Fortinet 5.0 Patch 6 Example: Local file inclusion fingerprinting via Joomla

Fortinet 409 FortiWeb 5.0 Patch 6 Administration Guide

To form a single signature that can check for any of the 3 new attacks, the team joins those 3

regular expressions by using pipe ( | ) characters between them in Expression:

See also

•Defining custom data leak & attack signatures

•Example: Sanitizing poisoned HTML

Example: Local file inclusion fingerprinting via Joomla

Attackers sometimes scout for vulnerabilities in a target before actually executing an attack on it

or other, more challenging targets. To look for advance notice of specific attacks that your web

servers may soon experience, you might create a honeypot: this server would run the same

Setting name Value

Direction Signature creation

Expression <(.*)src(\s)*=(\s)*[‘’‘”](\s)*(.*)(\s)*[‘’‘”](\s)*onError

|<(.*)[‘’‘”][‘’‘”]*(.*)>(\s)*<script>

|<(\s)*[^(<script)](\s)*src(\s)*=(\s)*(http|https|ftp|\\\\|\/\/)(.*)\?

Action Alert & Deny

Severity High

Trigger Action notification-servers1

Attackers can try many techniques to evade detection by signatures. When writing custom

attack signatures for FortiWeb, or when sanitizing corrupted content via rewriting, consider that

smart attackers:

• instead of explicitly injecting JavaScript statements such as document.write();, inject

CSS or object HTML that either implicitly uses JavaScript or achieves the same purpose

(and therefore will not be caught by sanitizers rejecting JavaScript only syntax)

• use alternate encodings such as hexadecimal, Base64 or HTML entities instead of character

in the encoding specified in the web page’s charset

• follow or break up valid tags with ignored special characters, such as slashes, spaces, tabs,

bells, or carriage returns

• use characters that are functionally equivalent, such as single quotes ( ’ ) or back ticks ( ‘ )

instead of double quotes ( “” )

These may be functionally ignored or gracefully handled by a web browser or server’s parser,

but will allow the attack to slip by your signature if it is not carefully crafted

In the above example, the attacker uses the back tick ( ‘ ) used instead of quotes, avoids the

literal mention of javascript:, and does not match a regular expression that requires the

exact, unvaried HTML tag <script>. Your regular expression should be flexible enough to

account for these cases.

If content has already been corrupted by a successful attack, you can simultaneously sanitize

all server responses and notify the response team of specific corrupted URLs. This can help

your incident response team to quickly clean the impacted applications and databases. See

“Example: Sanitizing poisoned HTML” on page 380.