Fortinet black logo

Administration Guide

Solutions for specific web attacks

Solutions for specific web attacks

The types of attacks that web servers are vulnerable to are varied, and evolve as attackers try new strategies.

FortiWeb offers numerous configurable features for preventing web-related attacks, including denial-of-service (DoS) assaults, brute-force logins, data theft, cross-site scripting attacks, among many more.

Early in your deployment of FortiWeb, configure and run web vulnerability scans to detect the most common attack vulnerabilities. You can use this to discover attacks to which you may be vulnerable. For details, see Vulnerability scans.

HTTP/HTTPS threats

Servers are increasingly being targeted by exploits at the application layer or higher. These attacks use HTTP/HTTPS and may aim to compromise the target web server to steal information, deface it, post malicious files on a trusted site to further exploit visitors to the site, or use the web server to create botnets.

Among its many threat management features, FortiWeb fends off attacks that use cross-site scripting, state-based intrusion, and various injection attacks. This helps you comply with protection standards for:

  • Credit-card data, such as PCI DSS 6.6
  • Personally identifiable information, such as HIPAA

FortiWeb can also protect against threats at higher layers (HTML, Flash or XML applications). The below table lists several HTTP-related threats and describes how FortiWeb protects servers from them.

Attack Technique Description Protection FortiWeb Solution
Adobe Flash binary (AMF) protocol attacks Attackers attempt XSS, SQL injection or other common exploits through an Adobe Flash client. Decode and scan Flash action message format (AMF) binary data for matches with attack signatures. Enable AMF3 Protocol Detection
Botnet Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Use the FortiGuard IP Reputation Service to gather up-to-date threat intelligence on botnets and block attacks. IP Reputation
Brute force login attack An attacker attempts to gain authorization by repeatedly trying ID and password combinations until one works. Require strong passwords for users, and throttle login attempts. Custom Policy
Clickjacking Code such as <IFRAME> HTML tags superimposes buttons or other DOM/inputs of the attacker’s choice over a normal form, causing the victim to unwittingly provide data such as bank or login credentials to the attacker’s server instead of the legitimate web server when the victim clicks to submit the form. Scan for illegal inputs to prevent the initial injection, then apply rewrites to scrub any web pages that have already been affected.
Cookie tampering Attackers alter cookies originally established by the server to inject overflows, shell code, and other attacks, or to commit identity fraud, hijacking the HTTP sessions of other clients. Validate cookies returned by the client to ensure that they have not been altered from the previous response from the web server for that HTTP session.
Cross-site request forgery (CSRF) A script causes a browser to access a website on which the browser has already been authenticated, giving a third party access to a user’s session on that site. Classic examples include hijacking other peoples’ sessions at coffee shops or Internet cafés. Specify web pages that FortiWeb protects from CSRF attacks using a special token.

Enforce web application business logic to prevent access to URLs from the same IP but different client.
Cross-site scripting (XSS) Attackers cause a browser to execute a client-side script, allowing them to bypass security. Content filtering, cookie security, disable client-side scripts. Cross Site Scripting
Denial of service (DoS) An attacker uses one or more techniques to flood a host with HTTP requests, TCP connections, and/or TCP SYN signals. These use up available sockets and consume resources on the server, and can lead to a temporary but complete loss of service for legitimate users. Watch for a multitude of TCP and HTTP requests arriving in a short time frame, especially from a single source, and close suspicious connections. Detect increased SYN signals, close half-open connections before resources are exhausted. DoS Protection Policy
HTTP header overflow Attackers use specially crafted HTTP/HTTPS requests to target web server vulnerabilities (such as a buffer overflow) to execute malicious code, escalating to administrator privileges. Limit the length of HTTP protocol header fields, bodies, and parameters. HTTP Protocol Constraints
Local file inclusion (LFI) LFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an LFI, a client includes directory traversal commands (such as ../../for web servers on Linux, Apple Mac OS X, or Unix distributions) when submitting input. This causes vulnerable web servers to use one of the computer’s own files (or a file previously installed via another attack mechanism) to either execute it or be included in its own web pages.

This could be used for many purposes, including direct attacks of other servers, installation of malware, and data theft of /etc/passwd, display of database query caches, creation of administrator accounts, and use of any other files on the server’s file system.

Many platforms have been vulnerable to these types of attacks, including Microsoft .NET and Joomla.
Block directory traversal commands. Generic Attacks
Man-in-the-middle (MITM) A device located on the same broadcast network or between the client and server observes unencrypted traffic between them. This is often a precursor to other attacks such as session hijacking. Redirect clients from HTTP to secure HTTPS, then encrypt all traffic and prevent subsequent accidental insecure access.
Remote file inclusion (RFI) RFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an RFI, a client includes a URL to a file on a remote host, such as source code or scripts, when submitting input. This causes vulnerable web servers to either execute it or include it in its own web pages.

If code is executed, this could be used for many purposes, including direct attacks of other servers, installation of malware, and data theft.

If code is included into the local file system, this could be used to cause other, unsuspecting clients who use those web pages to commit distributed XSS attacks.

Famously, this was used in organized attacks by Lulzsec. Attacks often involve PHP web applications, but can be written for others.
Prevent inclusion of references to files on other web servers. Generic Attacks
Server information leakage A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this fingerprint to craft exploits for a specific system or configuration. Configure server software to minimize information leakage.
SQL injection The web application inadvertently accepts SQL queries as input. These are executed directly against the database for unauthorized disclosure and modification of data. Rely on key word searches, restrictive context-sensitive filtering and data sanitization techniques.

DoS attacks

A denial of service (DoS) attack or distributed denial-of-service attack (DDoS attack) is an attempt to overwhelm a web server/site, making its resources unavailable to its intended users. DoS assaults involve opening vast numbers of sessions/connections at various OSI layers and keeping them open as long as possible to overwhelm a server by consuming its available sockets. Most DoS attacks use automated tools (not browsers) on one or more hosts to generate the harmful flood of requests to a web server.

A DoS assault on its own is not true penetration. It is designed to silence its target, not for theft. It is censorship, not robbery. In any event, a successful DoS attack can be costly to a company in lost sales and a tarnished reputation. DoS can also be used as a diversion tactic while a true exploit is being perpetrated.

The advanced DoS prevention features of FortiWeb are designed to prevent DoS techniques, such as those examples listed in Solutions for specific web attacks, from succeeding. For best results, consider creating a DoS protection policy that includes all of FortiWeb’s DoS defense mechanisms, and block traffic that appears to originate from another country, but could actually be anonymized by VPN or Tor. For details about policy creation, see DoS prevention and "blocklisting source IPs with poor reputation" on page 1.

Attack Technique Description FortiWeb Solution
Botnet Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Well-known examples include LOIC, HOIC, and Zeus. IP Reputation
Low-rate DoS Exploits TCP’s retransmission time-out (RTO) by sending short-duration, high-volume bursts repeated periodically at slower RTO time-scales. This causes a TCP flow to repeatedly enter a RTO state and significantly reduces TCP throughput.
Slow POST attack Sends multiple HTTP POST requests with a legitimate Content-Length: field. This tells the web server how much data to expect. Each POST message body is then transmitted at an unusually slow speed to keep the connection from timing out, and thereby consuming sockets.
Slowloris Slowly but steadily consumes all available sockets by sending partial HTTP requests sent at regular intervals. Each HTTP header is never finished by a new line (/r/n) according to the specification, and therefore the server waits for the client to finish, keeping its socket open. This slowly consumes all sockets on a web server without a noticeable spike on new TCP/IP connections or bandwidth.

Not all web servers are vulnerable, and susceptibility can vary by configuration. Default Apache configurations may be more vulnerable than a server like nginx that is designed for high concurrency.
SYN flood Sends a stream of TCP SYN packets. The target server acknowledges each SYN and waits for a response (ACK). Rather than respond, the attacker sends more SYN packets, leaving each connection half-open, not fully formed, so that it may not register on systems that only monitor fully formed connections. Since each half-formed connection requires RAM to remember this state while awaiting buildup/tear-down, many SYN signals eventually consume available RAM or sockets. Syn Cookie

Solutions for specific web attacks

The types of attacks that web servers are vulnerable to are varied, and evolve as attackers try new strategies.

FortiWeb offers numerous configurable features for preventing web-related attacks, including denial-of-service (DoS) assaults, brute-force logins, data theft, cross-site scripting attacks, among many more.

Early in your deployment of FortiWeb, configure and run web vulnerability scans to detect the most common attack vulnerabilities. You can use this to discover attacks to which you may be vulnerable. For details, see Vulnerability scans.

HTTP/HTTPS threats

Servers are increasingly being targeted by exploits at the application layer or higher. These attacks use HTTP/HTTPS and may aim to compromise the target web server to steal information, deface it, post malicious files on a trusted site to further exploit visitors to the site, or use the web server to create botnets.

Among its many threat management features, FortiWeb fends off attacks that use cross-site scripting, state-based intrusion, and various injection attacks. This helps you comply with protection standards for:

  • Credit-card data, such as PCI DSS 6.6
  • Personally identifiable information, such as HIPAA

FortiWeb can also protect against threats at higher layers (HTML, Flash or XML applications). The below table lists several HTTP-related threats and describes how FortiWeb protects servers from them.

Attack Technique Description Protection FortiWeb Solution
Adobe Flash binary (AMF) protocol attacks Attackers attempt XSS, SQL injection or other common exploits through an Adobe Flash client. Decode and scan Flash action message format (AMF) binary data for matches with attack signatures. Enable AMF3 Protocol Detection
Botnet Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Use the FortiGuard IP Reputation Service to gather up-to-date threat intelligence on botnets and block attacks. IP Reputation
Brute force login attack An attacker attempts to gain authorization by repeatedly trying ID and password combinations until one works. Require strong passwords for users, and throttle login attempts. Custom Policy
Clickjacking Code such as <IFRAME> HTML tags superimposes buttons or other DOM/inputs of the attacker’s choice over a normal form, causing the victim to unwittingly provide data such as bank or login credentials to the attacker’s server instead of the legitimate web server when the victim clicks to submit the form. Scan for illegal inputs to prevent the initial injection, then apply rewrites to scrub any web pages that have already been affected.
Cookie tampering Attackers alter cookies originally established by the server to inject overflows, shell code, and other attacks, or to commit identity fraud, hijacking the HTTP sessions of other clients. Validate cookies returned by the client to ensure that they have not been altered from the previous response from the web server for that HTTP session.
Cross-site request forgery (CSRF) A script causes a browser to access a website on which the browser has already been authenticated, giving a third party access to a user’s session on that site. Classic examples include hijacking other peoples’ sessions at coffee shops or Internet cafés. Specify web pages that FortiWeb protects from CSRF attacks using a special token.

Enforce web application business logic to prevent access to URLs from the same IP but different client.
Cross-site scripting (XSS) Attackers cause a browser to execute a client-side script, allowing them to bypass security. Content filtering, cookie security, disable client-side scripts. Cross Site Scripting
Denial of service (DoS) An attacker uses one or more techniques to flood a host with HTTP requests, TCP connections, and/or TCP SYN signals. These use up available sockets and consume resources on the server, and can lead to a temporary but complete loss of service for legitimate users. Watch for a multitude of TCP and HTTP requests arriving in a short time frame, especially from a single source, and close suspicious connections. Detect increased SYN signals, close half-open connections before resources are exhausted. DoS Protection Policy
HTTP header overflow Attackers use specially crafted HTTP/HTTPS requests to target web server vulnerabilities (such as a buffer overflow) to execute malicious code, escalating to administrator privileges. Limit the length of HTTP protocol header fields, bodies, and parameters. HTTP Protocol Constraints
Local file inclusion (LFI) LFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an LFI, a client includes directory traversal commands (such as ../../for web servers on Linux, Apple Mac OS X, or Unix distributions) when submitting input. This causes vulnerable web servers to use one of the computer’s own files (or a file previously installed via another attack mechanism) to either execute it or be included in its own web pages.

This could be used for many purposes, including direct attacks of other servers, installation of malware, and data theft of /etc/passwd, display of database query caches, creation of administrator accounts, and use of any other files on the server’s file system.

Many platforms have been vulnerable to these types of attacks, including Microsoft .NET and Joomla.
Block directory traversal commands. Generic Attacks
Man-in-the-middle (MITM) A device located on the same broadcast network or between the client and server observes unencrypted traffic between them. This is often a precursor to other attacks such as session hijacking. Redirect clients from HTTP to secure HTTPS, then encrypt all traffic and prevent subsequent accidental insecure access.
Remote file inclusion (RFI) RFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an RFI, a client includes a URL to a file on a remote host, such as source code or scripts, when submitting input. This causes vulnerable web servers to either execute it or include it in its own web pages.

If code is executed, this could be used for many purposes, including direct attacks of other servers, installation of malware, and data theft.

If code is included into the local file system, this could be used to cause other, unsuspecting clients who use those web pages to commit distributed XSS attacks.

Famously, this was used in organized attacks by Lulzsec. Attacks often involve PHP web applications, but can be written for others.
Prevent inclusion of references to files on other web servers. Generic Attacks
Server information leakage A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this fingerprint to craft exploits for a specific system or configuration. Configure server software to minimize information leakage.
SQL injection The web application inadvertently accepts SQL queries as input. These are executed directly against the database for unauthorized disclosure and modification of data. Rely on key word searches, restrictive context-sensitive filtering and data sanitization techniques.

DoS attacks

A denial of service (DoS) attack or distributed denial-of-service attack (DDoS attack) is an attempt to overwhelm a web server/site, making its resources unavailable to its intended users. DoS assaults involve opening vast numbers of sessions/connections at various OSI layers and keeping them open as long as possible to overwhelm a server by consuming its available sockets. Most DoS attacks use automated tools (not browsers) on one or more hosts to generate the harmful flood of requests to a web server.

A DoS assault on its own is not true penetration. It is designed to silence its target, not for theft. It is censorship, not robbery. In any event, a successful DoS attack can be costly to a company in lost sales and a tarnished reputation. DoS can also be used as a diversion tactic while a true exploit is being perpetrated.

The advanced DoS prevention features of FortiWeb are designed to prevent DoS techniques, such as those examples listed in Solutions for specific web attacks, from succeeding. For best results, consider creating a DoS protection policy that includes all of FortiWeb’s DoS defense mechanisms, and block traffic that appears to originate from another country, but could actually be anonymized by VPN or Tor. For details about policy creation, see DoS prevention and "blocklisting source IPs with poor reputation" on page 1.

Attack Technique Description FortiWeb Solution
Botnet Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Well-known examples include LOIC, HOIC, and Zeus. IP Reputation
Low-rate DoS Exploits TCP’s retransmission time-out (RTO) by sending short-duration, high-volume bursts repeated periodically at slower RTO time-scales. This causes a TCP flow to repeatedly enter a RTO state and significantly reduces TCP throughput.
Slow POST attack Sends multiple HTTP POST requests with a legitimate Content-Length: field. This tells the web server how much data to expect. Each POST message body is then transmitted at an unusually slow speed to keep the connection from timing out, and thereby consuming sockets.
Slowloris Slowly but steadily consumes all available sockets by sending partial HTTP requests sent at regular intervals. Each HTTP header is never finished by a new line (/r/n) according to the specification, and therefore the server waits for the client to finish, keeping its socket open. This slowly consumes all sockets on a web server without a noticeable spike on new TCP/IP connections or bandwidth.

Not all web servers are vulnerable, and susceptibility can vary by configuration. Default Apache configurations may be more vulnerable than a server like nginx that is designed for high concurrency.
SYN flood Sends a stream of TCP SYN packets. The target server acknowledges each SYN and waits for a response (ACK). Rather than respond, the attacker sends more SYN packets, leaving each connection half-open, not fully formed, so that it may not register on systems that only monitor fully formed connections. Since each half-formed connection requires RAM to remember this state while awaiting buildup/tear-down, many SYN signals eventually consume available RAM or sockets. Syn Cookie