Skip to main content
muhaimifatihi
muhaimifatihi
New Member
July 29, 2025
Question

JSON based upload not scan by webshell protection

  • July 29, 2025
  • 4 replies
  • 655 views

Hi,

 

Need your recommendation on how to block this. Just making sure that this is not configuration issue.

 

Environment:

  • App with login, register, and upload function. All are using JSON but with GUI.
  • FortiWeb with JSON Protection Policy and Signature Detection enabled.
  • File Security and WebShell Detection enabled. PHP file extension not block.

 

For both login and register function, if we were injecting malicious payload, they will be blocked. no issue here. refer screenshots.

login and registerlogin and registerblockedblocked

attack-logattack-log

 

For upload function, Anti-Virus works well. Test upload an eicar.zip file was blocked.

However, for WebShell upload like oneliner or c99, these files was not block.

response-successresponse-successreturn 200return 200

Same file was blocked if not using JSON upload.

blockedblocked

 

So far i notice that file uploads rule, it ask for json setting. However for WebShell detection, no such thing.

json settingjson setting

 

Any thought on this?

 

Thanks and regards,

Muhaimi

4 replies

Norajohnson
Norajohnson
New Member
July 29, 2025
We'll show you how to bypass common defense mechanisms in order to upload a web shell, enabling you to take full control of a  monkey type  vulnerable web server. Given how .. If a server deserializes JSON data into an object without validating its structure or contents, an attacker might manipulate the data to include unexpected or harmful attributes. Risk: This can lead to
hivi786cc
hivi786cc
New Member
July 29, 2025

Interesting that the WebShell payloads bypass detection when wrapped in JSON have you tried adding custom signatures or content inspection rules specific to encoded file bodies within JSON?

muhaimifatihi
muhaimifatihiAuthor
New Member
July 30, 2025

I did try using custom signature to capture the base64 encoded JSON POST request. However, this will also block every file upload using the same method. The reason is this custom capture do not scan for AV or compare the md5 of the webshell against the known list like File Security and WebShell Detection.

filiaks1
filiaks1
Explorer III
July 31, 2025

What language is the webshell again php?

 

Useful link:

 

Web Shell Detection | FortiWeb 7.6.4 | Fortinet Document Library

 

Also see maybe enable or disable json parameter support Validating parameters (“input rules”) | FortiWeb 7.6.4 | Fortinet Document Library as maybe Fortiweb trying to work with json body as parameters causes issue.

Terms & ConditionsAccessibility statement