Web applications exposed to the Internet face constant attack. SQL injection, cross-site scripting (XSS), webshell uploads, and other exploits target vulnerabilities in application code. A successful attack can lead to data theft, unauthorized access, or full server compromise.
Alibaba Cloud provides two layers of defense:
Web Application Firewall (WAF) filters malicious traffic at the network perimeter.
Runtime Application Self-Protection (RASP) detects attacks from inside the application runtime.
Deploy both together for defense in depth.
Common web application threats
Any web application that accepts user input over the Internet is a potential target. Attackers exploit weaknesses such as improper parameter validation and dynamic code execution.
| Threat | Description |
| --- | --- |
| SQL injection | Malicious SQL code inserted into input fields executes unauthorized database operations. Attackers can steal, modify, or delete data. |
| Cross-site scripting (XSS) | Malicious scripts injected into webpages run in other users' browsers, leading to session hijacking and information leaks. |
| Webshell uploads | Attackers exploit file upload vulnerabilities to place a malicious server-side script (webshell) on the server, gaining remote control. |
| Command injection | Operating system commands injected through application inputs execute arbitrary commands on the server. |
| Path traversal | Manipulated file path references access files and directories outside the intended scope. |
| File inclusion | Local or remote file inclusion forces the application to load and execute unintended files. |
| Cross-site request forgery (CSRF) | Authenticated users are tricked into submitting unintended requests, performing actions without their knowledge. |
Defense architecture: WAF + RASP
WAF and RASP protect web applications at different layers. Used together, they cover threats that neither handles alone.
| Layer | Technology | How it works | Protects against |
| --- | --- | --- | --- |
| Network perimeter (first line of defense) | WAF | Inspects HTTP/HTTPS requests and responses before they reach the application. Uses continuously updated rules and AI-powered analysis to detect and block known attack patterns. | SQL injection, XSS, known exploit signatures, malicious request patterns |
| Application runtime (second line of defense) | RASP | Embeds inside the application runtime environment (such as a Java Virtual Machine (JVM)). Hooks key functions to monitor actual application behavior. | Zero-day vulnerabilities, encrypted traffic attacks, in-memory webshells, attacks that bypass network-level detection |
First line of defense: WAF
WAF sits in front of the web application and inspects all incoming HTTP and HTTPS traffic. Its continuously updated rule library and AI-powered proactive defense detect and block most known attack patterns before requests reach backend servers.
Step 1: Purchase a WAF edition
Select a WAF edition based on website scale and traffic volume.
| Edition | Use case |
| --- | --- |
| Pro | Small and medium-sized websites with no special security requirements |
| Business | Medium-sized enterprise websites that are open to the Internet and have high security requirements |
| Enterprise | Medium and large-sized enterprise websites that have a large business scale or custom security requirements |
For a detailed comparison, see WAF deployment plans and editions.
Step 2: Connect the website to WAF
Connect the website or application to WAF to start filtering traffic. WAF 3.0 supports three connection types.
| Connection type | How it works | Best for | Setup guide |
| --- | --- | --- | --- |
| CNAME record mode | Change the DNS record of the domain to the CNAME address provided by WAF. All public traffic routes through the WAF cluster before reaching the server. | Services on Alibaba Cloud, other clouds, or in on-premises data centers. Works with any origin server reachable over the Internet. | |
| Cloud native mode | Integrate Alibaba Cloud services directly with WAF. No DNS changes required. | Alibaba Cloud services: Elastic Compute Service (ECS), Application Load Balancer (ALB), Classic Load Balancer (CLB), Network Load Balancer (NLB), API Gateway (APIG), Microservices Engine (MSE), Function Compute (FC), and Serverless App Engine (SAE). | |
| Hybrid cloud mode | Deploy the WAF SDK plugin on a self-built gateway such as Nginx or APISIX. Traffic is copied to a WAF cluster in bypass mode for detection. The WAF cluster does not forward traffic. | Hybrid cloud deployments where web servers run on-premises. | -- |
Note: CNAME record mode works for any origin server, regardless of hosting location. Cloud native mode provides the simplest setup for Alibaba Cloud services. Hybrid cloud mode is designed for environments where traffic cannot be rerouted through an external WAF cluster.
Second line of defense: RASP
WAF filters traffic at the network perimeter, but some attacks evade network-level detection. Encrypted traffic, zero-day exploits, and sophisticated payloads designed to bypass signature-based rules can pass through a WAF undetected.
RASP operates inside the application itself. It embeds directly into the application runtime environment -- for example, as a probe in a JVM -- and hooks key functions to monitor what the application does during execution. When a request triggers a database query, RASP analyzes the SQL statement that will be executed, not just the network request that delivered it. This runtime context makes RASP effective against threats that WAF cannot catch on its own.
What RASP catches that WAF may miss
| Threat | Why WAF may miss it | How RASP detects it |
| --- | --- | --- |
| Zero-day vulnerabilities | No matching signature in the WAF rule library. | Monitors runtime behavior for anomalous function calls, regardless of the exploit used. |
| Encrypted traffic attacks | WAF may not have visibility into end-to-end encrypted payloads. | Operates inside the application after decryption, seeing the actual data being processed. |
| In-memory webshells | No file written to disk, so file-based detection fails. | Hooks memory operations and function calls to detect malicious code executing in memory. |
| Deserialization attacks | Malicious payloads embedded in serialized objects may not match WAF signatures. | Monitors deserialization functions and blocks execution of unexpected code. |
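The following Python example is added here to make the two vantage points concrete; it is not Alibaba Cloud's WAF or RASP code (the real RASP runs as a JVM probe, and the real WAF rule library is far larger than a few regexes). It pairs a toy perimeter filter, which only sees the raw request parameter, with a toy runtime hook wrapped around a DB-API cursor, which sees the SQL statement the application is about to execute and compares its structure against the shape learned from the intended query. A base64-encoded parameter that the application decodes internally stands in for the encrypted or encoded payloads described above; the signature list, the `users` table, and the sample parameters are all constructed for this example.

```python
"""Toy perimeter (WAF-style) check next to a toy runtime (RASP-style) hook.

Added illustration only: not Alibaba Cloud code. All signatures, table data
and sample parameters below are constructed for the example.
"""
import base64
import re
import sqlite3

# --- Perimeter check: sees only the request parameter as delivered ----------
# Constructed signature list standing in for a WAF rule library.
PERIMETER_SIGNATURES = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),
    re.compile(r"(?i)\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    re.compile(r"(?i)['\"];\s*(drop|delete|update|insert)\b"),
]


def perimeter_filter(raw_param: str) -> bool:
    """Return True if the raw parameter matches a known attack signature."""
    return any(sig.search(raw_param) for sig in PERIMETER_SIGNATURES)


# --- Runtime hook: sees the statement that will actually be executed --------
def sql_token_shape(sql: str) -> str:
    """Reduce a statement to its structure: string literals and numbers become '?'.

    Injected input changes the shape (extra OR / comparison / UNION terms),
    whereas ordinary parameter values do not.
    """
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # '...' literals, with '' escapes
    s = re.sub(r"\b\d+\b", "?", s)              # bare numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()


class QueryHook:
    """Wraps a DB-API cursor and blocks statements whose shape was not learned."""

    def __init__(self, conn, learned_shapes):
        self._cur = conn.cursor()
        self._learned = set(learned_shapes)
        self.blocked = []  # statements refused at runtime, for logging/alerting

    def execute(self, sql, params=()):
        shape = sql_token_shape(sql)
        if shape not in self._learned:
            self.blocked.append(sql)
            raise PermissionError(f"blocked statement with unexpected structure: {shape}")
        return self._cur.execute(sql, params)


# --- Application under test ---------------------------------------------------
def build_lookup_sql(user_id: str) -> str:
    # Deliberately unsafe concatenation so the hook has something to catch;
    # production code should bind user_id as a parameter instead.
    return f"SELECT name FROM users WHERE id = '{user_id}'"


def encode_param(value: str) -> str:
    """Constructed client-side encoding the application reverses before use."""
    return base64.b64encode(value.encode()).decode()


def simulate_request(raw_param: str) -> dict:
    """Run one request through both layers and report what each layer did."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('42', 'alice'), ('7', 'bob')")
    # Warm-up: the hook learns the shape of the query the application intends to run.
    hook = QueryHook(conn, [sql_token_shape(build_lookup_sql("42"))])

    waf_blocked = perimeter_filter(raw_param)

    # The application decodes the parameter only after it passed the perimeter,
    # so an encoded payload looks harmless to the signature check.
    try:
        user_id = base64.b64decode(raw_param, validate=True).decode()
    except ValueError:  # not valid base64 (or not UTF-8): treat as plain text
        user_id = raw_param

    rasp_blocked, rows = False, []
    if not waf_blocked:
        try:
            rows = hook.execute(build_lookup_sql(user_id)).fetchall()
        except PermissionError:
            rasp_blocked = True
    return {"waf_blocked": waf_blocked, "rasp_blocked": rasp_blocked, "rows": rows}


if __name__ == "__main__":
    for param in ("42", "' OR '1'='1", encode_param("' OR '1'='1")):
        print(repr(param), simulate_request(param))
```

The plain-text payload is stopped at the perimeter, and the base64-wrapped copy of the same payload passes the signature check but is refused by the hook because the decoded statement no longer has the learned shape. That is the page's point in miniature: the runtime layer judges what the application is about to do, not what the request looked like on the wire.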
Deploy RASP
Enable RASP through the Security Center application protection feature. RASP deploys as a probe or module in the application runtime. For setup instructions, see Connect to application protection.
WAF and RASP comparison
| | WAF | RASP |
| --- | --- | --- |
| Protection layer | Network perimeter | Application runtime |
| Detection method | Rule-based and AI-powered inspection of HTTP/HTTPS traffic | Runtime behavior monitoring via function hooking |
| Deployment | External to the application (DNS change, cloud native integration, or SDK plugin) | Embedded inside the application runtime (JVM probe) |
| Strength | Blocks known attack patterns before they reach the application | Catches zero-day exploits, encrypted traffic attacks, and in-memory threats |
| Limitation | Cannot detect attacks that bypass signature matching or hide in encrypted traffic | Only protects the application it is embedded in |
| Setup | Purchase a WAF edition and connect the website (CNAME record, cloud native, or hybrid cloud mode) | Enable application protection in Security Center and deploy the probe in the application runtime |
Deploy WAF as the first line of defense to filter known attacks at the network perimeter. Add RASP as the second line of defense to catch threats that evade network-level detection. Together, they provide layered protection from the network edge to the application runtime.