # set type basic

FortiADC-VM (1) # set username me

FortiADC-VM (1) # set password dog

 

FortiADC-VM (1) # get

type : basic

username : me

password : *

 

next

end

 

// second step profile

FortiADC-VM (root) # config security web-vulnerability-scanner profile

 

FortiADC-VM (profile) # edit test

// Add new entry 'test'

FortiADC-VM (test) # set apps-scan enable

FortiADC-VM (test) # set pool-name Real_Server_Pool

 

FortiADC-VM (test) # set http-login-option 1

// uses previously created login-option

 

FortiADC-VM (test) # set crawl-limit 1500

 

 

FortiADC-VM (test) # get

pool-name : Real_Server_Pool

http-login-option : 1

mime-scan : disable

files-scan : enable

messages-scan : enable

apps-scan : enable

context-scan : enable

crawl-limit : 1500

 

next

end

 

// third step task

FortiADC-VM (root) # config security web-vulnerability-scanner task

 

FortiADC-VM (task) # edit task1

// Add new entry 'task1'

FortiADC-VM (task1) # get

scheduler : 

profile : 

 

FortiADC-VM (task1) # set scheduler 1

// comes from datasource

FortiADC-VM (task1) # set profile test

// uses previously created profile

FortiADC-VM (task1) # get

scheduler : 1

profile : test

 

next

end

 

// last step: waf scanner

FortiADC-VM (root) # execute web-vulnerability-scan start

Usage: start/stop <taskname>

Command fail. Return code is -61 (Input is not as expected)

 

// need to name the task created earlier, 'task1'

FortiADC-VM (root) # execute web-vulnerability-scan start task1

FortiADC-VM (root) # get security scan-report

ID:0 Taskname:task1 Created Time:15:41:16,10-30-18

 

// example for advanced login

 

config security web-vulnerability-scanner target-login-option

edit "advanced"

set type advanced

set username username

set password password

set auth-url http://www.example.com

unset auth-target-url

unset verify-url

set username-field userfi

set password-field passfi

unset extend_parameter

next

end
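The page's examples leave the optional parts unused: the advanced login has auth-target-url, verify-url and extend_parameter unset, and no example shows the exception list or add_http_cookie. The following is an added example (not from the original page or from Fortinet) that puts all of them together using the syntax listed above. The hostnames, URLs, form field names, pattern strings, cookie values, pool name and scheduler ID are assumptions chosen for illustration; the value format of extend_parameter and what the exception list patterns match against are assumptions too, since the page does not define them.

```text
// Added example, not from the original page. Names, URLs and values are assumptions.

// 1. form-based login: POST the credentials to the login handler, then confirm
//    the session by fetching a page that is only reachable when logged in
config security web-vulnerability-scanner target-login-option
edit "form-login"
set type advanced
set username scanner
set password <password>
set auth-url http://app.example.com/login
set auth-target-url http://app.example.com/login/submit
set verify-url http://app.example.com/account
set username-field user
set password-field pass
set extend_parameter "remember=1"   // value format is an assumption
next
end

// optional: keep the crawler away from the logout handler (so the scan does not
// end its own session) and away from the admin area
config security web-vulnerability-scanner exceptionlist
edit "skip-logout"
config domain_list
edit 1
set pattern app.example.com/logout   // what the pattern matches is an assumption
next
edit 2
set pattern app.example.com/admin
next
end
next
end

// 2. profile: scan a pool member as the logged-in user, honour the exception
//    list, and tag scanner requests with a cookie so they stand out in server logs
config security web-vulnerability-scanner profile
edit "authenticated-scan"
set pool-name Real_Server_Pool
set http-login-option form-login
set mime-scan enable
set files-scan enable
set messages-scan enable
set apps-scan enable
set context-scan enable
set crawl-limit 500
set exceptionlist skip-logout
set add_http_cookie enable
set cookie-name scan_id
set cookie-value wvs-authenticated-scan
next
end

// 3. task: bind the profile to a schedule
config security web-vulnerability-scanner task
edit "auth-scan"
set scheduler 1
set profile authenticated-scan
next
end

// run it, check the report list, and stop it if it has to be aborted
execute web-vulnerability-scan start auth-scan
get security scan-report
execute web-vulnerability-scan stop auth-scan
```

The exception list is the part most worth getting right before a scan: a crawler that follows the logout link drops its own session and silently scans the rest of the site unauthenticated, so the verify-url and the logout exclusion together are what make an authenticated scan actually authenticated.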
