muhaimifatihi
New Contributor II

JSON based upload not scan by webshell protection

Hi,

 

Need your recommendation on how to block this. Just making sure that this is not configuration issue.

 

Environment:

  • App with login, register, and upload functions. All use JSON but with a GUI.
  • FortiWeb with JSON Protection Policy and Signature Detection enabled.
  • File Security and WebShell Detection enabled. PHP file extension not blocked.

 

For both the login and register functions, if we inject a malicious payload, it is blocked. No issue here; refer to the screenshots.

[screenshot: login and register requests blocked]

[screenshot: attack log]

 

For the upload function, Anti-Virus works well. A test upload of an eicar.zip file was blocked.

However, for WebShell uploads like a one-liner or c99, these files were not blocked.

[screenshot: response success, HTTP 200 returned]

The same file was blocked if not using the JSON upload.

[screenshot: upload blocked]

 

So far I notice that the file upload rule asks for a JSON setting. However, for WebShell Detection there is no such thing.

[screenshot: JSON setting in the file upload rule]

 

Any thoughts on this?

 

Thanks and regards,

Muhaimi

Norajohnson
New Contributor

We'll show you how to bypass common defense mechanisms in order to upload a web shell, enabling you to take full control of a  monkey type  vulnerable web server. Given how .. If a server deserializes JSON data into an object without validating its structure or contents, an attacker might manipulate the data to include unexpected or harmful attributes. Risk: This can lead to
hivi786cc
New Contributor

Interesting that the WebShell payloads bypass detection when wrapped in JSON. Have you tried adding custom signatures or content inspection rules specific to encoded file bodies within JSON?

muhaimifatihi
New Contributor II

I did try using a custom signature to capture the base64-encoded JSON POST request. However, this will also block every file upload using the same method. The reason is that this custom capture does not scan for AV or compare the MD5 of the webshell against the known list like File Security and WebShell Detection do.
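The gap described in the original post and in this reply is that a plain signature on a base64 JSON body blocks every upload, while the file-content checks (hash lookup against a known-bad list, content inspection) are what make File Security and WebShell Detection selective. The following is an added example, not code from the post or from Fortinet, of what a content-aware check on a JSON upload looks like. It assumes nothing about the field names: it walks every string in the JSON document, strictly base64-decodes any that decode cleanly, and then applies the same kind of checks the author wants (SHA-256 against a blocklist, a PHP open-tag scan of the decoded body, and a blocked-extension check on any filename-looking string). The blocklist entry and all sample requests are constructed for the example; the "known-bad" file is a harmless stand-in so the hash path can be exercised, not a webshell.

```python
import base64
import binascii
import hashlib
import json
import re
from typing import Any, Iterator, Optional, Tuple

# Extensions a File Security rule would normally block on a multipart upload.
# This set is an assumption for the example, not FortiWeb's own configuration.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps"}

# Marker for PHP code inside a decoded body, regardless of the declared filename.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Constructed stand-in for a "known-bad" file so the hash path can be exercised.
# This content is NOT a webshell; in practice the set would hold hashes from a
# threat-intel feed or from files you have already confirmed as malicious.
CONSTRUCTED_KNOWN_BAD = b"<?php /* constructed stand-in for a blocked file */ ?>"
KNOWN_BAD_SHA256 = {hashlib.sha256(CONSTRUCTED_KNOWN_BAD).hexdigest()}


def _walk_strings(node: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in the JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def _try_base64(value: str, min_len: int = 16) -> Optional[bytes]:
    """Strictly decode a string as base64; return None if it is not base64."""
    if len(value) < min_len:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_json_upload(body: bytes) -> dict:
    """Inspect a JSON request body and return {"verdict": ..., "findings": [...]}.

    Checks applied to every string in the document:
      * filename-looking strings ending in a blocked extension
      * base64-decodable strings whose SHA-256 is on the known-bad list
      * base64-decodable strings whose decoded bytes contain a PHP open tag
    """
    findings = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"verdict": "reject", "findings": [f"malformed JSON: {exc.msg}"]}

    for path, value in _walk_strings(doc):
        lowered = value.lower()
        if any(lowered.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            findings.append(f"{path}: blocked extension in filename {value!r}")
        blob = _try_base64(value)
        if blob is None:
            continue  # not an encoded file body; nothing more to inspect
        digest = hashlib.sha256(blob).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            findings.append(f"{path}: decoded body matches known-bad hash {digest[:12]}...")
        if PHP_OPEN_TAG.search(blob):
            findings.append(f"{path}: decoded body contains a PHP open tag")

    return {"verdict": "reject" if findings else "allow", "findings": findings}


# Constructed sample requests (not taken from the original post).
BENIGN_REQUEST = json.dumps({
    "filename": "holiday.png",
    "content": base64.b64encode(b"\x89PNG\r\n\x1a\n constructed png stub").decode(),
}).encode()

FLAGGED_REQUEST = json.dumps({
    "filename": "avatar.png",  # innocuous name; only the decoded body gives it away
    "content": base64.b64encode(CONSTRUCTED_KNOWN_BAD).decode(),
}).encode()

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("flagged", FLAGGED_REQUEST)):
        print(label, inspect_json_upload(req))
```

Because the walker visits nested objects and arrays, the same function covers an app that sends `{"files": [{"name": ..., "data": ...}]}` as well as a flat `{"filename", "content"}` shape. The hash lookup is what keeps it selective: a benign base64 upload passes, which is exactly what the plain base64-matching custom signature could not achieve.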

filiaks1
Contributor II

What language is the webshell again, PHP?

 

Useful link:

 

Web Shell Detection | FortiWeb 7.6.4 | Fortinet Document Library

 

Also see: maybe enable or disable JSON parameter support (Validating parameters (“input rules”) | FortiWeb 7.6.4 | Fortinet Document Library), as maybe FortiWeb trying to work with the JSON body as parameters causes the issue.
