Fortinet 26 FortiWeb 5.0 Patch 6 Administration Guide
Table 1: Execution sequence (web protection profile)

| Scan/action | Involves |
|---|---|
| Trojans | HTTP body |
| Bad Robot | User-Agent: |
| Parameter Validation | • Host: • URL in the HTTP header • Name, data type, and length of <input> tags except <input type="hidden"> |
| Cross Site Scripting, SQL Injection, Generic Attacks (attack signatures) | • Cookie: • Parameters in the URL in the HTTP header, or in the HTTP body (depending on the HTTP method) for <input> tags except <input type="hidden"> • XML content in the HTTP body (if Enable XML Protocol Detection is enabled) |
| Hidden Fields Protection | • Host: • URL in the HTTP header • Name, data type, and length of <input type="hidden"> |
| X-Forwarded-For | X-Forwarded-For: in HTTP header |
| URL Rewriting (rewriting & redirects) | • Host: • Referer: • Location: • URL in HTTP header • HTTP body |
| Auto-learning | Any of the other features included by the auto-learning profile |
| Data Analytics | • Source IP address of the client • URL in the HTTP header • Results from other scans |
| Client Certificate Forwarding | Client’s personal certificate, if any, supplied during the SSL/TLS handshake |
| Reply from server to client | |
| Information Disclosure | Server-identifying custom HTTP headers such as Server: and X-Powered-By: |
| Credit Card Detection | Credit card number in the body, and, if configured, Credit Card Detection Threshold |
| File Uncompress | Content-Encoding: |