EH-Net
May 19, 2013, 01:51:52 AM
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pen test for Cross-Site Scripting (Expect Header) question.
on: June 29, 2012, 07:51:50 AM
Thanks for the feedback so far.
Our pen tester comments that:
Exploit Potential: It was possible to inject code into the Expect Header.
And:
Remediation: Add the following configuration settings to your web.config or app.config.
<system.net>
  <settings>
    <servicePointManager expect100Continue="false" />
  </settings>
</system.net>
The only problem I have with the remediation is that it points to configurations being made on a server; however, the response from our firewall indicates to me that the firewall was the device that responded...not a server in the network behind the firewall. I am led to believe this by part of the response which is:
Server: FortiWeb-2.2.0
The confusing thing is that we don't have any FortiWeb software or appliances. The only thing we have is the Fortigate60, which would imply to me that the Fortigate60 is running FortiWeb and is responding to the ncat query.
This is new to me so I am on a large learning curve here. I have installed nmap though, so I am able to reproduce the pen test results.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Pen test for Cross-Site Scripting (Expect Header) question.
on: June 28, 2012, 09:02:00 AM
Hello,
We have hired a security company to perform a penetration test. One of the tests they performed reported a risk. Here are the test parameters:
The Pentest company executed:
ncat --ssl (our static IP) 443
GET / HTTP/1.1
HOST:(our static IP)
EXPECT:"><script>alert('XSS')</script>
The response given by our firewall was:
HTTP/1.1 417 Expectation Failed
Date: Tue, 15 May 2012 18:58:45 GMT
Server: FortiWeb-2.2.0
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

174
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>417 Expectation Failed</title>
</head><body>
<h1>Expectation Failed</h1>
The expectation given in the Expect request-header field could not be met by this server.<p>
The client sent<pre>
Expect: "><script>alert('XSS')</script>
</pre>
but we only allow the 100-continue expectation.
</body></html>
What I am wondering is what I must do to change the response by our Firewall so that the security tester does not believe that we are vulnerable to cross site scripting.
Our firewall is: Model: Fortigate-60
Running: Firmware: Fortigate-60 2.50,build171,031215
Any suggestions would be appreciated. Thanks.
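A way to re-check this finding offline after any configuration change, as an added example that is not part of the original posts: it decodes a captured 417 response and reports whether the Expect value comes back raw or HTML-escaped. The function names and the sample response (modelled on the one quoted above, with a recomputed chunk size) are constructed for illustration.

```python
import html

# Probe value taken from the test quoted in the post.
PROBE = "\"><script>alert('XSS')</script>"

def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked message body."""
    out = b""
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0].decode().strip() or "0", 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]  # skip the chunk data and its trailing CRLF
    return out

def classify_reflection(raw: bytes, probe: str) -> str:
    """Return 'raw', 'escaped' or 'absent' for how the probe appears in the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if "transfer-encoding: chunked" in head.decode("iso-8859-1").lower():
        body = dechunk(body)
    text = body.decode("iso-8859-1")
    if probe in text:
        return "raw"  # markup reflected unmodified: the finding still reproduces
    if html.escape(probe) in text or html.escape(probe, quote=False) in text:
        return "escaped"  # value is echoed, but as inert text
    return "absent"

def sample_417(reflected: str) -> bytes:
    """Constructed 417 response shaped like the one in the post."""
    page = ("<html><head><title>417 Expectation Failed</title></head><body>\n"
            "The client sent<pre>\nExpect: " + reflected + "\n</pre>\n"
            "but we only allow the 100-continue expectation.\n"
            "</body></html>\n").encode("iso-8859-1")
    return (b"HTTP/1.1 417 Expectation Failed\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
            + format(len(page), "x").encode() + b"\r\n" + page + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, value in (("as reported", PROBE), ("escaped", html.escape(PROBE))):
        print(label, "->", classify_reflection(sample_417(value), PROBE))
```

To use it on a real capture, save the full response bytes from the retest and pass them to `classify_reflection` in place of the constructed sample.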