filiaks1
Explorer III
June 17, 2025
Solved

FortiWeb SQL injection, XSS attacks order (signatures, Syntax Detection, ML)?

I was wondering: for SQL or XSS attacks, FortiWeb has 3 options for detection, so what is the order of operations?

Is it first signatures, then Syntax Detection, and then attack ML models that are built on the appliance itself over time from the passed traffic?

Also, what happens if an attack matches all 3 options?

My final question: for SQL injection and XSS attacks, shouldn't signatures be stopped and just Syntax Detection and attack ML models be used, as I have read that they have fewer false positives?

Best answer by filiaks1

I think I got it: with the false positive detection feature ("False Positive Mitigation for SQL Injection signatures | FortiWeb 7.6.2 | Fortinet Document Library"), it will then try to use the Syntax Detection. So all features work together. Maybe for XSS there are not so many false positives and this is why it is not available.

For XSS the parser seems to help with encodings or obfuscations, so it is more to detect false negatives than to help with false positives.


If there is anything else please share but I think this is the case.
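
The layering discussed in this thread (a signature hit that is then checked by syntax analysis), as an added illustration that is not part of the original post and not FortiWeb's implementation. The signature regex, the query template and the use of SQLite as the parser are all assumptions made for this sketch, and it tests only one injection context.

```python
import re
import sqlite3

# Constructed keyword signature (not a FortiWeb rule): SQL words in order, or a quoted OR.
SIGNATURE = re.compile(r"(?i)\b(select|union)\b.+\b(from|select)\b|'\s*or\s*'")

# Assumed injection context: the parameter lands inside a quoted string literal.
TEMPLATE = "SELECT a FROM t WHERE a = '{}'"


def opcodes(conn, sql):
    """Compile (never run) the statement and return SQLite's opcode names."""
    return [row[1] for row in conn.execute("EXPLAIN " + sql)]


def syntax_confirms(value):
    """True if the value parses in context AND changes the query's structure."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE t (a TEXT)")
        baseline = opcodes(conn, TEMPLATE.format("x"))
        return opcodes(conn, TEMPLATE.format(value)) != baseline
    except (sqlite3.Error, sqlite3.Warning):
        return False  # not valid SQL in this context, so it cannot inject here
    finally:
        conn.close()


def classify(value):
    """Signature first; a hit is kept only if the syntax check agrees."""
    if not SIGNATURE.search(value):
        return "pass"
    return "block" if syntax_confirms(value) else "signature false positive"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("please select a seat from the list",
                   "x' OR '1'='1",
                   "x' UNION SELECT 1 --",
                   "O'Brien"):
        print(f"{sample!r:45} -> {classify(sample)}")
```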
