Hacking Fortinet – WAF TEST (English version)

wafAmong the wide range of solutions to protect security, there are very specialized equipment according to purpose; One such equipment is called Web Application Firewall

According to OWASP is a Web application firewall or “WAF which is a device, server plugin, or filter a set of rules that applies to an HTTP conversation. In general, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules for its implementation, many attacks can be identified and blocked.

wafEvidently a WAF is not a UTM , the WAF it is a device or software that specifically focus on protecting applications or Web systems, it is necessary therefore that in the previous article where through testing against UTM most attacks on web applications, were not blocked by the team.

fortiwebThanks to Yishay Perry (www.fil.org.il) who specializes in Fortinet solutions and a colleague in the area of perimeter security, gave me the possibility to access the Fortinet WAF called  FortiWeb, where we implemented a scenario suitable to perform some tests of the security offensive and validate  if the team could block some of the attacks more representative on web applications.





Test 1 – Cross-site scripting  XSS

The detection of XSS attacks are most complicated to be detected by traditional UTM in this case we see how the WAF reacts to this vulnerability.

A. Without the WAF protects web application
Xss tested the following string: alert (document.cookie)
fortiwebsee that reflected XSS is complete
B. With the WAF protects web application
Retest the same test but now with the WAF protects web application
fortiwebsee that the WAF reacts and blocks the execution of reflected XSS
fortiwebAlso the WAF generates the event log.

Test 2 – File Inclusion

This is another vulnerability difficult to detect , let’s see how he reacts.

A. Without the WAF protects web application
We tested the following  path inclusion: /etc/passwd

fortiwebsee that the command completes and returns the contents of /etc/ passwd file in the web application

B. With the WAF protects web application
Retest the same test but now with the WAF protecting.

fortiwebWe also see that the WAF reacts and blocks the execution of XSS

fortiwebas in the previous test we see that the WAF generates the event log.

Test 3 – Website Defacement

The defacement or defaseo of pages is an attack fairly common these days, let’s see how the WAF reacts.

Scenario: In this case we managed to climb a webshell, upload through a form, then detected the file index.php is the main page of the website and are in the process of save our defacement in the file, as shown below:


A. Without the WAF protects web application
Without the WAF protecting , may save the file and complete the defacement as follows:


B. With the WAF protects web application
Retest trying to save the index.php file with the WAF protecting and it reacts like this:

fortiwebLikewise, the event is recorded as shown below:

fortiwebWAF prevents defacement.


  • Have a much more specialized equipment allows web attacks greatly reduce the chances that can exploit vulnerabilities in applications, such as the case of the FortiWeb
  • All tests were positive about the WAF, it is because, there has been specific configuration to protection for the application that is being defended, ie whatever the WAF solution is used, it is necessary to make custom settings on device . 
  • This guide is intended to show that for any equipment or solution to protect the security, it is highly recommended that offensive security testing to validate each of the security rules that the device offers are made. 
  • I can say that FortiWeb is a pretty good device that protects the assessed vulnerabilities.

In another article we will see how to implement a WAF some solutions based on existing free software.

Juan Oliva


Esta entrada fue publicada en Hacking, Linux, Manuales y tutoriales y etiquetada , , , , , por jroliva. Guarda enlace permanente.

Acerca de jroliva

Juan Oliva, es un consultor de seguridad informática y telefonía IP con 10 años de experiencia en el campo . Muy involucrado en proyectos de pruebas de penetración , análisis y explotación vulnerabilidades, pruebas de ingeniería social, seguridad física, revisión de código, entre otras tareas de seguridad informática. Así mismo, desarrolla proyectos de implementación y mantenimiento de VoIP, basadas en Asterisk y Elastix, proyectos de callcenter, soluciones en la nube y hosted PBX, Aseguramiento de plataformas Linux, Windows. Ha estado trabajando para una variedad de empresas en donde ha desarrollado proyectos para el estado peruano, así como para entidades privadas, nacionales y del extranjero, cuenta con certificaciones vigentes en Ethical hacking, Linux y telefonía IP. Es instructor de cursos de Ethical Hacking y certificaciónes como Linux Professional Institute y Elastix, donde ha tenido oportunidad de realizar capacitaciones en el Perú, así como en el extranjero. Es investigador de vulnerabilidades, y creador de contenidos, que son publicados en su blog personal jroliva.wordpress.com el cual mantiene desde hace mas de 6 años.


Introduce tus datos o haz clic en un icono para iniciar sesión:

Logo de WordPress.com

Estás comentando usando tu cuenta de WordPress.com. Cerrar sesión /  Cambiar )

Google+ photo

Estás comentando usando tu cuenta de Google+. Cerrar sesión /  Cambiar )

Imagen de Twitter

Estás comentando usando tu cuenta de Twitter. Cerrar sesión /  Cambiar )

Foto de Facebook

Estás comentando usando tu cuenta de Facebook. Cerrar sesión /  Cambiar )

Conectando a %s