FortiPenTest - User Guide
Version 20.3
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://fortiguard.com/
FEEDBACK
Email: techdoc@fortinet.com
Change log 4
Introduction 5
What is FortiPenTest 5
How FortiPenTest Works 9
User Interface Overview 10
Licensing 12
Signing-on for FortiPenTest 13
Registering on FortiCloud 13
Accessing FortiPenTest 14
Managing FortiPenTest 16
Asset Authorization 16
Configuring the Scanner 17
Vulnerability Scanning 19
Dashboard 19
Change log
Introduction
The vast growth of the World Wide Web, or the internet, led to an equally enormous spiral in network security vulnerabilities which could potentially be exploited due to the immense advancement in hacking techniques and cyber-attack methodologies. The almost global use of modern complex web applications makes them easily prone to cyber-attacks and violations. These web applications contain multiple unassessed security risks and vulnerabilities. In such a scenario, network security is of prime importance.
• What is FortiPenTest on page 5
• How FortiPenTest Works on page 9
• User Interface Overview on page 10
What is FortiPenTest
FortiPenTest is a cloud-enabled service that performs vulnerability assessment and penetration testing through an intensive process of comprehensive and criteria-based automated scanning and analysis. It adopts an organised technical approach of assessing your web applications running in an HTTP/HTTPS environment to identify loopholes and vulnerabilities. Penetration testing (pen-testing) is the process of exploring and exploiting security vulnerabilities in an application using various malicious techniques to discover security gaps, securing your network and assisting in suitable remediation steps for the identified susceptibilities.
The goal of FortiPenTest is to provide an easy-to-understand and non-intrusive evaluation of the security
posture of your web applications. The outcome is an accurate and detailed vulnerability assessment report with
a high vulnerability detection rate that facilitates appropriate measures for remediation and further network
penetration testing.
This diagram lays down the building blocks of the FortiPenTest vulnerability assessment and penetration
testing service.
FortiPenTest uses web crawler and fuzzer techniques to detect and scan your web applications for vulnerability assessment. The Common Vulnerability Scoring System (CVSS) and the Open Web Application Security Project (OWASP) Top 6 are employed to assess the severity of vulnerabilities and identify security risks to web applications. The vulnerability assessment result is presented in a comprehensive dashboard and customized, downloadable reports with graphical representation and visualization of statistics.
A1 - Injection
Injection faults, such as SQL, NoSQL, OS, and LDAP injection, happen when untrusted or hostile data is sent to an interpreter as part of a command or query. The interpreter executes this data through unintended commands or accesses data without proper authorization. This can lead to data loss or a complete host takeover.
• Remote Code Execution - Scans if the provided URL together with other scan parameters is vulnerable to exploits due to command injection faults.
• Server-Side Template Injection - Scans if the web application uses server-side templates and if a malicious payload injected into the template can be executed.
• File Inclusion - Scans if the provided URL is vulnerable to dynamic file inclusion, which occurs when the target contains procedures that use user-supplied file path input without proper validation.

A3 - Sensitive Data Exposure
Web applications are vulnerable to sensitive data exposure, that is, revealing information to parties that are not supposed to have access to it. This may lead to data theft or modification of inadequately protected data.
This category analyzes in detail the global configuration settings impacting security as identified in the A6 - Security Misconfiguration category.

A6 - Security Misconfiguration
Security misconfiguration is the most frequently observed flaw and is normally due to insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. All operating systems, frameworks, libraries, and applications must have secure configurations and should be patched/upgraded in a timely manner. These vulnerabilities lead to unauthorized access to system data/functionality or a complete system compromise.

A7 - Cross Site Scripting
A web application is vulnerable to Cross-Site Scripting (XSS) when it includes unsanitized data in a new web page, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. Attackers can execute scripts to exploit all three forms of XSS, namely Reflected, Stored, and DOM, in your browser to hijack user sessions, deface web sites, or redirect you to malicious sites.

A9 - Using Components with Known Vulnerabilities
Development components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. When any vulnerability in these components is exploited, it can lead to major data loss or server hijack. Applications and APIs that employ components with known vulnerabilities tend to weaken application defences and enable various attacks.
• Known Vulnerability - Scans if the asset (provided URL together with other scan parameters) is using components that are known to have vulnerabilities. For components with Common Platform Enumeration (CPE) values, this module also queries the National Vulnerability Database (NVD) to find all reported vulnerabilities for each component. Each vulnerability in NVD is associated with a unique Common Vulnerabilities and Exposures (CVE) ID.

A10 2013 - Unvalidated Redirects and Forwards
Web applications commonly redirect and forward you to other destination pages (websites and applications) using untrusted/unvalidated data. In the absence of validation, attackers can exploit this and redirect you to phishing or malware sites, or use forwards to access unauthorized pages.
• Open Redirect - Scans if the provided URL accepts user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Note: The term asset used henceforth in this document implies the web site that you are scanning.
How FortiPenTest Works
The FortiPenTest user interface with its distinctive organization provides ease of accessibility and navigation. The interactive features allow you to scan your web applications effortlessly.
1. Register on the FortiCloud portal and access the FortiPenTest user interface. See Signing-on for FortiPenTest on page 13.
2. Authorize your asset to perform vulnerability scanning. See Asset Authorization on page 16.
3. Scan the asset for vulnerability assessment. See Vulnerability Scanning on page 19.
4. View the vulnerability scanning results. See Dashboard on page 19.
User Interface Overview
The FortiPenTest solution provides an interactive and easy-to-use GUI which enables easy vulnerability assessment. The GUI home page contains these sections.
Inventory - This page allows you to add assets for vulnerability scanning. The IP address/FQDN of web applications and the port are inputs on this page. The authorization and scan status of the assets are also displayed on this page.
Help icon - Clicking on this icon provides help information for using FortiPenTest.
Licensing
FortiPenTest offers free (evaluation) and paid (licensed) subscriptions. For advanced FortiPenTest usage, you
must purchase a license.
Contact the Fortinet Customer Support team to acquire a license.
Free (evaluation) subscription:
• Valid for 60 days from the date of registration.
• Allows you to perform vulnerability scanning for 1 asset.
• The following features are NOT available:
  • Full scan for vulnerability assessment.
  • Detailed report generation of the scan result.

Paid (licensed) subscription:
• Valid for 365 days from the date of registration.
• Allows you to perform vulnerability scanning for 10 assets per license.
• All FortiPenTest features are available.
Note: After the subscription expires, FortiPenTest vulnerability assessment operations (asset authorization and
scanning) are NOT available. You can ONLY view the scan result page and the reports.
Signing-on for FortiPenTest
This release provides single sign-on support for FortiPenTest along with the FortiCloud suite of products. FortiPenTest is accessible via the FortiCloud GUI - https://support.fortinet.com and https://fortipentest.com. However, if you access https://fortipentest.com, you are redirected to the FortiCloud login page.
• Registering on FortiCloud on page 13
• Accessing FortiPenTest on page 14
Registering on FortiCloud
Prior to using FortiPenTest, you are required to register on the FortiCloud portal.
Use the https://support.fortinet.com access link to register on the FortiCloud portal. A security code is emailed to the address specified during registration; use the code to complete registration and activate your account.
Accessing FortiPenTest
Any user registered on https://support.fortinet.com can access FortiPenTest. Once you log in to FortiCloud and click on your email ID, a banner with Fortinet products is displayed. Select FortiPenTest. You are redirected to the FortiPenTest GUI, https://fortipentest.com.
The associated sub-users of a FortiCare master account can also log in to FortiPenTest and select their master account for access.
A sub-user can be part of multiple master accounts; the license available for use is based on the selected master account (subject to its availability limit).
When you log in to FortiPenTest, your master account and the accounts on which you are configured as a sub-user are displayed; you are prompted to select one.
Managing FortiPenTest
Use these procedures to perform vulnerability assessment and penetration testing on your web applications.
• Asset Authorization on page 16
• Configuring the Scanner on page 17
• Vulnerability Scanning on page 19
• Dashboard on page 19
Asset Authorization
An asset must be successfully authorized before vulnerability scanning can be performed. The authorization process verifies asset ownership.
1. Enter the IP address/FQDN and the Port of the asset in the Inventory page.
The maximum number of assets you can scan is displayed on the GUI as per your subscription. See Licensing on page 12.
2. A unique asset token, UUID, is generated for each asset and is displayed on the page. Copy the UUID and configure it using any of the following methods.
• Create a <UUID>.html file in the webroot of the asset's web server with no content. For example, if the UUID ded8024f-54c1-4bd2-8d82-9ad30bf3e35e is generated for your asset, create an empty file named ded8024f-54c1-4bd2-8d82-9ad30bf3e35e.html.
• Create a forti-<UUID>.html file in the webroot of the asset's web server with <forti-uuid hidden><UUID></forti-uuid> as the content. For example, if the UUID ded8024f-54c1-4bd2-8d82-9ad30bf3e35e is generated for your asset, create a file named forti-ded8024f-54c1-4bd2-8d82-9ad30bf3e35e.html with <forti-uuid hidden>ded8024f-54c1-4bd2-8d82-9ad30bf3e35e</forti-uuid> as the content.
#cat forti-uuid.html
<forti-uuid hidden>ded8024f-54c1-4bd2-8d82-9ad30bf3e35e</forti-uuid>
• Store the UUID as a custom attribute, or create a DNS TXT record with the data forti-uuid=<UUID>, in the domain management page.
3. Click on the Actions icon and select Authorize. The status of the authorization process is displayed.
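As an added example (not Fortinet's code), the following Python check validates the three ownership proofs from step 2 against the asset's UUID before you click Authorize, so a failed authorization can be traced to a malformed proof. It assumes the HTTP fetch of the webroot files and the DNS TXT lookup are done separately and their results are passed in as strings.

```python
import re

# Added example, not Fortinet code: a local pre-flight check for the three
# asset-authorization proofs described above, so an asset owner can see why an
# authorization attempt would fail before clicking Authorize. Fetching the files
# over HTTP and querying DNS is left to the caller; pass the retrieved data in.
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Tag format given in the guide: <forti-uuid hidden>UUID</forti-uuid>
TAG_RE = re.compile(r"<forti-uuid\s+hidden>\s*([^<\s]+)\s*</forti-uuid>", re.I)

def expected_paths(uuid: str) -> dict:
    """Webroot paths the scanner requests for the empty-file and tagged-file methods."""
    if not UUID_RE.match(uuid):
        raise ValueError(f"not a well-formed UUID: {uuid!r}")
    return {"empty_file": f"/{uuid}.html", "tagged_file": f"/forti-{uuid}.html"}

def check_empty_file(body: str) -> bool:
    """Method 1: <UUID>.html is served with no content (a trailing newline is tolerated)."""
    return body.strip() == ""

def check_tagged_file(body: str, uuid: str) -> bool:
    """Method 2: forti-<UUID>.html carries the full UUID inside the forti-uuid tag.
    A truncated or mistyped UUID in the tag fails the check."""
    m = TAG_RE.search(body)
    return m is not None and m.group(1).lower() == uuid.lower()

def check_dns_txt(txt_records: list, uuid: str) -> bool:
    """Method 3: a TXT record on the asset's domain reads forti-uuid=<UUID>.
    Resolvers often return TXT rdata wrapped in double quotes, so strip them."""
    wanted = f"forti-uuid={uuid}".lower()
    return any(r.strip().strip('"').lower() == wanted for r in txt_records)

def authorization_status(uuid, empty_body=None, tagged_body=None, txt_records=None) -> dict:
    """Report which of the three methods would satisfy the ownership check."""
    return {
        "empty_file": empty_body is not None and check_empty_file(empty_body),
        "tagged_file": tagged_body is not None and check_tagged_file(tagged_body, uuid),
        "dns_txt": txt_records is not None and check_dns_txt(txt_records, uuid),
    }

if __name__ == "__main__":
    # Constructed sample inputs, reusing the UUID from the guide's own example.
    uuid = "ded8024f-54c1-4bd2-8d82-9ad30bf3e35e"
    print(authorization_status(
        uuid,
        tagged_body="<forti-uuid hidden>ded8024f-54c1-4bd2-8d82-9ad30b</forti-uuid>",  # truncated
        txt_records=['"forti-uuid=ded8024f-54c1-4bd2-8d82-9ad30bf3e35e"', '"v=spf1 -all"'],
    ))  # -> {'empty_file': False, 'tagged_file': False, 'dns_txt': True}
```

Only one method has to pass; the truncated tag in the sample run shows why a copy-paste error on the UUID is the first thing to rule out.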
Configuring the Scanner
In the Configuration tab, you can configure the scanner for vulnerability assessment.
Scan Flag
Configures the type of scan, Quick Scan or Full Scan (default).
A Quick Scan is a fast scanning mode that provides vulnerability assessment based on limited testing of the static pages of your asset. A Full Scan provides vulnerability assessment based on complete testing of the static and dynamic pages of your asset. This mode takes longer as it also scans dynamic web pages.
Cross-Site Scripting, Server-Side Template Injection, Local/Remote File Inclusion, Open Redirection
  Quick Scan: Uses a limited set of payloads.
  Full Scan: Uses the full set of payloads.

Weak Form Password
  Quick Scan: Uses a limited dictionary for brute force vulnerabilities.
  Full Scan: Uses the full dictionary for brute force vulnerabilities.

Suspicious Domains
  Quick Scan: <= 30 web domains are scanned for vulnerabilities.
  Full Scan: All web domains found are scanned for vulnerabilities.

Information Disclosure
  Quick Scan: Extracts information on static HTML and scans for banner grabbing vulnerabilities.
  Full Scan: Extracts information on static and rendered HTML, scans for banner grabbing vulnerabilities and secret finders using regular expressions.

Security Headers, Cross-Origin Resource Sharing Misconfiguration, Known Vulnerabilities
  Quick Scan and Full Scan: Employs the same scanning techniques for both.
Authentication Options
You can configure two authentication methods for the scanner. Click on More and configure the following.
• Authentication via GUI - This is required for assets that have authentication enabled.
  • Web Authentication or Basic Authentication - This is required for websites that have a login form and require credentials to be validated. For a website that has authentication enabled, you are required to enter the username and password for the entire web application to be scanned.
  • Login URL - The login URL of your asset.
• Authentication via Cookies - You are required to extract cookies from the website.
  • Headers - Use any web debugging application to extract cookies from the asset. Copy and paste the cookie in this field. The required format for the header is Content-type :Value; Cookie :Value.
Consider the following example.
The cookie is extracted using a web debugger application.
Vulnerability Scanning
After successful authorization, the asset must be scanned for vulnerability assessment. To configure the vulnerability scanner, see Configuring the Scanner on page 17.
Click Scan. A progress bar is displayed with the status of the scanning process. You can terminate the scanning process by clicking Stop.
After the current scanning process is complete, you can scan the asset again by clicking Rescan.
Dashboard
The scan result for vulnerability assessment is populated in a comprehensive dashboard with graphical representation and visualization of statistics as a combination of summary charts and detailed data. The dashboard provides an insight into the scanned assets based on the URIs, CVSS score, and OWASP top ten vulnerabilities' categorization.
The dashboard is divided into donut/pie charts with each color coded wedge of the chart representing a
particular count/percentage. Hover over different parts of the chart to view details.
The vulnerability scan detects and assesses URIs in the asset. The URI statistics displayed on the chart represent the total number of URIs detected (center of the chart) with each wedge of the chart representing the count/percentage of the following:
• The URIs with scan success
• The URIs with scan failure
• The URIs not scanned
The detected URIs are scanned for vulnerabilities and are categorized based on severity. The vulnerability statistics displayed on the chart represent the total number of vulnerabilities found in the scanned URIs (center of the chart) with each wedge of the chart representing the count/percentage of vulnerabilities with Critical, High, and Medium severity. The severity categorization is done based on the CVSS score.
The top 6 OWASP category based statistics found on the scanned asset are displayed on the chart.
The category based statistics displayed on the chart represent the total number of vulnerabilities found (center
of the chart) with each wedge of the chart representing the count/percentage of vulnerabilities. Clicking on this
chart brings up a tabular view of the vulnerabilities categorized as Critical, High, Medium, and Low.
FortiPenTest provides vulnerability assessment for the following OWASP security risks. For details, see section What is FortiPenTest on page 5.
• A1 - Injection
• A3 - Sensitive Data Exposure
• A6 - Security Misconfiguration
• A7 - Cross Site Scripting
• A9 - Using Components with Known Vulnerabilities
• 2013 A10 - Unvalidated Redirects and Forwards
This list displays the scan result per URI for you to analyze and remediate the issues found. Click on each URI to view details such as the vulnerability description, CVSS score, and suggested remediation.
Click Generate Report to view the scan result in a .pdf format. You can select to generate and download
Summary Reports or Detailed Reports.
Optionally, you can password protect the report by selecting Password Protection and configuring the
password.