End Goal
* Set up a deliberately vulnerable web server (e.g. WebGoat; this lab uses DVWA) and perform a "SQL injection" or "Cross-site scripting" attack → the attack succeeds
* Protect the vulnerable web server with the FortiGate NGFW (Web Application Firewall) and perform the same attack again → the attack fails (the server is now protected)
Read (& Learn) Before the Lab
Inspirational Picture:
FortiGate Web Application Firewall (WAF) screenshot
Note the "Signatures" section and the "SQL injection" entry in the screenshot above
BAD: https://www.youtube.com/watch?v=E4qwpBxH5b4 Web application firewall (WAF) - firewall training
Good: https://www.youtube.com/watch?v=TYdzj1XMMAI
Cable the lab according to the topology below
Install Damn Vulnerable Web Application (DVWA) on Kali Linux
sudo apt-get update
sudo apt-get install dvwa
sudo dvwa-start
surf to http://127.0.0.1:42001 on Kali itself
surf to http://192.168.1.XX:42001 (Kali's address on the lab network) from another machine; you will most likely get a 403 error here
FIX THE 403 ERRORS (the packaged nginx vhost only allows access from localhost; the "deny all" rule is what other hosts hit) WITH:
sudo dvwa-stop
sudo nano /etc/dvwa/vhost/dvwa-nginx.conf
change the port from 42001 to 80
change both occurrences of "deny all" to "allow all" (this exposes a deliberately vulnerable application to everyone on the network, so keep the lab network isolated)
sudo dvwa-start
surf to http://192.168.1.XX:80
This is the actual lab; the steps above were only initial setup/prerequisites.
Follow https://getlabsdone.com/how-to-configure-fortigate-port-forwarding/ to configure port forwarding on the FortiGate.
Use port 80 (not 42001) for the DVWA server below, since you changed its listening port above!
Access DVWA from the outside Windows PC with http (not https) using the URL http://192.168.16.XX:42001 (the FortiGate's outside address and the port of your port-forward)
Troubleshoot the port-forward NAT if you cannot see the http web page
Go to DVWA Security and change the Security Level to "low" (log in with DVWA's default credentials admin / password if asked)
4.1 Go to XSS (reflected) and enter Robert → the name is reflected into the page
4.2 Go to XSS (reflected) and enter <Script>alert("hacked by Robert")</Script> → an alert box pops up: the browser executed the script that came from the input
Read more: https://tanmay26.medium.com/cross-site-scripting-xss-dvwa-damn-vulnerable-web-applications-36808bff37b3
5.1 Go to Setup / Reset DB and click the button "Create/Reset Database"
5.2 Go to SQL injection and enter 1 → one user is returned
5.3 Go to SQL injection and enter %' or '1' = '1 → all users are returned (the input closes the quoted string and appends an always-true condition). Beware of the difference between the ASCII apostrophe ' and the similar-looking ` and ´ characters; only ' works here :- )
Read more: https://medium.com/@tafiaalifianty/low-level-sql-injection-in-dvwa-41928b7206c6
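Added example (not part of the lab sheet and not DVWA's own code): why DVWA's "low" level falls to the two payloads above, with the fixed code next to the vulnerable one. It assumes that DVWA's low SQLi page runs SELECT first_name, last_name FROM users WHERE user_id = '<id>' with the id pasted straight into the SQL string, and that the low reflected-XSS page echoes the name parameter into the HTML unchanged; the user rows are constructed sample data, not a dump of a real DVWA database.

```python
"""Vulnerable-versus-hardened versions of DVWA's low SQLi and reflected XSS.
Added example; the SQL shape and the echo behaviour are assumptions about
DVWA's low level, and SAMPLE_USERS is constructed test data."""
import html
import sqlite3

# Constructed sample users (stand-in for DVWA's users table).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"),
    (5, "Bob", "Smith"),
]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database loaded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(user_id: str) -> list:
    """DVWA-low style: the request parameter becomes part of the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    # With user_id = "%' or '1' = '1" the statement becomes
    #   ... WHERE user_id = '%' or '1' = '1'
    # and the always-true OR branch returns every row.
    return _connect().execute(query).fetchall()


def lookup_parameterized(user_id: str) -> list:
    """Hardened: the value is bound as a parameter, so quotes in it are data."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return _connect().execute(query, (user_id,)).fetchall()


def reflect_vulnerable(name: str) -> str:
    """DVWA-low reflected XSS: the parameter is written into the page as-is,
    so a <script> element inside it is parsed and run by the browser."""
    return f"<pre>Hello {name}</pre>"


def reflect_escaped(name: str) -> str:
    """Hardened: HTML-escape before inserting into markup; '<' becomes '&lt;'."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


if __name__ == "__main__":
    sqli = "%' or '1' = '1"
    xss = '<Script>alert("hacked by Robert")</Script>'
    print("vulnerable, id=1         ->", lookup_vulnerable("1"))
    print("vulnerable, injection    ->", lookup_vulnerable(sqli))
    print("parameterized, injection ->", lookup_parameterized(sqli))
    print("vulnerable reflect       ->", reflect_vulnerable(xss))
    print("escaped reflect          ->", reflect_escaped(xss))
```

Run it as a script to see the injection return every sample row from the concatenated query and nothing from the parameterized one, and the escaped reflection turn the <Script> tag into inert text. The WAF configured later in this lab is a compensating control in front of the application; the parameterized query and the escaping are the actual fix.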
Manual: FortiGate / FortiOS 7.4.1 Administration Guide, section "Protecting a server running web applications"
Picture
Click ⚙️System > Feature Visibility, turn on Web Application Firewall and click Apply
Detect and block known web application attacks. Also apply HTTP Protocol Constraint and Access Rules to traffic. Set up Web Application Firewall Profiles (under Security Profiles > Web Application Firewall) and add them to Firewall Policies.
Proxy-based inspection must be enabled via the CLI first: click the ">_" symbol in the top right corner to open the CLI console and enter:
config system settings
set gui-proxy-inspection enable
end
Click 🔒Security Profiles > Web Application Firewall
Create a new profile by clicking [+ Create New], name it "waf-profile1" and simply click OK, without selecting any Signatures or Constraints.
Optional (this step can be skipped): click >_ in the top right corner to open the CLI and inspect the new profile's constraint settings:
config waf profile
edit waf-profile1
config constraint
show full-configuration
end
end
Go back to "📄Policy & Objects > Firewall Policy" and edit your port-forward (NAT) policy:
6.1 Change "Inspection Mode" from "Flow-based" to "Proxy-based" (this choice only appears after gui-proxy-inspection was enabled above)
6.2 Enable "Web Application Firewall"
6.3 Select the WAF profile you created above ("waf-profile1" in this example), not the default one
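Added illustration (not the lab's and not Fortinet's code) of what the WAF profile's "Signatures" do, reduced to a few lines: a proxy-mode WAF reassembles the HTTP request, decodes the parameters the way the application will, and matches them against attack patterns; a hit becomes a block. The two regexes are signatures written for this example, not FortiGate's signature set, and the request lines are constructed, using DVWA's /vulnerabilities/xss_r/ and /vulnerabilities/sqli/ paths and the payloads from steps 4.2 and 5.3.

```python
"""Toy signature-based request inspection. Added example: the signatures and
request lines are constructed for illustration, not FortiGate's own."""
import re
from urllib.parse import unquote_plus, urlsplit

# Illustrative signatures (constructed): a quote/OR tautology and a <script> tag.
SIGNATURES = [
    ("sqli-tautology", re.compile(r"""(?i)['"]\s*or\s*['"]?\s*\w+\s*['"]?\s*=\s*['"]?\s*\w+""")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
]

# Constructed request lines, as a browser would send the lab's inputs.
CONSTRUCTED_REQUESTS = [
    "GET /vulnerabilities/xss_r/?name=Robert HTTP/1.1",
    "GET /vulnerabilities/xss_r/?name=%3CScript%3Ealert%28%22hacked+by+Robert%22%29%3C%2FScript%3E HTTP/1.1",
    "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1",
    "GET /vulnerabilities/sqli/?id=%25%27+or+%271%27+%3D+%271&Submit=Submit HTTP/1.1",
    # Double-encoded variant of the same payload (%25 -> '%'): a single decode
    # pass would leave "%27 or %271..." and a naive matcher would miss it.
    "GET /vulnerabilities/sqli/?id=%2525%2527+or+%25271%2527+%253D+%25271&Submit=Submit HTTP/1.1",
]


def decode_param(value: str, max_rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so a double-encoded payload is
    seen in the form the application would eventually process."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(request_line: str) -> tuple:
    """Return ('allow', None, None) or ('block', signature_name, parameter_name)."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = decode_param(raw)
        for sig_name, pattern in SIGNATURES:
            if pattern.search(value):
                return ("block", sig_name, name)
    return ("allow", None, None)


if __name__ == "__main__":
    for line in CONSTRUCTED_REQUESTS:
        print(inspect_request(line), "<-", line)
```

The benign inputs "Robert" and "1" pass, the two lab payloads are blocked, and the double-encoded variant shows why the decoding step matters. Matching of this kind needs the decoded request stream, which is why step 6.1 switches the policy to proxy-based inspection; over https the payload is invisible to the firewall unless it can decrypt the session, which is the subject of Alternative 1 below.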
...
Now repeat the attacks, this time through the WAF-protected policy:
Access DVWA from the outside Windows PC with http (not https) using the same URL http://192.168.16.XX:42001
Troubleshoot the port-forward NAT if you cannot see the http web page (normal browsing must still work; only the attack requests should be stopped)
Go to DVWA Security: keep the Security Level at "low" (the FortiGate, not the application, must stop the attack)
4.1 Go to XSS (reflected) and enter Robert → still works, benign input is not blocked
4.2 Go to XSS (reflected) and enter <Script>alert("hacked by Robert")</Script> → expected: no alert; the FortiGate blocks the request and shows its block page
5.1 Go to Setup / Reset DB and click the button "Create/Reset Database"
5.2 Go to SQL injection and enter 1 → still works
5.3 Go to SQL injection and enter %' or '1' = '1 → expected: blocked by the WAF
If the attacks still succeed, check that the policy really uses your WAF profile in proxy-based mode and that the profile's SQL Injection and Cross Site Scripting signatures are set to Block (see the troubleshooting links at the end).
x0. Include a screenshot of the blocked attack; it must show the full screen (with the date/clock in the bottom right corner)
Optional: When was the WAF signature file last updated? How often is it updated? How many signatures does it contain?
HARDWARE
x1. What is an ASIC compared to a CPU?
x2. What kinds of ASICs (processors) does Fortinet produce? (different ones for different products)
x2b. Which one is used in the FortiGate 40F?
x3. In the above picture (open/edit a policy in Policy & Objects > Firewall Policy) you see nTurbo, SPU and Software. Explain these three!
x5. Find a (scientific) article that measures SNORT on a regular (off-the-shelf) CPU, or similar measurements.
x5a. What is the title of the article?
x5b. Summarize the findings in 2-3 sentences!
Do only one of the following alternatives (XOR)
Alternative 1 (hard)
Alt1: Submit a short how-to guide describing how you succeeded in mitigating a SQLi attack over an https connection (including screenshots)
Alternative 2 (easy)
Alt2a: Can you get a free, signed https certificate on the Internet? If so, where?
Alt2b: Explain with a figure and text what a Man-in-the-Middle (MitM) attack is!
Alt2c: Explain what a web server proxy is and how it can function with today's use of https
https://www.youtube.com/watch?v=E4qwpBxH5b4 Web application firewall (WAF) - firewall training (Forti Tip)
https://youtu.be/Kn27rdcn7tk?si=tEP2QFdI28eB3p2l FortiGate WAF David Romero Trejo (No talking, music only)
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-collect-Web-application-firewall-WAF/ta-p/274390
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-investigate-if-WAF-is-not-generating/ta-p/196635