WAF supports the account security feature that detects account risks. This feature
monitors endpoints related to user authentication, such as registration and logon
endpoints, and detects events that may pose a threat to user credentials. Detectable
risks include credential stuffing, brute-force attacks, account registration launched
by bots, weak password sniffing, and SMS interface abuse. To use the account security
feature, add endpoints that need to be monitored to WAF. You can view detection results
in WAF security reports.
Background information
- Before you enable account security, obtain the endpoint information that is required
for configuration. For example, you must provide the domain name, the URL where user
credentials are submitted, and the parameters that specify the username and password.
- The business is protected by WAF. For more information, see Website configuration.
Limits
Each WAF instance supports up to three endpoints.
Add an endpoint
- Log on to the WAF console.
- In the upper-left corner, select the region where the WAF instance is deployed. You
can select Mainland China or International.
- In the left-side navigation pane, choose .
- On the Account Security page, click Add Endpoint.
Note Each WAF instance supports up to three endpoints. If the number of endpoints has reached
the upper limit, the Add Endpoint icon turns grey, which indicates that you cannot add more endpoints.

- In the Add Endpoint dialog box that appears, set the parameters, and then click Save. The following table lists the parameters and descriptions.
Parameter | Description
Endpoint to be Detected | Select the domain name that needs to be monitored by WAF, and enter the URI to which user credentials are submitted. Do not enter the logon page itself, for example, /login.html. Enter the endpoint to which usernames and passwords are submitted.
Account Parameter Name | Enter the parameter that specifies usernames.
Password Parameter Name | Enter the parameter that specifies passwords. If passwords are not required on the endpoint, do not set this parameter.
Sample configuration
- For example, the logon endpoint is /login.do, and the body of the submitted POST request is username=Jammy&pwd=123456. In this case, you must set Account Parameter Name to username and Password Parameter Name to pwd, as shown in the following figure.
- If the parameters that specify user credentials are included in the URL of a GET request, for example, /login.do?username=Jammy&pwd=123456, set the parameters as shown in the preceding figure.
- If passwords are not required on the endpoint, for example, a registration endpoint, set only the Account Parameter Name parameter. Do not set the Password Parameter Name parameter.
- If phone numbers are used as user credentials on the endpoint, enter the parameter that specifies phone numbers in the Account Parameter Name field. For example, the URL is /sendsms.do?mobile=13811111111. In this case, you must set Endpoint to be Detected to /sendsms.do and Account Parameter Name to mobile. Do not set Password Parameter Name.
After the endpoint is added, WAF automatically dispatches detection tasks. If the network traffic of the endpoint meets the detection conditions, account risks are reported within a few hours.
View account security reports
To view account security reports, navigate to the Account Security page, find the target endpoint, and then click View Report in the Actions column. You can also view security reports on the Reports page.
The following procedure shows how to view security reports on the Reports page.
- Log on to the WAF console.
- In the upper-left corner, select the region where the WAF instance is deployed. You
can select Mainland China or International.
- In the left-side navigation pane, choose .
- On the Account Security tab, select the domain, endpoint, and time period (Yesterday, Today, Last 7 Days, or Last 30 Days) to view detected account risks.
The following table lists the fields and descriptions in an account security report.
Field | Description
Endpoint | The URI where account risks are detected by WAF.
Domain | The domain to which the endpoint belongs.
Malicious Requests Occurred During | The time period during which account risks are detected.
Blocked Requests | The number of requests blocked by WAF protection rules during the time period displayed in the Malicious Requests Occurred During column. WAF protection rules are all the protection rules that are currently effective, including web application protection rules, HTTP ACL policies, HTTP flood protection rules, and blocked regions. The proportion of blocked requests reflects the account security status of the endpoint.
Total Requests | The total number of requests sent to the endpoint during the time period displayed in the Malicious Requests Occurred During column.
Alert Triggered By | The reason why the alert is triggered. Possible reasons include:
- A request fits the behavior model of credential stuffing or brute-force attacks.
- The traffic baseline of the endpoint is exceeded during the displayed time period.
- A large number of requests sent to the endpoint fit the rules described in the threat intelligence library during the displayed time period.
- Weak passwords are detected in a large number of requests sent to the endpoint during the displayed time period. In this case, credential stuffing and brute-force attacks may occur.
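As an added illustration (not Alibaba Cloud WAF's own code or detection model), the following Python script shows how the three endpoint settings from the sample configuration map onto request parsing (POST body versus GET query string, endpoints with no password parameter), and then computes simplified versions of the alert reasons listed above over constructed sample traffic. ENDPOINTS, WEAK_PASSWORDS, the thresholds, and the SAMPLE requests are assumptions made for the example.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed endpoint settings mirroring the Add Endpoint fields; password None = endpoint without a password (registration, SMS)
ENDPOINTS = {
    "/login.do": {"account": "username", "password": "pwd"},
    "/sendsms.do": {"account": "mobile", "password": None},
}
WEAK_PASSWORDS = {"123456", "111111", "password"}  # constructed sample list

def extract_credentials(method, url, body=""):
    """Return (path, account, password) if the request hits a monitored
    endpoint, else None. GET reads the query string, POST the form body."""
    parts = urlsplit(url)
    cfg = ENDPOINTS.get(parts.path)
    if cfg is None:
        return None
    params = parse_qs(parts.query if method == "GET" else body)
    account = params.get(cfg["account"], [None])[0]
    if account is None:
        return None
    pwd_name = cfg["password"]
    password = params.get(pwd_name, [None])[0] if pwd_name else None
    return parts.path, account, password

def analyze(requests, max_accounts=3, max_attempts=3):
    """Illustrative signals in the spirit of the report's 'Alert Triggered By'
    reasons (not WAF's actual model): many distinct accounts from one source,
    many attempts on one account, and weak passwords."""
    accounts_by_src, attempts, weak = defaultdict(set), Counter(), 0
    for src, method, url, body in requests:
        hit = extract_credentials(method, url, body)
        if hit is None:
            continue  # e.g. /login.html, the page rather than the endpoint
        path, account, password = hit
        accounts_by_src[(src, path)].add(account)
        attempts[(path, account)] += 1
        weak += password in WEAK_PASSWORDS
    return {
        "credential_stuffing": sorted(k for k, v in accounts_by_src.items() if len(v) > max_accounts),
        "brute_force": sorted(k for k, v in attempts.items() if v > max_attempts),
        "weak_password_requests": weak,
    }

# Constructed sample traffic: (source IP, method, URL, POST body)
SAMPLE = (
    [("198.51.100.7", "POST", "/login.do", f"username=user{i}&pwd=123456") for i in range(5)]
    + [("203.0.113.9", "POST", "/login.do", f"username=Jammy&pwd=guess{i}") for i in range(4)]
    + [("203.0.113.9", "GET", "/sendsms.do?mobile=13811111111", ""), ("192.0.2.1", "GET", "/login.html", "")]
)
```

Running analyze(SAMPLE) flags the first source for hitting many accounts, the Jammy account for repeated attempts, and counts the weak-password submissions; the /login.html hit is ignored because only the submission endpoint is monitored.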
Additional information
The account security feature only detects account risks. Because businesses and technologies vary, we recommend that you choose security services based on your actual business requirements to better safeguard your business. For more information, see Account security best practices.