Protection

OWASP A1

CMD Injection

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
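
The two ways of building a command that the paragraph contrasts, as an added Python example that is not part of the original page or of Hdiv's product: string concatenation handed to a shell versus a validated argument list run without a shell. The `nslookup` command name and the hostname allow-list are assumptions made for the illustration; the sample inputs are constructed.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample inputs: a benign value and one carrying a shell metacharacter.
BENIGN_HOST = "example.com"
TAMPERED_HOST = "example.com; whoami"

# Allow-list for a DNS hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def shell_tokens(host):
    """Tokenise the string a vulnerable app would hand to a shell ("nslookup " + host).
    punctuation_chars makes ';' a token of its own, exactly as a POSIX shell treats it,
    so a tampered value shows up as a second command."""
    lexer = shlex.shlex("nslookup " + host, posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_hostname(host):
    """Positive validation: accept only values that look like a hostname."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def argv_as_received(host):
    """Run a child process WITHOUT a shell, passing host as one argv element, and
    return the argument the child actually received. sys.executable is used as the
    child so the demo runs offline; in a real app this would be the lookup tool."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", host]
    completed = subprocess.run(child, capture_output=True, text=True, check=True)
    return completed.stdout.rstrip("\n")


def safe_lookup_argv(host):
    """Hardened version: validate first, then build an argv list (no shell involved)."""
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["nslookup", host]  # assumed tool name, for illustration only


if __name__ == "__main__":
    print("shell sees:", shell_tokens(TAMPERED_HOST))      # ['nslookup', 'example.com', ';', 'whoami']
    print("argv gets :", argv_as_received(TAMPERED_HOST))  # one literal argument, nothing executed
    print("hardened  :", safe_lookup_argv(BENIGN_HOST))
    try:
        safe_lookup_argv(TAMPERED_HOST)
    except ValueError as exc:
        print("hardened  :", exc)
```

The token list is what makes the risk visible: the shell would see `whoami` as a separate command, while the argv list keeps the whole string as one literal argument. Validation against an allow-list is still applied first, because even a literal argument can be abused by the tool that receives it.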

Insecure Method Parameter

This type of risk is a business-specific injection type. In this case, a custom injection may be performed if an untrusted input is accepted in a particular method, which then carries out an operation that is vulnerable to injection. There are several situations in which this could happen, e.g. a custom storage system with its own query language, or access to a different backend that assumes trusted inputs. Using this analyzer, a method can be marked as vulnerable in order to detect and protect against any untrusted data that reaches it. The developer uses a custom mark to identify the methods to be monitored.

SQL Injection

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. With SQL injection attacks, SQL commands are injected into data-plane input in order to execute predefined SQL commands.

OWASP A2

Broken Authentication And Session Management

These types of weaknesses can allow an attacker to either capture or bypass the authentication methods used by a web application.

Brute Force Login

In a brute-force attack, an attacker systematically tries to guess a correct password, or the key that is typically derived from the password.

Let's look further at the authentication cookie and assume that an XSS (cross-site scripting) vulnerability is present in the application, which the attacker could take advantage of to steal the authentication cookie. Can we somehow prevent this from happening? It turns out that the HttpOnly flag can be used to solve this problem. When the HttpOnly flag is set, JavaScript will not be able to read the authentication cookie even if the XSS flaw is exploited.

OWASP A3

Sensitive Data Exposure

These types of vulnerabilities allow attackers to obtain sensitive data such as credit card details, health/personal information or usernames and passwords.

Weak Randomness

Standard pseudo-random number generators produce predictable output and cannot withstand cryptographic attacks.

OWASP A4

XXE

Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.

OWASP A5

Automated Real Time Whitelisting

Web Parameter Tampering is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.

Path Traversal

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with a “dot-dot-slash (../)” sequence and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system including application source code or configuration and critical system files. It should be noted that access to files is limited by the system’s operational access control, such as in the case of locked or in-use files on the Microsoft Windows operating system.
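
An added Python example, not from the original page or from Hdiv, of the containment check a file-serving handler needs against the "dot-dot-slash" variants described above. It goes slightly beyond the text by also handling percent-encoded separators and a sibling directory whose name shares the root's prefix. The web root and the requested paths are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root; the check works on normalised POSIX path strings.
WEB_ROOT = "/var/www/app/files"


def resolve_under_root(root, requested):
    """Map a user-supplied relative path onto the web root and refuse anything that escapes it.

    Decoding first defeats percent-encoded variants such as '..%2F'; normpath collapses
    '..' segments; commonpath (not a string-prefix test) confirms the result lies inside
    root, so a sibling directory such as '/var/www/app/files2' is refused as well."""
    root = posixpath.normpath(root)
    decoded = unquote(requested)
    if posixpath.isabs(decoded):
        raise PermissionError("absolute paths are not accepted: %r" % requested)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if posixpath.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes the web root: %r" % requested)
    return candidate


def is_safe_path(root, requested):
    """Boolean form of the same check, convenient for filtering or logging."""
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for req in ["reports/q1.pdf", "a/../b.txt", "../../etc/passwd",
                "..%2F..%2Fetc%2Fpasswd", "/etc/passwd", "../files2/secret.txt"]:
        print("%-28s -> %s" % (req, "allowed" if is_safe_path(WEB_ROOT, req) else "refused"))
```

This operates on path strings only; a deployment that serves from a real filesystem should additionally resolve symbolic links (for example with `os.path.realpath`) before the containment comparison, since a link inside the root can point outside it.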

OWASP A6

Security Misconfiguration

An attacker may access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain knowledge or unauthorized access to the system.

Stacktrace Leak

App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers could use the extra information provided by error messages.

OWASP A7

Client XSS

Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

XSS

Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.

OWASP A8

Untrusted Deserialization

Data which is untrusted also cannot be trusted to be well formed. Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized.

OWASP A9

Library With Known Vulnerability

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.

Other

Arbitrary Code Execution

In computer security, arbitrary code execution (ACE) is used to describe an attacker's ability to execute arbitrary commands or code on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE).

CSRF

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not data, since the attacker has no way of seeing the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests, such as transferring funds, changing their email address, and so on. If the victim is an administrative account, CSRF can compromise the entire web application.

Custom Input Validation

With the default configuration, all the editable values of the forms (text boxes and text areas) are validated with a set of rules that prevent most SQL Injection and XSS attacks.

The system is extendable and it is possible to configure the validation of editable values in only a part of the application or to add new rules.

Format String

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

Even if the application is using HTTPS, it is not setting the Secure flag on cookies, which may lead to data exposure.

Malicious Binary

This rule prevents any infected binary file from being uploaded to the server by blocking its transfer.

Malicious Bots

This rule helps to block BOTs that are reputed to be malicious.

IP Reputation

Malicious IPs are IPs that are reputed to be a source of attacks. This analyzer obtains malicious IPs from external sources and is additionally able to detect attack patterns itself and place the offending IPs on a rejected IP list. Any IP present on those lists will be banned and the application protected against the attacker.

Mass Assignment

Software frameworks sometimes allow developers to automatically bind HTTP request parameters into program code variables or objects to make using that framework easier. This can sometimes cause harm.

SameSite prevents the browser from sending this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides some protection against cross-site request forgery attacks. Possible values for the flag are lax or strict.

The strict value prevents the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link. For example, for a GitHub-like website this would mean that if a logged-in user follows a link to a private GitHub project posted on a corporate discussion forum or email, GitHub will not receive the session cookie and the user will not be able to access the project.
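
The three cookie attributes this page discusses (HttpOnly in the authentication-cookie passage, the Secure flag in the HTTPS passage, and SameSite here) in one added Python example that is not part of the original page or of Hdiv: a builder that emits a hardened `Set-Cookie` value and an audit function that reports which protections a given header lacks. The cookie name and the sample headers are constructed.

```python
def build_session_cookie(name, value, same_site="Strict"):
    """Emit a Set-Cookie value carrying Secure, HttpOnly and SameSite (Strict or Lax)."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("SameSite must be Strict or Lax")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute-lowercase: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def audit_set_cookie(header):
    """Return the protective attributes a Set-Cookie header is missing.

    Secure: sent only over HTTPS. HttpOnly: invisible to document.cookie, so an XSS
    payload cannot read it. SameSite=Strict or Lax: withheld from cross-site requests."""
    _, _, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        missing.append("SameSite=Strict or Lax")
    return missing


# Constructed headers: one as a misconfigured server might send it, one hardened.
WEAK_HEADER = "JSESSIONID=8f3c1e; Path=/"
HARDENED_HEADER = build_session_cookie("JSESSIONID", "8f3c1e")

if __name__ == "__main__":
    print(WEAK_HEADER, "->", audit_set_cookie(WEAK_HEADER))
    print(HARDENED_HEADER, "->", audit_set_cookie(HARDENED_HEADER))
```

The audit treats any SameSite value other than Strict or Lax as missing, matching the two values the text lists. Choosing between them is the trade-off the GitHub example describes: Strict drops the cookie even on a top-level navigation from another site, while Lax keeps such navigations working and still withholds the cookie from cross-site subrequests.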

Padding Oracle

In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. Variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" that freely responds to queries about whether a message is correctly padded or not.

Hdiv Agent protects against exploitation of this attack by detecting its attack patterns.

ReDoS

The regular expression denial of service (ReDoS) is an algorithmic complexity attack that produces a denial of service by providing a regular expression that takes a very long time to evaluate. The attack exploits the fact that most regular expression implementations have exponential worst-case time complexity: the time taken can grow exponentially with input size. An attacker can thus cause a program to spend an unbounded amount of time processing such a regular expression, slowing it down or making it unresponsive.

Hdiv Agent protects against the DoS caused by those long-running expressions.
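
An added Python example, not from the original page or from Hdiv, that makes the exponential growth described above measurable: a nested-quantifier pattern is timed against near-miss inputs of increasing length, next to an equivalent pattern that backtracks linearly and an input-length guard of the kind an application can apply before any regex runs. The patterns, inputs and the 64-character cap are constructed for the illustration.

```python
import re
import time

# A nested quantifier: on a near-miss such as "aaaa!" the engine tries every way of
# splitting the run of a's between the inner and outer group before it can fail.
EVIL_PATTERN = re.compile(r"^(a+)+$")
# Matches exactly the same strings, but fails after one linear pass.
SAFE_PATTERN = re.compile(r"^a+$")

MAX_INPUT_LEN = 64  # assumed cap chosen for this example; a real app sets it per field


def near_miss(n):
    """Constructed hostile-style input: n a's followed by a character that forces failure."""
    return "a" * n + "!"


def timed_match(pattern, text):
    """Return (matched, seconds) for one evaluation."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def growth_profile(pattern, sizes):
    """Seconds spent per input size; for EVIL_PATTERN this roughly doubles per extra 'a'."""
    return [timed_match(pattern, near_miss(n))[1] for n in sizes]


def guarded_match(pattern, text, max_len=MAX_INPUT_LEN):
    """Defensive wrapper: bound the input before evaluating any regex on it."""
    if len(text) > max_len:
        raise ValueError("input of %d chars exceeds limit %d" % (len(text), max_len))
    return pattern.match(text) is not None


if __name__ == "__main__":
    sizes = [10, 14, 18, 20]
    for n, evil, safe in zip(sizes, growth_profile(EVIL_PATTERN, sizes),
                             growth_profile(SAFE_PATTERN, sizes)):
        print("n=%2d  evil=%.5fs  safe=%.6fs" % (n, evil, safe))
    print(guarded_match(SAFE_PATTERN, near_miss(20)))  # False, and returned quickly
```

The sizes stop at 20 only to keep the demonstration short; each additional character roughly doubles the time for the vulnerable pattern, which is the unbounded cost the text refers to. Rewriting the pattern removes the cost entirely; the length cap limits the damage when a pattern cannot be changed.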

DoS

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable to legitimate users: by manipulating network packets, or by exploiting programming or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or because of the way the service handles the resources it uses.

This analyzer allows DoS rules to be configured in order to detect such attacks and, if desired, block the attacker.

SSRF

Server Side Request Forgery (SSRF) vulnerabilities let an attacker send crafted requests from the back-end server of a vulnerable web application. Criminals usually use SSRF attacks to target internal systems that are behind firewalls and are not accessible from the external network. An attacker may also leverage SSRF to access services available through the loopback interface (127.0.0.1) of the exploited server.

Untrusted Client Access

The Untrusted Client Access rule helps to track the domains being accessed from the client side, aiming to prevent attacks that cause clients to call insecure third-party URLs.

Unvalidated Redirect Forwards

The application is using an untrusted input to craft a redirect/forward URL.

CVE Protection

A security policy enforcement layer which prevents and reports the exploitation attempt of a known vulnerability.

X-Forwarded-For Spoofing

Prevents attacks that send invalid or tampered X-Forwarded-For headers to launch attack payloads.
