FCP_FWB_AD-7.4 FCP - FortiWeb 7.4 Administrator Questions and Answers

XML Schema: In FortiWeb, XML protection rules allow you to define an XML Schema to validate the structure and content of incoming XML documents. This helps protect against attacks like XML injection by ensuring that only well-formed XML requests are processed.

Request URL: You can define a request URL as part of an XML protection rule to specify the URL pattern for which the rule should apply. This allows you to apply different XML protection rules to different endpoints or resources based on the URL.

The easiest way to allow a search engine indexer (such as Googlebot or Bingbot) to index your website on a FortiWeb is to add the indexer's IP address to the trusted IP list. This ensures that traffic from trusted indexers is allowed through without being blocked or interfered with by FortiWeb's security features like bot protection.

Machine learning (ML)-based API protection: ML-based API protection helps detect and mitigate abnormal behavior in API traffic, such as bot attacks or abuse, by learning and adapting to normal traffic patterns.

API schema validation: API schema validation ensures that the API requests conform to the defined schema (e.g., checking the structure, fields, and types in the API calls). This helps prevent attacks like XML or JSON injection by ensuring only valid requests are processed.

API user key enforcement: Enforcing API user key authentication requires clients to provide valid API keys, ensuring only authorized users can access the API. This is crucial for controlling access to the API.

Cross-Site Scripting (XSS) is a type of web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. This can lead to session hijacking, credential theft, or redirection to malicious sites. XSS attacks typically exploit vulnerabilities in web applications that fail to properly sanitize user input.

Here’s an analysis of the given options:

A. SELECT username FROM accounts WHERE username='admin';-- ' AND password='password';

This is an example of SQL Injection (SQLi) rather than XSS. It manipulates SQL queries to bypass authentication, not execute JavaScript in a user’s browser.

B. <</b> img src="http://badfile/nothere" onerror=alert(document.cookie); >

This is a classic XSS attack .

It uses an < img > tag with a non-existent src attribute.

The onerror event triggers when the image fails to load, executing alert(document.cookie);, which can expose session cookies.

This method is commonly used for stealing cookies or executing arbitrary scripts .

C. SELECT username FROM accounts WHERE username='XSS' ' AND password='alert("http://badurl.com")';

This is neither a valid SQL injection nor a valid XSS attack .

The syntax suggests an incorrect SQL query rather than JavaScript execution in a browser.

D. <</b> IMG SRC="xss.png" >

This is not a valid XSS attack unless there is an additional event handler like onload, onerror, or onmouseover executing JavaScript.

By itself, it just loads an image and does not execute any malicious script.

Thus, Option B is the correct answer as it represents a real-world XSS attack technique.

References :

OWASP XSS Guide: https://owasp.org/www-community/attacks/xss/

Fortinet XSS Protection Documentation: https://docs.fortinet.com/