Fortinet 409 FortiWeb 5.0 Patch 6 Administration Guide
To form a single signature that can check for any of the 3 new attacks, the team joins those 3
regular expressions by using pipe ( | ) characters between them in Expression:
Setting name    Value
Direction       Signature creation
Expression      <(.*)src(\s)*=(\s)*['"`](\s)*(.*)(\s)*['"`](\s)*onError
                |<(.*)['"`]['"`]*(.*)>(\s)*<script>
                |<(\s)*[^(<script)](\s)*src(\s)*=(\s)*(http|https|ftp|\\\\|\/\/)(.*)\?
Action          Alert & Deny
Severity        High
Trigger Action  notification-servers1
See also
Defining custom data leak & attack signatures
Example: Sanitizing poisoned HTML
Example: Local file inclusion fingerprinting via Joomla
Example: Local file inclusion fingerprinting via Joomla
Attackers sometimes scout for vulnerabilities in a target before actually executing an attack on it
or other, more challenging targets. To look for advance notice of specific attacks that your web
servers may soon experience, you might create a honeypot: this server would run the same
Attackers can try many techniques to evade detection by signatures. When writing custom
attack signatures for FortiWeb, or when sanitizing corrupted content via rewriting, consider that
smart attackers:
• instead of explicitly injecting JavaScript statements such as document.write();, inject
  CSS or object HTML that either implicitly uses JavaScript or achieves the same purpose
  (and therefore will not be caught by sanitizers that reject JavaScript-only syntax)
• use alternate encodings such as hexadecimal, Base64 or HTML entities instead of characters
  in the encoding specified by the web page’s charset
• follow or break up valid tags with ignored special characters, such as slashes, spaces, tabs,
  bells, or carriage returns
• use characters that are functionally equivalent, such as single quotes ( ' ) or back ticks ( ` )
  instead of double quotes ( " )
These may be functionally ignored or gracefully handled by a web browser’s or server’s parser,
but will allow the attack to slip by your signature if it is not carefully crafted.
In the above example, the attacker uses the back tick ( ` ) instead of quotes, avoids the
literal mention of javascript:, and does not match a regular expression that requires the
exact, unvaried HTML tag <script>. Your regular expression should be flexible enough to
account for these cases.
If content has already been corrupted by a successful attack, you can simultaneously sanitize
all server responses and notify the response team of specific corrupted URLs. This can help
your incident response team to quickly clean the impacted applications and databases. See
“Example: Sanitizing poisoned HTML” on page 380.
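The following is an added Python harness, not part of the FortiWeb guide, that compiles the joined Expression from the signature table above and runs it over constructed inputs modelled on the evasion notes (equivalent quote characters, whitespace variants, a varied <script> tag). It assumes the PDF’s curly quotes in the character classes stand for ASCII ', " and the back tick; the ignore_case flag is a property of this harness, not a FortiWeb setting described here.

```python
import re

# The three alternatives from the signature table, joined with "|" as the
# guide describes. The PDF's curly quotes are read here as ASCII ', " and `.
SIGNATURE = (
    r"""<(.*)src(\s)*=(\s)*['"`](\s)*(.*)(\s)*['"`](\s)*onError"""
    r"""|<(.*)['"`]['"`]*(.*)>(\s)*<script>"""
    r"""|<(\s)*[^(<script)](\s)*src(\s)*=(\s)*(http|https|ftp|\\\\|\/\/)(.*)\?"""
)


def compile_signature(ignore_case: bool = False) -> re.Pattern:
    """Compile the joined expression. ignore_case is a harness option
    for experimenting, not a FortiWeb setting documented on this page."""
    return re.compile(SIGNATURE, re.IGNORECASE if ignore_case else 0)


def signature_hits(text: str, ignore_case: bool = False) -> bool:
    """True if any alternative matches somewhere in the request text."""
    return compile_signature(ignore_case).search(text) is not None


# Constructed inputs (not captured traffic), each modelled on one of the
# evasion notes above: equivalent quote characters, whitespace variants,
# and a <script> tag that is not written exactly as "<script>".
SAMPLES = {
    "double quotes": '<img src="x.png" onError="alert(1)">',
    "back ticks": '<img src=`x.png` onError=`alert(1)`>',
    "tabs instead of spaces": '<img\tsrc\t=\t"x.png"\tonError="alert(1)">',
    "quote breakout + script": '<input value="x"><script>alert(1)</script>',
    "mixed-case script tag": '<input value="x"><ScRiPt>alert(1)</ScRiPt>',
    "space inside script tag": '<input value="x"><script >alert(1)</script>',
}


def report(ignore_case: bool = False) -> dict:
    """Map each sample name to whether the signature would fire on it."""
    return {name: signature_hits(text, ignore_case) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"ignore_case={flag}")
        for name, hit in report(flag).items():
            print(f"  {'HIT ' if hit else 'MISS'}  {name}")
```

The back-tick and tab variants are caught because the character classes include the back tick and `\s` covers tabs, while the `<script >` variant slips past in both modes because the second alternative requires the exact tag text.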