FortiWeb’s “Recursive URL Decoding” feature can detect URL-based attacks (among which XSS and SQL injection attempts) even when the malicious URL is recursively encoded. However, this feature is not enabled by default in FortiWeb’s system settings for FortiWeb version 6.0.0 and below.