Administration Guide

Vulnerability scans

You can scan for known vulnerabilities on your web servers and web applications, which helps you design protection profiles that are an effective and efficient use of processing resources.

Vulnerability reports from a certified vendor can help you comply with regulations and certifications that require periodic vulnerability scans, such as Payment Card Industry Data Security Standard (PCI DSS).

Run vulnerability scans during initial FortiWeb deployment and any time you are staging a new version of your web applications. You may also be required by your compliance regime to provide reports on a periodic basis, such as quarterly. For details, see How to set up your FortiWeb.

Each vulnerability scan starts from an initial URL, authenticates if set up to do so, then scans for vulnerabilities in web pages that it crawls to from links on the initial page. After performing the scan, the FortiWeb appliance generates a report from the scan results.

To enable web vulnerability scan

Before you can configure web vulnerability scanning, you must first enable the feature.

  1. Go to System > Config > Feature Visibility.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. Locate Security Features.
  3. Enable Web Vulnerability Scan.
  4. Click Apply.
To run a web vulnerability scan
  1. Optionally, configure email settings. Email settings included in vulnerability scan profiles cause FortiWeb to email scan reports. For details, see Configuring email settings.
  2. Prepare the staging or development web server for the scan. For details, see Preparing for the vulnerability scan.
  3. Create a scan schedule, unless you plan to execute the scan manually. The schedule defines how often the scan runs. For details, see Scheduling web vulnerability scans.
  4. Create a scan profile. The profile defines which vulnerabilities to scan for. For details, see Configuring vulnerability scan profiles.
  5. Create a scan policy. The policy integrates a scan profile and schedule. For details, see Running vulnerability scans.
  6. Examine the vulnerability scan report. The report provides details and analysis of the scan results. For details, see Viewing/downloading vulnerability scan reports.
Preparing for the vulnerability scan

For best results, prepare the network and the target hosts before running a vulnerability scan.

Live websites

Fortinet strongly recommends that you do not scan for vulnerabilities on live websites. Instead, duplicate the website and its database in a test environment such as a staging server and perform the scan in that environment. For details, see Scan Mode.

Network accessibility

You may need to configure each target host and any intermediary NAT or firewalls to allow the vulnerability scan to reach the target hosts.

Traffic load & scheduling

You should talk to the owners of target hosts to determine an appropriate time to run the vulnerability scan. You can even schedule in advance the time that the FortiWeb will begin the scan.

For example, you might schedule the scan to avoid peak traffic hours, to restrict unrelated network access during the scan, and to ensure that the target hosts will not be powered off while the vulnerability scan runs.

To determine the current traffic load, see HTTP Throughput Monitor widget. For scheduling information, see Scheduling web vulnerability scans.

Scheduling web vulnerability scans

Web Vulnerability Scan > Web Vulnerability Scan Schedule enables you to schedule vulnerability scans.

A vulnerability scan schedule defines when the scan will automatically begin, and whether the scan is a one-time or periodically recurring event.

To configure a vulnerability scan schedule
  1. Go to Web Vulnerability Scan > Web Vulnerability Scan Schedule.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.
  3. Click Create New.
  4. Configure these settings:
    Name: Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Type: Select the type of schedule:
    • One Time—Run the vulnerability scan once.
    • Recurring—Run the vulnerability scan periodically.
    Time: Select the time of day to run the scan.
    Date: If the One Time type is selected, select the date to run the scan. This setting is available only if Type is One Time.
    Day: If the Recurring type is selected, select the days of the week to run the scan. This setting is available only if Type is Recurring.
  5. Click OK.
  6. To use the schedule, select it in a web vulnerability scan policy. For details, see Running vulnerability scans.
Configuring vulnerability scan profiles

Web Vulnerability Scan > Scan Profile enables you to configure vulnerability scan profiles as well as scan templates.

A vulnerability scan profile defines a web server that you want to scan, as well as the specific vulnerabilities to scan for. Vulnerability scan profiles are used by vulnerability scan policies, which determine when to perform the scan and how to publish the results of the scan defined by the profile.

Four default scan templates with different scan depths are available. You can also create your own scan templates.

To configure a vulnerability scan profile
  1. If FortiWeb must authenticate in order to reach all URLs that will be involved in the vulnerability scan, configure the web application (if it provides form-based authentication) with an account that FortiWeb can use to log in.
    For best results, the account should have permissions to all functionality used by the website. If URLs and inputs vary by account type, you may need to create multiple accounts—one for each non-overlapping set—and run separate vulnerability scans for each account.
  2. Go to Web Vulnerability Scan > Scan Profile.
  3. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.
  4. Click Create New.
  5. Configure these settings:
    Name: Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Scan Target: Enter the URL that you want to scan, such as www.mytestwvs.com.
    Scan Template: Select an existing scan template that you want to use in the profile.
  6. Click OK to start the scan.
  7. Optionally, configure the settings under Advanced Options:
    General
    Request Timeout: Type the number of seconds that the vulnerability scanner waits for a response from the website before it assumes that the request will not complete and continues with the next request in the scan. Timed-out requests are not retried.
    Cookie Jar File: Designate a cookie jar file. The cookie jar file must be in Mozilla format.
    Ignore Session Cookies: If enabled, the scanner ignores all session cookies sent by the target web application.
    Custom Headers: You can define the Host, User-Agent, and other common headers sent in each request.
    Take DVWA as an example: if basic authentication or form authentication fails, cookie authentication is required. Follow the steps below:
    1. Log in to DVWA via a browser.
    2. Copy the session cookie and configure it in Custom Headers.
    3. Connect to the FortiWeb CLI.
    4. Run the following commands to exclude the logout page from the crawl, so that the scanner does not follow the logout link and invalidate the session it is using:
      config wvs profile
        edit "wvs"
          set ignore-regex .*logout.php.*
        next
      end
    Crawl
    Sub Path Limit per URL: The maximum number of requests for the sub-paths of each URL.
    Max Scan Time: The maximum scanning time.
    Max Crawl Time: The maximum crawling time (minutes).
    Max Params Limit per URL: The maximum number of requests for each URL and parameter set.
    Max File Size: The maximum file size (in bytes) that the scanner will retrieve from the remote server.
    Max HTTP Retries: The maximum number of retries when requesting a URL. The valid range is 1–10.
    Authentication
    HTTP Basic Authentication
    User: Enter the username for the web application.
    Password: Enter the password for the username.
    Form Based Authentication
    Authenticate URL: Enter the target URL for security auditing. The URL must include the http:// or https:// scheme.
    Username Field: The username parameter name, for example, "uname" if the HTML looks like <input type="text" name="uname">...
    Password Field: The password parameter name, for example, "pwd" if the HTML looks like <input type="password" name="pwd">...
    Username: Enter the username to use in the authentication process.
    Password: Enter the password for the username.
    Data Format: Add any extra parameters that the website requires for authentication, for example, %u=%U&%p=%P&security_level-0&form-submit. The default value %u=%U&%p=%P includes the values for Username Field and Password Field.
    Session Check URL: Enter the URL that the scanner requests to verify that the authenticated session is still valid.
    Session Check String: Enter a string expected in the response from the Session Check URL. If the string is found, the authentication succeeded; otherwise, the authentication is re-launched.
  8. Click OK.
  9. To use the profile, select it in a web vulnerability scan policy. For details, see Running vulnerability scans.
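As an added example (not FortiWeb code), the following Python models how the Form Based Authentication settings above and the DVWA cookie-authentication steps fit together: expanding the Data Format placeholders into a login body, checking the Session Check String, honouring the ignore-regex so the crawler never requests the logout page, and building a Cookie header from a Mozilla-format cookie jar. All function names, the sample cookie jar and the DVWA-style host and field names are assumptions.

```python
# Added example, not FortiWeb code: a constructed model of the Scan Profile
# authentication settings described above. Function names, the sample cookie
# jar and the DVWA-style field names are assumptions for illustration.
import re
from urllib.parse import quote_plus, urlsplit


def render_data_format(data_format, username_field, password_field, username, password):
    """Expand the Data Format template into the POST body sent to Authenticate URL.

    %u / %p stand for the Username Field / Password Field names and %U / %P for
    the credential values. Values are percent-encoded so that '&', '=' or '%'
    inside a password cannot split the body into extra form fields.
    """
    body = data_format.replace("%U", quote_plus(username))
    body = body.replace("%P", quote_plus(password))
    return body.replace("%u", username_field).replace("%p", password_field)


def session_is_valid(session_check_response, session_check_string):
    """Authentication counts as successful only if the Session Check String
    appears in the response fetched from the Session Check URL; otherwise the
    scanner must log in again."""
    return session_check_string in session_check_response


def should_crawl(url, ignore_regex):
    """Model of 'set ignore-regex': a URL matching the pattern is never requested.
    With '.*logout.php.*' the crawler never follows the DVWA logout link, so the
    session cookie copied into Custom Headers stays valid for the whole scan."""
    return re.match(ignore_regex, url) is None


def cookie_header_for(cookie_jar_text, url):
    """Build the Cookie request header for `url` from a Mozilla-format cookie jar.

    Each data line is tab-separated: domain, include_subdomains, path, secure,
    expiry, name, value. A '#HttpOnly_' prefix marks an HttpOnly cookie and is
    not a comment.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    https = parts.scheme == "https"
    pairs = []
    for line in cookie_jar_text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        domain, include_subdomains, cookie_path, secure, _expiry, name, value = fields
        allow_subdomains = domain.startswith(".") or include_subdomains.upper() == "TRUE"
        domain = domain.lstrip(".")
        if host != domain and not (allow_subdomains and host.endswith("." + domain)):
            continue
        if not path.startswith(cookie_path):
            continue
        if secure.upper() == "TRUE" and not https:
            continue  # secure cookies must not be sent over plain HTTP
        pairs.append(f"{name}={value}")
    return "; ".join(pairs)


# Constructed sample cookie jar (Mozilla format) for a hypothetical DVWA host.
SAMPLE_COOKIE_JAR = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    "dvwa.example.test\tFALSE\t/\tFALSE\t0\tPHPSESSID\tabc123",
    "#HttpOnly_dvwa.example.test\tFALSE\t/\tFALSE\t0\tsecurity\tlow",
    "other.example.test\tFALSE\t/\tTRUE\t0\tsid\tzzz",
])


if __name__ == "__main__":
    print(render_data_format("%u=%U&%p=%P", "uname", "pwd", "admin", "p&ss=w%rd"))
    print(cookie_header_for(SAMPLE_COOKIE_JAR, "http://dvwa.example.test/login.php"))
    print(should_crawl("http://dvwa.example.test/logout.php", ".*logout.php.*"))
```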
To configure a vulnerability scan template
  1. Go to Web Vulnerability Scan > Scan Template.
    Because multiple vulnerability plugins are integrated, they are classified into different types. Four scan templates are provided by default; these cannot be edited or deleted. You can also define your own templates.
    Full Audit: Perform a full audit of the target website, using only the webSpider plugin for discovery.
    Fast Scan: Perform a fast scan of the target site, using only a few discovery plugins and the fastest audit plugins.
    Brute Force: Brute-force form or basic authentication access controls using default credentials. Set the target URL to the resource where the access control is.
    OWASP Top 10: OWASP, a worldwide free and open community focused on improving the security of application software, researches and publishes the ten most common security flaws, which this template covers.
  2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.
  3. Click Create New.
  4. Configure these settings:
    Name: Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Plugin: Configure the plugins. Double-click any of the five plugin categories and select the related plugins for each category.
  5. Click OK.
  6. To use the template, select it in a vulnerability scan profile. For details, see To configure a vulnerability scan profile.
Running vulnerability scans

In order to run a vulnerability scan, you must create a vulnerability scan policy.

A vulnerability scan policy defines the scheduling type of scan (an immediate scan or a scheduled scan), the profile to use, the file format of the report, and recipients.

To configure a web vulnerability scan policy
  1. Go to Web Vulnerability Scan > Web Vulnerability Scan Policy.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:
    Name: Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
    Type: Select the scheduling type, either:
    • Run Now—The scan can be manually started at any time by the user.
    • Schedule—The scan is performed according to the schedule defined in Schedule.
    Schedule: Select the predefined schedule to use for the scan. For details, see Scheduling web vulnerability scans. This option appears only if Type is Schedule.
    Profile: Select the profile to use when running the vulnerability scan. For details, see Configuring vulnerability scan profiles.
    Report Format: Enable one or more file formats for the vulnerability scan report:
    • HTML
    • XML
    • PDF
    Email Policy: Select the email settings, if any, to use to send the results of the vulnerability scan. For details, see Configuring email settings.
  4. Click OK.
    When the scan is complete, FortiWeb generates a report based on the scan results. For details, see Viewing/downloading vulnerability scan reports.
    Status
    • Starting
      If Type is Run Now, the scan begins immediately and the status is Starting for around a second.
      If Type is Schedule and the scheduled time has just arrived, the scan is about to start and the status is Starting for around a second.
    • Stopped
      When the status is Scanning and you click the stop action, the status becomes Stopped.
      If Type is Schedule and the scheduled time has not yet arrived, the status is Stopped.
    • Scanning
      After the scanner has been active for a short while, the status changes from Starting to Scanning.
      The scanning time required varies with the network speed and traffic volume, the load of the target hosts (especially the number of request timeouts), and your configuration in Advanced Options > Crawl of the Scan Profile.
    • Done
      When the scanning associated with the policy is finished, the status becomes Done.
    Action: Click the corresponding action to stop the scan, to re-start the scan, or to view the scan summary.
Viewing/downloading vulnerability scan reports

After a web vulnerability scan is completed, the FortiWeb appliance generates a report summarizing and analyzing the results of the scan. If you have configured it to email the report to you when the scan is complete, you may receive the report in your inbox. You can also view and download the report through the web UI.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Web Vulnerability Scan Configuration category. For details, see Permissions.

Go to Web Vulnerability Scan > Scan History to see the list of scan reports.

The pane includes the following information:

Target Server: The host name of the server that was scanned for vulnerabilities. Click the target server name to view the scan summary associated with this server.
Request Count: The total number of requests sent.
Requests per Minute: The number of requests sent per minute.
Scan Time: The date and time that the scan started.
End Time: The date and time that the scan finished.
Total Alerts Found: The total number of vulnerabilities discovered during the scan.

You can do the following:

Delete: Select one or more reports and click Delete to delete them.
View: Click to view a scan report.
Download: Click to download a copy of a scan report.

The figure below shows the scan report details.
