FortiWeb Recursive URL Decoding is not enabled by default
FortiWeb's "Recursive URL Decoding" feature can detect URL-based attacks (among which XSS and SQL injection attempts) even when the malicious URL is recursively encoded. However, this feature is currently not enabled by default in FortiWeb's system settings.
WAF bypass (URL based attack)
FortiWeb all versions
FortiWeb will by default enable the "Recursive URL Decoding" feature in upcoming version 6.1.0.
In the meantime, manually enabling this feature is recommended.
From the FortiWeb GUI, it can be enabled under system > Config > Advanced in the "Recursive URL Decoding" (refer to: http://help.fortinet.com/fweb/571/Content/FortiWeb/fortiweb-admin/advanced_settings.htm for more info).
From the FortiWeb CLI, it can be enabled with the following commands:
config system advanced
set circulate-url-decode enable
Fortinet is pleased to thank independent security researcher SecuNinja (http://twitter.com/secuninja) for reporting this FortiWeb operational risk under responsible disclosure.