The FortiWeb XSS signature being enforced (ID 000000131) uses a specific regular expression pattern to detect malicious JavaScript event handlers. The pattern is on(blur|change|click|dblclick|focus|keydown|keypress|keyup|load|reset|select|submit|unload)\s=.

The attempted attack uses the mousedown event. This specific event is not included in the list of events within the signature's regular expression. Because the incoming attack vector (onmousedown=...) does not match the signature's pattern, the signature will not be triggered. Consequently, FortiWeb will not take any action based on this rule, and the connection will be allowed.

A. Stripping content is an action ("Erase") that would only occur if the signature pattern was matched, which it is not.

B. Blocking the connection is an action ("Deny") that would only occur if the signature pattern was matched. The attack does not match the pattern.

C. Reporting to FortiGuard would only happen after an attack is detected. Since the signature pattern is not matched, no attack is detected by this rule.

1. FortiWeb 7.4 Administration Guide

Page 388

"Signatures" section.

The guide explains that FortiWeb uses signatures with specific patterns to detect known attacks. It states

"When traffic matches a signature

FortiWeb takes the configured action..." This implies that if traffic does not match the pattern

no action is taken. The attack's mousedown event does not match the signature's regular expression

so no action is taken.

2. FortiWeb 7.4 Administration Guide

Page 389

"To view and filter the predefined signature set".

This section details the components of a signature

including the "Pattern" field. The effectiveness of the signature is entirely dependent on this pattern matching the traffic. The provided scenario shows a clear mismatch between the attack vector and the signature pattern.