Protection
CMD Injection
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
Insecure Method Parameter
This type of risk is a business-specific injection type. In this case, a custom injection may be performed if untrusted input is accepted by a particular method, which then carries out an operation that is vulnerable to injection. There are several kinds of situations in which it could arise, e.g. a custom storage system that has its own query language, or access to a different backend that assumes trusted inputs. Using this analyzer, a method can be marked as vulnerable in order to detect and protect against any untrusted data that reaches the method. The developer uses a custom mark to identify the methods to be monitored.
SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shut down the DBMS), recover the content of a given file present on the DBMS file system and in some cases, issue commands to the operating system. With SQL injection attacks, SQL commands are injected into data-plane input in order to execute predefined SQL commands.
Broken Authentication And Session Management
These types of weaknesses can allow an attacker to either capture or bypass the authentication methods used by a web application.
Brute Force Login
In a brute-force attack, an attacker tries to guess a correct password, or the key that is typically derived from the password, by systematically trying candidates.
No HttpOnly Cookie
Let's look further at the authentication cookie and assume that an XSS (cross-site scripting) vulnerability is present in the application, where the attacker can take advantage of it to steal the authentication cookie. Can we somehow prevent this from happening? It turns out that the HttpOnly flag can be used to solve this problem. When the HttpOnly flag is set, JavaScript will not be able to read the authentication cookie in case of XSS exploitation.
Sensitive Data Exposure
These types of vulnerabilities allow attackers to obtain sensitive data such as credit card details, health/personal information or usernames and passwords.
Weak Randomness
Standard pseudo-random number generators cannot withstand cryptographic attacks.
XXE
Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.
Automated Real Time Whitelisting
Web Parameter Tampering is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.
Path Traversal
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with a “dot-dot-slash (../)” sequence and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system including application source code or configuration and critical system files. It should be noted that access to files is limited by the system’s operational access control, such as in the case of locked or in-use files on the Microsoft Windows operating system.
Security Misconfiguration
An attacker may access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain information or unauthorized access to the system.
Stacktrace Leak
App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers could use the extra information provided by error messages.
Client XSS
Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
XSS
Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
Untrusted Deserialization
Data which is untrusted also cannot be trusted to be well formed. Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized.
Library With Known Vulnerability
Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
Arbitrary Code Execution
In computer security, arbitrary code execution (ACE) is used to describe an attacker's ability to execute arbitrary commands or code on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE).
Microsegmentation
In computer security, microsegmentation is a way to create secure zones in datacenters and cloud deployments. It is a way to implement more fine-grained segmentation than traditional segmentation tools allow.
CSRF
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not data, since the attacker has no way of seeing the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests, such as transferring funds, changing their email address, and so on. If the victim is an administrative account, CSRF can compromise the entire web application.
Custom Input Validation
With the default configuration, all the editable values of the forms (text boxes and text areas) are validated with a set of rules that prevent most SQL Injection and XSS attacks.
The system is extendable and it is possible to configure the validation of editable values in only a part of the application or to add new rules.
Format String
The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.
Insecure Cookie
Even if the application is using HTTPS, it is not setting the Secure flag on cookies, which may lead to data exposure.
Malicious Binary
This rule prevents any infected binary file from being uploaded to the server by blocking its transfer.
Malicious Bots
This rule helps to block bots that are reputed to be malicious.
IP Reputation
Malicious IPs are IPs that are reputed to be a source of attacks. This analyzer obtains malicious IPs from external sources, but it is additionally able to detect attack patterns itself and add the offending IPs to a rejected IP list. Any IP present on those lists will be banned, protecting the application against the attacker.
Mass Assignment
Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier. This can sometimes cause harm.
No Same Site Cookie
SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are lax or strict. The strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project.
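As an added example (not code from the Hdiv documentation or product), the following Python checker audits Set-Cookie headers for the three cookie rules on this page: No HttpOnly Cookie, Insecure Cookie and No Same Site Cookie. The header values are constructed samples; treating SameSite=None as equivalent to a missing attribute is this example's own choice, since that value explicitly opts out of cross-site protection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union
# Constructed sample Set-Cookie headers (not taken from the page).
SAMPLE_HEADERS = [
    "JSESSIONID=8A3F2C; Path=/; HttpOnly; Secure; SameSite=Strict",
    "session=xyz; Path=/",
    "tracking=1; Path=/; Secure; SameSite=None",
]

@dataclass
class CookieFinding:
    name: str
    issues: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Return the cookie name and its attributes (lower-cased; flags map to True)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs

def audit_set_cookie(header: str, over_https: bool = True) -> CookieFinding:
    """Report which of the three cookie rules the header violates."""
    name, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if "httponly" not in attrs:
        finding.issues.append("No HttpOnly Cookie")   # script-readable under XSS
    if over_https and "secure" not in attrs:
        finding.issues.append("Insecure Cookie")      # may travel over plain HTTP
    samesite = attrs.get("samesite")
    # SameSite=None opts out of cross-site protection (browsers also require
    # Secure with it), so it is treated like a missing attribute here.
    if not isinstance(samesite, str) or samesite.lower() == "none":
        finding.issues.append("No Same Site Cookie")  # sent on cross-site requests
    return finding

def audit_response(headers: List[str], over_https: bool = True) -> List[CookieFinding]:
    """Audit all Set-Cookie headers of a response, keeping only cookies with issues."""
    return [f for f in (audit_set_cookie(h, over_https) for h in headers) if f.issues]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS):
        print(f"{f.name}: {', '.join(f.issues)}")
```

Pass over_https=False for a plain-HTTP deployment so that the missing Secure flag is not reported for cookies that cannot be protected by it anyway.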
Padding Oracle
In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. Variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" which freely responds to queries about whether a message is correctly padded or not. Hdiv Agent protects against the exploitation of the attack by detecting attack patterns.
ReDoS
The regular expression denial of service (ReDoS) is an algorithmic complexity attack that produces a denial of service by providing a regular expression that takes a very long time to evaluate. The attack exploits the fact that most regular expression implementations have exponential time complexity in the worst case: the time taken can grow exponentially in relation to input size. An attacker can thus cause a program to spend an unbounded amount of time processing by providing such a regular expression, making it either slow down or become unresponsive. Hdiv Agent protects against the DoS caused by such long-running expressions.
DoS
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users: by manipulating network packets, or by exploiting programming or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop functioning if a programming vulnerability is exploited, or due to the way the service handles the resources it uses. Request DoS protection allows DoS rules to be configured in order to detect such attacks and block the attacker if desired.
SSRF
Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback interface (127.0.0.1) of the exploited server.
Untrusted Client Access
The Untrusted Client Access rule helps to track the domains being accessed from the client side, in order to prevent attacks that cause clients to call insecure third-party URLs.
Unvalidated Redirect
The application is using untrusted input to craft a redirect/forward URL.
CVE Protection
A security policy enforcement layer which prevents and reports attempts to exploit a known vulnerability.
X-Forwarded-For Spoofing
Prevents attacks that send invalid or tampered X-Forwarded-For headers to launch attack payloads.