Web Application Firewall (WAF) supports the account security feature. This feature monitors the endpoints related to user authentication, such as registration and logon endpoints, and detects events that may threaten user credentials. Detectable risks include credential stuffing, brute-force attacks, account registration launched by bots, weak password sniffing, and SMS interface abuse. To use the account security feature, add endpoints that need to be monitored by WAF. You can view detection results in WAF security reports.

Notice This topic uses the new version of the WAF console released in January 2020. If your WAF instances were purchased before January 2020, see Account security.

Prerequisites

  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.
  • The billing method of your WAF instance must be a monthly or annual subscription. The WAF instance must use the Business, Enterprise, or Exclusive edition.

Background information

Before you enable account security, obtain the endpoint information that is required for the configuration: the domain name, the URL to which visitors submit user credentials, and the parameters that carry the username and password. Each WAF instance allows you to enable account security simultaneously for up to three endpoints.

Add an endpoint

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Lab > Account Security.
  4. On the Account Security page, click Add Endpoint.
    Note Each WAF instance allows you to enable account security simultaneously for up to three endpoints. If you have already added three endpoints, the Add Endpoint button is dimmed.
  5. In the Add Endpoint dialog box, set the following parameters and click Save.

    Endpoint to be Detected
      Select the domain name for which you want to enable account security. Then, enter the URL to which user credentials are submitted.
      Do not enter the URL of the logon page, such as /login.html. Instead, enter the endpoint to which the usernames and passwords entered by visitors are submitted.
    Request Method
      Select the request method of the endpoint. Valid values: POST, GET, PUT, DELETE.
    Account Parameter Name
      Specify the name of the parameter that carries the username.
    Password Parameter Name
      Specify the name of the parameter that carries the password. If no password is required to access the endpoint, leave this parameter empty.
    Protective Action
      Select the action to take on requests that compromise account security. Valid values:
      • Report
      • Block
    Sample configurations
      • If the logon endpoint is /login.do and the body of the POST request is username=Jammy&pwd=123456, set Account Parameter Name to username and Password Parameter Name to pwd. You can set the parameters as shown in the screenshot.
      • If the credential parameters are included in the URL of a GET request, for example, /login.do?username=Jammy&pwd=123456, set Request Method to GET. Keep the other settings the same as those in the figure.
      • If no password is required to access the endpoint, for example, a registration endpoint, set Account Parameter Name and leave Password Parameter Name empty.
      • If a phone number is used as the user credential, the phone number can serve as the account parameter. For example, if the URL is /sendsms.do?mobile=13811111111, set Endpoint to be Detected to /sendsms.do, set Account Parameter Name to mobile, and leave Password Parameter Name empty.
    After you add the endpoints, WAF automatically dispatches detection tasks. If the traffic to the endpoint meets the detection conditions, account risks are reported within a few hours.
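As an added example (not Alibaba Cloud WAF code), the following Python script checks that an endpoint configuration such as the ones above actually matches the credential requests your application sends, so the Account Parameter Name and Password Parameter Name you enter correspond to real fields. The /register.do path and the GET method for /sendsms.do are assumptions, and all requests are constructed.

```python
# Added example, not Alibaba Cloud WAF code: a local check that an account
# security endpoint configuration matches the credential requests your
# application actually sends. All requests below are constructed.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

@dataclass
class EndpointConfig:
    endpoint: str                         # Endpoint to be Detected (path part)
    method: str                           # Request Method: POST, GET, PUT, DELETE
    account_param: str                    # Account Parameter Name
    password_param: Optional[str] = None  # Password Parameter Name, may be left empty

def extract_credentials(cfg, method, url, body=""):
    """Return (account, password) if the request hits the configured endpoint and
    carries the account parameter, else None. password is None if not configured."""
    if method.upper() != cfg.method.upper():
        return None
    parts = urlsplit(url)
    if parts.path != cfg.endpoint:
        return None
    # Credentials are read from the query string for GET and from the form body otherwise.
    source = parts.query if cfg.method.upper() == "GET" else body
    params = parse_qs(source, keep_blank_values=True)
    if cfg.account_param not in params:
        return None  # configured name not present: this configuration would never match
    account = params[cfg.account_param][0]
    password = None
    if cfg.password_param and cfg.password_param in params:
        password = params[cfg.password_param][0]
    return account, password

# The sample configurations from this topic. The /register.do path and the
# GET method for /sendsms.do are assumptions; the topic does not state them.
LOGIN_POST = EndpointConfig("/login.do", "POST", "username", "pwd")
LOGIN_GET = EndpointConfig("/login.do", "GET", "username", "pwd")
REGISTER = EndpointConfig("/register.do", "POST", "username")
SEND_SMS = EndpointConfig("/sendsms.do", "GET", "mobile")

def self_check():
    """Run constructed requests against each sample configuration."""
    return {
        "post": extract_credentials(LOGIN_POST, "POST", "/login.do", "username=Jammy&pwd=123456"),
        "get": extract_credentials(LOGIN_GET, "GET", "/login.do?username=Jammy&pwd=123456"),
        "register": extract_credentials(REGISTER, "POST", "/register.do", "username=Jammy&email=j%40example.com"),
        "sms": extract_credentials(SEND_SMS, "GET", "/sendsms.do?mobile=13811111111"),
        "page": extract_credentials(LOGIN_POST, "GET", "/login.html"),  # logon page, must not match
    }
```

A result of None for a request you expect to be monitored means the configured path, method or parameter name does not match what the application submits.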

View account security reports

To view account security reports, find the target endpoint on the Account Security page, and click View Report in the Actions column. You can also view security reports on the Security report page in the WAF console.

The following procedure describes how to view security reports on the Security report page.

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, click Security report.
  4. Click the Web Security tab, click Account Security, and then select the domain name, the endpoint, and the time range (Yesterday, Today, 7 Days, or 30 Days) to view the corresponding account security risks.

    The following table lists the fields and descriptions in an account security report.

    Endpoint
      The URI at which WAF detected account risks.
    Domain
      The domain name to which the endpoint belongs.
    Malicious Requests Occurred During
      The time period during which account risks were detected.
    Blocked Requests
      The number of requests blocked by WAF protection rules during the time period shown in the Malicious Requests Occurred During column.
      WAF protection rules are the rules that are currently in effect, including web application protection rules, accurate access control, HTTP flood protection, and blocked regions. The proportion of blocked requests indicates the account security status of the endpoint.
    Total Requests
      The total number of requests sent to the endpoint during the time period shown in the Malicious Requests Occurred During column.
    Alert Triggered By
      The reason why the alert was triggered. Possible reasons include:
      • A request fits the behavior model of credential stuffing or brute-force attacks.
      • The traffic baseline of the endpoint is abnormal during the displayed time period.
      • A large number of requests sent to the endpoint during the displayed time period match rules in the threat intelligence library.
      • Weak passwords are detected in a large number of requests sent to the endpoint during the displayed time period, which indicates that credential stuffing or brute-force attacks may be occurring.

See also

The account security feature only detects account risks. Due to the variations of businesses and technologies, we recommend that you choose security services based on your actual business requirements to better safeguard your business. For more information, see Account security best practices.