Protection
OWASP A1¶
Insecure Method Parameter¶
This type of risk is a business specific injection type. In this case a custom injection may be performed if an untrusted input is accepted in a particular method. This particular method will then carry out an operation that is vulnerable to injection. There are several kinds of situation in which it could be used, i.e. custom-type storage system that has its own query language, access to a different backend that assumes trusted inputs, etc. Using this analyzer a method can be marked as vulnerable in order to detect and protect against any untrusted data that reaches the method. The developer uses a custom mark to identify the methods to be monitored.
SQL Injection¶
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. With SQL injection attacks, SQL commands are injected into data-plane input in order to execute predefined SQL commands.
OWASP A2¶
Broken Authentication And Session Management¶
These types of weaknesses can allow an attacker to either capture or bypass the authentication methods used by a web application.
Brute Force Login¶
An attacker tries to guess a correct password or the key which is typically created from the password making a brute-force attack.
OWASP A3¶
Sensitive Data Exposure¶
These types of vulnerabilities allow attackers to obtain sensitive data such as credit card details, health/personal information or usernames and passwords.
OWASP A4¶
XXE¶
Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.
OWASP A5¶
Automated Real Time Whitelisting¶
The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.
Path Traversal¶
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with a “dot-dot-slash (../)” sequence and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system including application source code or configuration and critical system files. It should be noted that access to files is limited by the system’s operational access control, such as in the case of locked or in-use files on the Microsoft Windows operating system.
OWASP A6¶
Security Misconfiguration¶
An attacker may access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain knowledge or unauthorized access to the system.
Stacktrace Leak¶
App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers could use the extra information provided by error messages.
OWASP A7¶
Client XSS¶
Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
XSS¶
Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
OWASP A8¶
Untrusted Deserialization¶
Data which is untrusted also cannot be trusted to be well formed. Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized.
OWASP A9¶
Library With Known Vulnerability¶
Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
Other¶
CSRF¶
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not data, since the attacker has no way of seeing the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so on. If the victim is an administrative account, CSRF can compromise the entire web application.
Custom Input Validation¶
With the default configuration, all the editable values of the forms (text boxes and text areas) are validated with a set of rules that prevent most SQL Injection and XSS attacks.
The system is extendible and it is possible to configure the validation of editable values in only a part of the application or to add new rules.
Format String¶
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.
Malicious Binary¶
This rule prevents any infected binary file being uploaded to the server by blocking its transfer.
Malicious Bots¶
This rule helps to block BOTs that are reputed to be malicious.
IP Reputation¶
Malicious IPs are IPs that are reputed to be a source of attacks. This analyzer obtains malicious IPs from external sources, but additionally, it is able to detect attack patterns, including those IPs on a rejected IP list. Any IP present on those lists will be banned and the application protected against the attacker.
Mass Assignment¶
Software frameworks sometime allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier on developers. This can sometimes cause harm.
Padding Oracle¶
In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext.
In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive.
The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not.
Hdiv Agent protects against the exploitation of the attack by detecting attack patterns .
ReDoS¶
The regular expression denial of service (ReDoS)[1] is an algorithmic complexity attack that produces a denial-of-service by providing a regular
expression that takes a very long time to evaluate. The attack exploits the fact that most regular expression implementations have exponential time
worst case complexity: the time taken can grow exponentially in relation to input size. An attacker can thus cause a program to spend an unbounded
amount of time processing by providing such a regular expression, either slowing down or becoming unresponsive.
Hdiv Agent protects against the DoS caused by those long running expressions .
DoS¶
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for.
There are many ways to make a service unavailable to legitimate users - by manipulating network packets, programming or resources handling vulnerabilities among others.
If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability
is exploited, or due to the way the service handles resources it uses.
This analyzer allows DOS rules to be configured in order to detect them and block the attacker if desired. .
SSRF¶
Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback interface (127.0.0.1) of the exploited server.
Untrusted Client Access¶
Untrusted Client Access rule helps to track the domains being accessed from the client side, trying to prevent attacks that cause clients to call insecure third party urls.
Unvalidated Redirect Forwards¶
The application is using an untrusted input to craft a redirect/forward url.
CVE Protection¶
A security policy enforcement layer which prevents and reports the exploitation attempt of a known vulnerability.
X-Forwarded-For Spoofing¶
Prevents attack that send invalid or tampered X-Forwarded-For headers to launch attack payloads.