
Hacking Fortinet – SQLI test (English Version)

Those who follow me on Facebook and Twitter know that I recently took a special interest in Fortinet, because it is one of the security devices with the strongest positioning in the region.

Another aspect is that in my pentest projects, whenever I was told that this device was in place protecting the servers, I never ran into any blocking while performing attacks.

Last week, together with my friend Alexis Torres, a colleague from the pentest area and a specialist in Fortinet solutions, we carried out some offensive security tests to validate the security rules when the device protects a web application against attacks.

For the tests we used a properly configured FortiGate D60 appliance, to see whether the device really blocks attacks when protecting a web application. The configuration was done by Alexis (Fortinet solutions specialist), and the idea was to make the testing rigorous.

The test consisted of a vulnerable web application, DVWA, protected by a Fortinet D60 appliance.

Developing the attacks:

As you know, SQL Injection (SQLi) vulnerabilities are the most common in web applications; this is confirmed by their first place in the OWASP Top 10.

Then, against the vulnerable application (DVWA), we first performed a very simple SQLi attack:

' union select 1 --

Surprise: Fortinet detected the SQL pattern and blocked it.

The rule that detected the attack was «http.uri.sql.injection», which obviously does not say much about its inner workings and seems to be a well-kept secret of the vendor.


We did not give up and developed more elaborate attacks with sqlmap, the tool par excellence for SQLi.

However, it was obvious that if the sqlmap attack was sent without any customization, it would be easy prey for Fortinet.

We added some modifications to the attack:

Speed:

--threads=1, we set the maximum number of concurrent requests to 1
--delay=60, a delay of 60 seconds between each SQLi request

Obfuscation:

--technique U, we specify the technique based on UNION query
--batch, skip the Y/N prompts
--tamper, we specify the tamper script used to obfuscate the SQLi payload strings

sqlmap has a wide assortment of them, like a pharmacy:

space2hash.py
space2morehash.py
space2mssqlblank.py
space2mysqlblank.py
charencode.py
chardoubleencode.py
charunicodeencode.py

The syntax of the attack sent was:

python sqlmap.py --url="http://192.168.19.253/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=d0fa0f05f0b714c18b3ba3ebace3f450" -v 3 --dbms "MySQL" --technique U -p id --batch --threads=1 --delay=60 --tamper "space2mysqldash.py"

After a long time (since, as we indicated, we had reduced the speed of the attack), surprise, surprise: the device detected the attack and blocked every one of the payloads sqlmap sent.
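To show why the encoding and whitespace tamper scripts above did not get past the signature, here is an added example (my own code, not the post's or Fortinet's) of the canonicalization a rule like «http.uri.sql.injection» has to apply to a URI parameter before matching a UNION SELECT pattern. The encoded samples are hand-built approximations of what the named tamper scripts produce, not captured sqlmap output.

```python
import re
from urllib.parse import unquote

# Bytes MySQL accepts as whitespace besides the usual ones (tab, LF, VT, FF, CR, NBSP).
# Tamper scripts such as space2mysqlblank swap them in for spaces.
MYSQL_BLANKS = "\x09\x0a\x0b\x0c\x0d\xa0"
BLANK_RUN = re.compile("[" + MYSQL_BLANKS + r"\s]+")
LINE_COMMENT = re.compile(r"(?:#|--)[^\n]*\n")      # space2hash / space2mysqldash style
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)      # /**/ used as a separator
UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")  # charunicodeencode style %uXXXX
UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)

def normalize(param: str) -> str:
    """Canonicalise one URI parameter value before signature matching."""
    cur, prev = param, None
    # Decode repeatedly so charencode and chardoubleencode output both collapse;
    # latin-1 keeps a raw 0xA0 (MySQL NBSP) instead of turning it into U+FFFD.
    for _ in range(3):
        cur = unquote(cur, encoding="latin-1")
        cur = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), cur)
        if cur == prev:
            break
        prev = cur
    # Comments used purely as separators become spaces, then all blank runs collapse.
    cur = LINE_COMMENT.sub(" ", cur)
    cur = BLOCK_COMMENT.sub(" ", cur)
    return BLANK_RUN.sub(" ", cur).strip()

def is_union_injection(param: str) -> bool:
    """True if the canonical form carries a UNION ... SELECT clause."""
    return bool(UNION_SELECT.search(normalize(param)))

# Constructed samples: the plain payload from the post and the same payload as the
# named tamper scripts would encode it (hand-built here, not sqlmap output).
SAMPLES = {
    "plain": "1' union select 1 -- ",
    "charencode": "1%27%20union%20select%201%20--%20",
    "chardoubleencode": "1%2527%2520union%2520select%25201",
    "charunicodeencode": "1%u0027%u0020union%u0020select%u00201",
    "space2mysqlblank": "1%27%0Bunion%A0select%0C1",
    "space2hash": "1%27%23r1%0Aunion%23r2%0Aselect%23r3%0A1",
    "space2mysqldash": "1%27--%0Aunion--%0Aselect--%0A1",
    "benign": "reunion-selection-2015",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:18} -> {is_union_injection(value)}  [{normalize(value)}]")
```

Every encoded variant canonicalises to the same `1' union select 1` string, which is exactly why slowing the scan down and swapping tamper scripts changes nothing for a rule that decodes before it matches.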


Well, obviously it was a good result for Alexis but not for me in my role as attacker; still, from the protection perspective it is good to know that the device does its job, although the following factors need to be considered:

1. Proper configuration
As I indicated, the tests were carried out with a vendor specialist, not by merely enabling or disabling rules or configurations, as most companies / implementers do.

It is also important that an attack specialist performs the other part of the scenario (the offensive test), so that both sides are covered, offensive and defensive security tests, and thus ensure that the configuration is appropriate.

2. Regarding the tests
From the pentester's perspective it is not possible to assume that the device offers perfect security against SQLi; considering that a web application well known for its insecurity was effectively protected in this scenario, more testing in other web scenarios is needed before feeling more satisfied.

In the future I hope to carry out other offensive security tests, such as XSS and session hijacking, among others.

Greetings,
Juan Oliva
@jroliva
