FortiWeb 5.0 Patch 6 Administration Guide (Fortinet), page 510
Scan
Enable detection of any of the following vulnerabilities that you want to include in the scan report:
• Common Web Server Vulnerability (outdated software and software with known memory leaks, buffer overflows, and other problems)
• XSS (Cross-site Scripting)
• SQL Injection
• Source-code Disclosure
• OS Commanding
Scan Mode
Select whether the scan job will use Basic Mode (use HTTP GET only and omit both user-defined and predefined sensitive URLs) or Enhanced Mode (use both HTTP POST and GET, excluding only user-defined URLs).
Also configure Exclude scanning following URLs.
Basic Mode will avoid alterations to the web site’s databases, but only if all inputs always use POST requests. It also omits testing of the following URLs, which could be sensitive:
• /formathd
• /formatdisk
• /shutdown
• /restart
• /reboot
• /reset
Caution: Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites, even if you use Basic Mode. Instead, duplicate the web site and its database into a test environment, and then use Enhanced Mode with that test environment.
Basic Mode cannot be guaranteed to be non-destructive. Many web sites accept input through HTTP GET requests, and so it is possible that a vulnerability scan could result in database changes, even though it does not use POST. In addition, Basic Mode cannot test for vulnerabilities that are only discoverable through POST, and therefore may not find all vulnerabilities.
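The following Python model shows how the two modes change which requests a scan job actually sends. It is an added example, not FortiWeb code: it reproduces only the rules stated above (GET only plus the predefined sensitive-URL list in Basic Mode; GET and POST with only user-defined exclusions in Enhanced Mode). The function and class names are hypothetical, the candidate URLs and the user-defined exclusion list are constructed sample data, and exclusions are assumed to match on the exact path.

```python
"""Model of how a scan job selects requests under Basic or Enhanced Mode.

Added example, not FortiWeb code. Candidate requests and the user-defined
exclusion list are constructed sample data; exclusion matching is assumed
to be on the exact path.
"""
from dataclasses import dataclass

# Predefined sensitive URLs that Basic Mode always omits (listed in the guide).
PREDEFINED_SENSITIVE_URLS = frozenset({
    "/formathd", "/formatdisk", "/shutdown", "/restart", "/reboot", "/reset",
})


@dataclass(frozen=True)
class Candidate:
    """One request the crawler discovered: HTTP method plus path."""
    method: str   # "GET" or "POST"
    path: str


def plan_scan_requests(candidates, mode, user_excluded=()):
    """Return the subset of `candidates` a scan in `mode` would send.

    mode: "basic" or "enhanced".
    user_excluded: paths entered under "Exclude scanning following URLs";
    they are honoured in both modes.
    """
    if mode not in ("basic", "enhanced"):
        raise ValueError(f"unknown scan mode: {mode!r}")
    excluded = set(user_excluded)
    if mode == "basic":
        # Basic Mode: HTTP GET only, and skip the predefined sensitive URLs too.
        allowed_methods = {"GET"}
        excluded |= PREDEFINED_SENSITIVE_URLS
    else:
        # Enhanced Mode: GET and POST, skipping only user-defined URLs.
        allowed_methods = {"GET", "POST"}
    return [
        c for c in candidates
        if c.method.upper() in allowed_methods and c.path not in excluded
    ]


# Constructed sample crawl results (not from the guide).
SAMPLE_CANDIDATES = [
    Candidate("GET", "/index.php"),
    Candidate("POST", "/login"),
    Candidate("GET", "/search"),
    Candidate("GET", "/reboot"),        # on the predefined sensitive list
    Candidate("POST", "/admin/users"),
    Candidate("GET", "/admin/users"),   # operator chose to exclude this path
]
USER_EXCLUDED = ("/admin/users",)

if __name__ == "__main__":
    for mode in ("basic", "enhanced"):
        plan = plan_scan_requests(SAMPLE_CANDIDATES, mode, USER_EXCLUDED)
        print(mode, [f"{c.method} {c.path}" for c in plan])
```

Note that in Enhanced Mode `/reboot` is sent, because only user-defined URLs are excluded there; that is why the guide tells you to run Enhanced Mode against a duplicated test environment rather than the live site.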
Request Timeout
Type the number of seconds for the vulnerability scanner to wait for a response from the web site before it assumes that the request will not successfully complete, and continues with the next request in the scan. It will not retry requests that time out.
Delay Between Each Request
Type the number of seconds to wait between each request.
Some web servers may rate limit the number of requests, or blacklist clients that issue continuous requests and therefore appear to be a web site harvester or denial of service (DoS) attacker. Introducing a delay can be useful to prevent the vulnerability scanner from being blacklisted or rate limited, which would slow the scan or prevent it from completing.
Note: Increasing the delay will increase the time required to complete the scan.
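The interaction of Request Timeout and Delay Between Each Request is easiest to see with a simulated scan loop. The Python below is an added example, not FortiWeb code: it models the behaviour the two settings describe (a timed-out request is recorded and never retried, a fixed pause is inserted between requests, and a longer delay lengthens the scan) using a simulated clock and constructed response times so it runs offline. Function names are hypothetical.

```python
"""Request pacing for a scan job: per-request timeout, no retry, fixed delay.

Added example, not FortiWeb code. Uses a simulated clock and a simulated
web site (response times are constructed sample values), so it runs offline.
"""
from dataclasses import dataclass


@dataclass
class ScanResult:
    path: str
    status: str     # "ok" or "timeout"
    elapsed: float  # seconds spent on this request


def run_scan(paths, response_times, request_timeout, delay_between_requests):
    """Issue one request per path, in order; return (results, total seconds).

    response_times maps path -> seconds the simulated site takes to answer.
    A request that would take longer than request_timeout is recorded as a
    timeout after exactly request_timeout seconds and is not retried; the
    scan then waits delay_between_requests and moves to the next path.
    """
    if request_timeout <= 0 or delay_between_requests < 0:
        raise ValueError("timeout must be positive and delay non-negative")
    clock = 0.0
    results = []
    for i, path in enumerate(paths):
        if i > 0:
            clock += delay_between_requests          # pause between requests
        needed = response_times.get(path, 0.0)
        if needed > request_timeout:
            results.append(ScanResult(path, "timeout", request_timeout))
            clock += request_timeout                 # gave up; no retry
        else:
            results.append(ScanResult(path, "ok", needed))
            clock += needed
    return results, clock


def worst_case_duration(n_requests, request_timeout, delay_between_requests):
    """Upper bound on scan time: every request times out."""
    if n_requests <= 0:
        return 0.0
    return n_requests * request_timeout + (n_requests - 1) * delay_between_requests


# Constructed sample site: one path answers far slower than the others.
SAMPLE_PATHS = ["/index.php", "/search", "/report", "/login"]
SAMPLE_RESPONSE_TIMES = {"/index.php": 0.2, "/search": 1.5, "/report": 45.0, "/login": 0.3}

if __name__ == "__main__":
    for delay in (0, 2, 5):
        results, total = run_scan(SAMPLE_PATHS, SAMPLE_RESPONSE_TIMES,
                                  request_timeout=10, delay_between_requests=delay)
        print(f"delay={delay}s: total={total:.1f}s",
              [(r.path, r.status) for r in results])
    print("worst case:", worst_case_duration(len(SAMPLE_PATHS), 10, 5))
```

With a 10-second timeout, `/report` is abandoned after 10 seconds rather than the 45 it would need, and raising the delay from 2 to 5 seconds adds exactly 3 seconds per gap to the total; `worst_case_duration` gives the figure to budget for when scheduling a scan window.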