Fortinet black logo

User Guide

Home FortiDAST 23.1.0 User Guide
23.1.0
24.1.0
23.4.0
23.3.a
23.3.0
23.2.0
23.1.a
23.1.0

What is FortiDAST

What is FortiDAST

FortiDAST is a cloud enabled service that performs web application vulnerability testing through an intensive process of comprehensive and criteria based automated scanning and analysis. It adopts an organised technical approach of assessing your web applications running in an HTTP/HTTPS environment, to identify loopholes and vulnerabilities. Penetration testing (pen-testing) is the process to explore and exploit security vulnerabilities in an application using various malicious techniques to discover security gaps; securing your network and assisting in suitable remediation steps for the identified susceptibilities.

The goal of FortiDAST is to provide an easy-to-understand and non-intrusive evaluation of the security posture of your web applications. The outcome is an accurate and detailed vulnerability assessment report with a high vulnerability detection rate that facilitates appropriate measures for remediation and further network penetration testing.

This diagram lays down the building blocks of the FortiDAST vulnerability assessment and penetration testing service.

FortiDAST uses web Crawler and Fuzzer techniques to detect and scan your web applications for vulnerability assessment. The Common Vulnerability Scoring System (CVSS), Exploit Prediction Scoring System (EPSS), and Open Web Application Security Project (OWASP) Top 10 are employed to assess the severity of vulnerabilities and identify security risks to web applications. The vulnerability assessment result is presented in a comprehensive dashboard and customized, downloadable reports with graphical representation and visualization of statistics.

Note: FortiDAST supports scanning both external (public) and internal (private) assets.

The following are some of the key features of FortiDAST.

  • The web application scanning is comprehensive and provides accurate vulnerability assessment for a complete view of security risks.
  • The automated scanning process allows you to simply and swiftly evaluate all of your web applications, reducing manual intervention.
  • The scanning process is completely non-intrusive to prevent inactivity and disruptions; you can include additional headers to be included in the scan.
  • A comprehensive dashboard as a combination of interactive chart and list based statistics. The dashboard provides detailed insight into the scanned web applications.
  • Support for automatic upload of scan reports to WAF (FortiWeb) and rules generation.
  • You can integrate FortiDAST plugin with Jenkins and with GitLab for Continuous Integration/Continuous Deployment to trigger automated vulnerability assessment scans.

Note: The term asset used henceforth in this document implies the web site that you are scanning.

FortiDAST implements/uses the following modules for vulnerability assessment.

Crawler Module

The web Crawler systematically crawls the web server asset to locate paths that are inputs to the fuzzer modules. It uses the quick and full scan modes. These modes are configurable, see Configuring the Scanner. A quick scan is fast mode scanning that provides vulnerability assessment based on limited testing/scraping of the static pages of your asset. These pages are scraped by searching and extracting URLs from HTML tags and attributes. For example, the following tag which defines a hyperlink with href attribute.

<a href=”http://example.com”>

A Full scan provides vulnerability assessment based on complete testing/scraping of the static and dynamic pages of your asset. The Crawler also performs browsing simulation such as clicking of buttons, links, and images to test the interaction between the dynamic pages and the browser. This mode of vulnerability assessment takes longer.

The Crawler also uses websocket endpoints to collect relevant information for the fuzzer modules to assess vulnerabilities.

Crawler Timeout

The Crawler times out after 5 hours, that is, it stops crawling your asset after 5 hours. If your asset is very large, you might obtain only partial scanning result.

Inconsistent Crawler Result

The following are some reasons that might cause inconsistent crawling results.

  • Dynamic contents: Forums and access logging.
  • Redirections: HTTP redirects to HTTPS and redirection to WWW.
  • Inconsistent response time: Presence of too much content affecting the response and loading time.
  • Intermediate third party security product: Web Application Firewall (WAF) blocking some requests.

Fuzzer Module

The FortiDAST also uses reconnaissance engine to provide server (host) and web service or application related information to the fuzzer modules to optimize and enhance vulnerability scanning.The Fuzzer modules scan the following to detect vulnerabilities.

  • URLs in your web server asset
  • Asynchronous requests for Server Side Request Forgery, Remote Code Execution, XSS (Cross site scripting), Path Traversal, File Inclusion, Server-Side Template Injection, XML external entity (XXE) injection, NoSQL, Open Redirect, SSTI, and LDAP.
  • Blind injection using the C2 server for XSS (Cross site scripting) and File Inclusion.
  • REST APIs for Server-Side Template Injection, Remote Code Execution, XSS (Cross site scripting), Path Traversal, File Inclusion,
  • JSON data and HTTP methods.
    • GET, PUT, and PATCH for SSRF, RCE, XSS, and NoSQL
    • POST and GET for Path Traversal
    • POST for SQL
    • File Inclusion for GET, POST, PUT, and PATCH
  • XML data format
    • RCE, File Inclusion, NoSQLi, XSS, SSRF for GET, POST, PUT, and PATCH
    • Path Traversal for GET
    • FuzzerType2 for POST

This table describes the various Fuzzer modules used for vulnerability scanning.

Vulnerability Category

Vulnerability Description & Fuzzer Modules

Injection

Remote Code Execution - Scans if the provided URL together with other scan parameters are vulnerable to exploits due to command injection faults.

Server-Side Template Injection - Scans if the web application uses server-side template and if injecting malicious payload into the template can be executed.

File inclusion – Scans if the provided URL is vulnerable to dynamic file inclusion which occurs when the target contains procedures that use user-supplied file path input without proper validation.

LDAP Injection - Scans if the web application is vulnerable to LDAP injection attacks that occur when the LDAP statements based on user input are modified using a local proxy.

NoSQL Injection - Scans if the web application is vulnerable to malicious queries aimed to modify/alter the NoSQL database when the application communicates directly with the database.

SQL Injection - Scans if the web application is vulnerable to malicious SQL queries through unsanitized user input exposing sensitive information.

XPATH Injection - Scans if the web application is vulnerable to malicious Xpath queries through unsanitized user input exposing sensitive information.

Code Injection - Scans if the web application is vulnerable to HTML, PHP, and classic ASP injection attacks.

XSS (Cross site scripting) - Scans for XSS vulnerabilities by sending executable scripts (payloads) in the form of specially crafted user inputs to a target URL. If the scripts end up being executed, the target is considered to be vulnerable.

Insecure file upload and manipulation via WebDAV - Scans resources and properties of a particular directory to know if it is possible to obtain a recursive directory listing of all the files and folders from the provided URL using WebDAV. WebDAV is disabled when not in use or directory browsing permissions are restricted.

Open Redirect – Scans if the provided URL accepts a user controlled input that specifies a link to an external site, and uses that link in a redirect.

Path Traversal - Scans if the files and directories can be accessed outside the web root folder on the target web server via a controlled web application variable.

ORM Injection - Object Relational Mapping injection is an attack using SQL injection against an ORM generated data access object model.

Expression Language (EL) / Object Graph Navigation Library (OGNL) Injection - Scans for blind injection and detects escalation of vulnerability to RCE.

Broken Access Control

Forced Browsing - Scans if the resources that are not referenced by the web application can be accessed leading to unauthorized information gathering.

Server Side Request Forgery - Scans if the HTTP requests coming from server-side applications can be controlled and redirected to a malicious web page. The C2 server is implemented to detect these vulnerabilities.

Indirect object referencing (IDOR) - Scans for any broken access control between two logged-in credentials.

Cryptographic Failures

SSL tests - Scans if the provided URL together with other scan parameters has a valid SSL/TLS-enabled version and if so, whether there is an automatic HTTP to HTTPS redirection when a user visits the HTTP version of the website.

Weak Ciphers - Scans for vulnerable cipher suites that do not provide sufficient security to web applications.

Security Misconfiguration

XML external entity (XXE) injection - Scans if the web application is vulnerable to XXE injections by validating and filtering the XML documents before processing.

Information Disclosure - Scans and identifies sensitive information such as passwords, phone numbers, email addresses, secret finders using regular expressions, and banner grabbing vulnerabilities. It extracts information on static and rendered HTML pages

CORS misconfiguration – Scans if the provided URL allows Cross-Origin Resource Sharing. CORS is a browser mechanism which enables controlled access to resources located outside of a given domain. Misconfiguration may allow attackers to perform cross-domain based attacks.

Security HTTP Headers - Scans if the HTTP response has specific headers to increase the security of your application.

Weak Password – Scans if the provided URL is subjected to authentication bypass using a dictionary bruteforce attack.

Suspicious Domains – Scans If the provided URL is referencing to domains which are either expired or not registered.

Excessive authentication attempts - Scans for improper restriction of excessive authentication attempts by brute forcing the login page by continuously sending random usernames and passwords.

Vulnerable and Outdated Components

Known vulnerability - Scans if the asset (provided URL together with other scan parameters) is using such components that are known to have vulnerabilities. For components with Common Platform Enumeration (CPE) values, this module also queries the National Vulnerability Database (NVD) to find all reported vulnerabilities for each component. Each vulnerability in NVD is associated with a unique Common Vulnerabilities and Exposure (CVE) ID.

Identification and authentication Failures

URL Session Token - Scans if the session tokens in the provided URL are vulnerable to leaks and uses secure methods to store session tokens.

Session Fixation - Scans if the value of the session cookie can be overwritten with an existent session ID. It ensures that a new session cookie is generated upon authentication.

Migitation against bruteforce attacks - Scans for any protection mechanism against brute force attacks.

Lack of session invalidation upon logout and session timeout - Scans for insufficient inactivity session expiration (idle timeout of 15 minutes) and insufficient session invalidation on user logout (user logout function invalidates user session).

Software and Data Integrity Failures

Untrusted Data Deserialization - Scans for vulnerabilities related to deserialization of Untrusted PHP/Java data. Serialized objects are not accepted from untrusted sources.

Insecure Design

Unrestricted file upload - Scans for insufficient validation of the name, type, contents, or size and headers of uploaded files.

HTTP request smugling -Scans to detect HTTP request smuggling attack based on the known generic payloads.

Authentication Bypass -Scans for protection mechanism against malicious characters from user input.

Web Cache Poisoning - Scans for behavioral exploits of a web server and cache, to avoid serving a harmful HTTP response.

Attack Chaining Module

FortiDAST also uses the Attack Chaining Module (ACM) to perform deep scans combining a series of exploits from the initially discovered vulnerabilities, in case there is a possibility that more critical vulnerabilities are discovered, leading to a fully compromised asset. This release validates if the SSTI vulnerabilities identified in an asset can lead to RCE attacks.

Previous
Next

What is FortiDAST

FortiDAST is a cloud enabled service that performs web application vulnerability testing through an intensive process of comprehensive and criteria based automated scanning and analysis. It adopts an organised technical approach of assessing your web applications running in an HTTP/HTTPS environment, to identify loopholes and vulnerabilities. Penetration testing (pen-testing) is the process to explore and exploit security vulnerabilities in an application using various malicious techniques to discover security gaps; securing your network and assisting in suitable remediation steps for the identified susceptibilities.

The goal of FortiDAST is to provide an easy-to-understand and non-intrusive evaluation of the security posture of your web applications. The outcome is an accurate and detailed vulnerability assessment report with a high vulnerability detection rate that facilitates appropriate measures for remediation and further network penetration testing.

This diagram lays down the building blocks of the FortiDAST vulnerability assessment and penetration testing service.

FortiDAST uses web Crawler and Fuzzer techniques to detect and scan your web applications for vulnerability assessment. The Common Vulnerability Scoring System (CVSS), Exploit Prediction Scoring System (EPSS), and Open Web Application Security Project (OWASP) Top 10 are employed to assess the severity of vulnerabilities and identify security risks to web applications. The vulnerability assessment result is presented in a comprehensive dashboard and customized, downloadable reports with graphical representation and visualization of statistics.

Note: FortiDAST supports scanning both external (public) and internal (private) assets.

The following are some of the key features of FortiDAST.

  • The web application scanning is comprehensive and provides accurate vulnerability assessment for a complete view of security risks.
  • The automated scanning process allows you to simply and swiftly evaluate all of your web applications, reducing manual intervention.
  • The scanning process is completely non-intrusive to prevent inactivity and disruptions; you can include additional headers to be included in the scan.
  • A comprehensive dashboard as a combination of interactive chart and list based statistics. The dashboard provides detailed insight into the scanned web applications.
  • Support for automatic upload of scan reports to WAF (FortiWeb) and rules generation.
  • You can integrate FortiDAST plugin with Jenkins and with GitLab for Continuous Integration/Continuous Deployment to trigger automated vulnerability assessment scans.

Note: The term asset used henceforth in this document implies the web site that you are scanning.

FortiDAST implements/uses the following modules for vulnerability assessment.

Crawler Module

The web Crawler systematically crawls the web server asset to locate paths that are inputs to the fuzzer modules. It uses the quick and full scan modes. These modes are configurable, see Configuring the Scanner. A quick scan is fast mode scanning that provides vulnerability assessment based on limited testing/scraping of the static pages of your asset. These pages are scraped by searching and extracting URLs from HTML tags and attributes. For example, the following tag which defines a hyperlink with href attribute.

<a href=”http://example.com”>

A Full scan provides vulnerability assessment based on complete testing/scraping of the static and dynamic pages of your asset. The Crawler also performs browsing simulation such as clicking of buttons, links, and images to test the interaction between the dynamic pages and the browser. This mode of vulnerability assessment takes longer.

The Crawler also uses websocket endpoints to collect relevant information for the fuzzer modules to assess vulnerabilities.

Crawler Timeout

The Crawler times out after 5 hours, that is, it stops crawling your asset after 5 hours. If your asset is very large, you might obtain only partial scanning result.

Inconsistent Crawler Result

The following are some reasons that might cause inconsistent crawling results.

  • Dynamic contents: Forums and access logging.
  • Redirections: HTTP redirects to HTTPS and redirection to WWW.
  • Inconsistent response time: Presence of too much content affecting the response and loading time.
  • Intermediate third party security product: Web Application Firewall (WAF) blocking some requests.

Fuzzer Module

The FortiDAST also uses reconnaissance engine to provide server (host) and web service or application related information to the fuzzer modules to optimize and enhance vulnerability scanning.The Fuzzer modules scan the following to detect vulnerabilities.

  • URLs in your web server asset
  • Asynchronous requests for Server Side Request Forgery, Remote Code Execution, XSS (Cross site scripting), Path Traversal, File Inclusion, Server-Side Template Injection, XML external entity (XXE) injection, NoSQL, Open Redirect, SSTI, and LDAP.
  • Blind injection using the C2 server for XSS (Cross site scripting) and File Inclusion.
  • REST APIs for Server-Side Template Injection, Remote Code Execution, XSS (Cross site scripting), Path Traversal, File Inclusion,
  • JSON data and HTTP methods.
    • GET, PUT, and PATCH for SSRF, RCE, XSS, and NoSQL
    • POST and GET for Path Traversal
    • POST for SQL
    • File Inclusion for GET, POST, PUT, and PATCH
  • XML data format
    • RCE, File Inclusion, NoSQLi, XSS, SSRF for GET, POST, PUT, and PATCH
    • Path Traversal for GET
    • FuzzerType2 for POST

This table describes the various Fuzzer modules used for vulnerability scanning.

Vulnerability Category

Vulnerability Description & Fuzzer Modules

Injection

Remote Code Execution - Scans if the provided URL together with other scan parameters are vulnerable to exploits due to command injection faults.

Server-Side Template Injection - Scans if the web application uses server-side template and if injecting malicious payload into the template can be executed.

File inclusion – Scans if the provided URL is vulnerable to dynamic file inclusion which occurs when the target contains procedures that use user-supplied file path input without proper validation.

LDAP Injection - Scans if the web application is vulnerable to LDAP injection attacks that occur when the LDAP statements based on user input are modified using a local proxy.

NoSQL Injection - Scans if the web application is vulnerable to malicious queries aimed to modify/alter the NoSQL database when the application communicates directly with the database.

SQL Injection - Scans if the web application is vulnerable to malicious SQL queries through unsanitized user input exposing sensitive information.

XPATH Injection - Scans if the web application is vulnerable to malicious Xpath queries through unsanitized user input exposing sensitive information.

Code Injection - Scans if the web application is vulnerable to HTML, PHP, and classic ASP injection attacks.

XSS (Cross site scripting) - Scans for XSS vulnerabilities by sending executable scripts (payloads) in the form of specially crafted user inputs to a target URL. If the scripts end up being executed, the target is considered to be vulnerable.

Insecure file upload and manipulation via WebDAV - Scans resources and properties of a particular directory to know if it is possible to obtain a recursive directory listing of all the files and folders from the provided URL using WebDAV. WebDAV is disabled when not in use or directory browsing permissions are restricted.

Open Redirect – Scans if the provided URL accepts a user controlled input that specifies a link to an external site, and uses that link in a redirect.

Path Traversal - Scans if the files and directories can be accessed outside the web root folder on the target web server via a controlled web application variable.

ORM Injection - Object Relational Mapping injection is an attack using SQL injection against an ORM generated data access object model.

Expression Language (EL) / Object Graph Navigation Library (OGNL) Injection - Scans for blind injection and detects escalation of vulnerability to RCE.

Broken Access Control

Forced Browsing - Scans if the resources that are not referenced by the web application can be accessed leading to unauthorized information gathering.

Server Side Request Forgery - Scans if the HTTP requests coming from server-side applications can be controlled and redirected to a malicious web page. The C2 server is implemented to detect these vulnerabilities.

Indirect object referencing (IDOR) - Scans for any broken access control between two logged-in credentials.

Cryptographic Failures

SSL tests - Scans if the provided URL together with other scan parameters has a valid SSL/TLS-enabled version and if so, whether there is an automatic HTTP to HTTPS redirection when a user visits the HTTP version of the website.

Weak Ciphers - Scans for vulnerable cipher suites that do not provide sufficient security to web applications.

Security Misconfiguration

XML external entity (XXE) injection - Scans if the web application is vulnerable to XXE injections by validating and filtering the XML documents before processing.

Information Disclosure - Scans and identifies sensitive information such as passwords, phone numbers, email addresses, secret finders using regular expressions, and banner grabbing vulnerabilities. It extracts information on static and rendered HTML pages

CORS misconfiguration – Scans if the provided URL allows Cross-Origin Resource Sharing. CORS is a browser mechanism which enables controlled access to resources located outside of a given domain. Misconfiguration may allow attackers to perform cross-domain based attacks.

Security HTTP Headers - Scans if the HTTP response has specific headers to increase the security of your application.

Weak Password – Scans if the provided URL is subjected to authentication bypass using a dictionary bruteforce attack.

Suspicious Domains – Scans If the provided URL is referencing to domains which are either expired or not registered.

Excessive authentication attempts - Scans for improper restriction of excessive authentication attempts by brute forcing the login page by continuously sending random usernames and passwords.

Vulnerable and Outdated Components

Known vulnerability - Scans if the asset (provided URL together with other scan parameters) is using such components that are known to have vulnerabilities. For components with Common Platform Enumeration (CPE) values, this module also queries the National Vulnerability Database (NVD) to find all reported vulnerabilities for each component. Each vulnerability in NVD is associated with a unique Common Vulnerabilities and Exposure (CVE) ID.

Identification and authentication Failures

URL Session Token - Scans if the session tokens in the provided URL are vulnerable to leaks and uses secure methods to store session tokens.

Session Fixation - Scans if the value of the session cookie can be overwritten with an existent session ID. It ensures that a new session cookie is generated upon authentication.

Migitation against bruteforce attacks - Scans for any protection mechanism against brute force attacks.

Lack of session invalidation upon logout and session timeout - Scans for insufficient inactivity session expiration (idle timeout of 15 minutes) and insufficient session invalidation on user logout (user logout function invalidates user session).

Software and Data Integrity Failures

Untrusted Data Deserialization - Scans for vulnerabilities related to deserialization of Untrusted PHP/Java data. Serialized objects are not accepted from untrusted sources.

Insecure Design

Unrestricted file upload - Scans for insufficient validation of the name, type, contents, or size and headers of uploaded files.

HTTP request smugling -Scans to detect HTTP request smuggling attack based on the known generic payloads.

Authentication Bypass -Scans for protection mechanism against malicious characters from user input.

Web Cache Poisoning - Scans for behavioral exploits of a web server and cache, to avoid serving a harmful HTTP response.

Attack Chaining Module

FortiDAST also uses the Attack Chaining Module (ACM) to perform deep scans combining a series of exploits from the initially discovered vulnerabilities, in case there is a possibility that more critical vulnerabilities are discovered, leading to a fully compromised asset. This release validates if the SSTI vulnerabilities identified in an asset can lead to RCE attacks.

Previous
Next