Fortinet 510 FortiWeb 5.0 Patch 6 Administration Guide
Scan Enable detection of any of the following vulnerabilities that you
want to include in the scan report:
•Common Web Server Vulnerability (outdated software and
software with known memory leaks, buffer overflows, and other
problems)
• XSS (Cross-site Scripting)
•SQL Injection
• Source-code Disclosure
• OS Commanding
Scan Mode Select whether the scan job will use Basic Mode (use HTTP GET
only and omit both user-defined and predefined sensitive URLs) or
Enhanced Mode (use both HTTP POST and GET, excluding only
user-defined URLs).
Also configure Exclude scanning following URLs.
Basic Mode will avoid alterations to the web site’s databases, but
only if all inputs always uses POST requests. It also omits testing
of the following URLs, which could be sensitive:
•/formathd
• /formatdisk
•/shutdown
• /restart
•/reboot
•/reset
Caution: Fortinet strongly recommends that you do not scan for
vulnerabilities on live web sites, even if you use Basic Mode.
Instead, duplicate the web site and its database into a test
environment, and then use Enhanced Mode with that test
environment.
Basic Mode cannot be guaranteed to be non-destructive. Many
web sites accept input through HTTP GET requests, and so it is
possible that a vulnerability scan could result in database changes,
even though it does not use POST. In addition, Basic Mode cannot
test for vulnerabilities that are only discoverable through POST, and
therefore may not find all vulnerabilities.
Request
Timeout
Type the number of seconds for the vulnerability scanner to wait
for a response from the web site before it assumes that the request
will not successfully complete, and continues with the next request
in the scan. It will not retry requests that time out.
Delay Between
Each Request
Type the number of seconds to wait between each request.
Some web servers may rate limit the number of requests, or
blacklist clients that issue continuous requests and therefore
appear to be a web site harvester or denial of service (DoS)
attacker. Introducing a delay can be useful to prevent the
vulnerability scanner from being blacklisted or rate limited, and
therefore slow or unable to complete its scan.
Note: Increasing the delay will increase the time required to
complete the scan.
Setting name Description