This topic describes the attacks involved in attack statistics and provides corresponding solutions.

Attack type Description Solution
JNDI injection If an application initiates a JNDI query but the query URL is controlled by an attacker, the attacker can induce the server on which the application runs to query malicious links and load malicious classes. This results in arbitrary code execution on the server.
  • If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.
  • If this vulnerability is caused by self-written code for JNDI queries, you must restrict the query URLs to prohibit queries over insecure protocols.
JNI injection Java Native Interface (JNI) injection is a common method to bypass the Runtime Application Self-Protection (RASP) technology. If an attacker obtains the permissions to execute code, the attacker can use JNI functions to call external malicious dynamic-link libraries. This way, the attacker can bypass the security protection of the Java layer and conceal specific malicious behaviors. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
JSTL file inclusion The JavaServer Pages Standard Tag Library (JSTL) is a set of JavaServer Pages (JSP) tags, which encapsulates the common core features of JSP applications. If a user-controllable parameter is directly concatenated into JSTL without any restrictions on the parameter, an attacker can construct a special script that causes arbitrary file reads and server-side request forgery (SSRF) attacks. We recommend that you do not directly concatenate user-controllable parameters into JSTL. If you need to do this, you must exercise strict whitelist control on the content of the parameters.
SQL injection An SQL injection attack inserts SQL statements into the query strings of web requests or web forms and induces the server to execute the SQL statements. An attacker can obtain the data on websites with security vulnerabilities by inserting SQL statements into web forms. SQL injection is caused by concatenating SQL statements. Precompile input parameters or use whitelists and blacklists to limit concatenated parameters.
XXE XXE injection is short for XML external entity injection. If an XML file references an external entity, an attacker can construct malicious content to cause arbitrary file reads, command injection, and internal network attacks. Check whether your application needs to load external entities when it parses XML files. If not, disable external entities in the XML parsing configuration.
XSS Cross-site scripting (XSS) attacks inject malicious scripts into websites. When users browse a website, the script injected into the website is executed. Similar to HTML injection attacks, XSS attacks allow attackers to inject HTML code into web pages. To protect your application against XXS attacks, you must strictly filter and escape input data when the code submitted by a user is displayed on web pages.
  1. Filter input data and strictly check the following characters: ', ", <, >, on*, script, and iframe. Check the input data specified by users, the variables in the cookies of HTTP requests, and the variables in HTTP request headers.
  2. Check the type, format, length, range, and content of data.
  3. Check and filter data both on the client side and the server side.
  4. Encode and convert the input data that is displayed on web pages. For example, encode the data to HTML entities or JavaScript data. Check the output data. A value in the database may be displayed multiple times on a website. Even if you encode an input value, you must also check all the output values.
Expression language (EL) injection Expressions provide a wide range of features, such as data query and processing during runtime. Multiple expressions also provide features that require advanced permissions such as function calls. If the features are not restricted, attackers can modify the content of expressions and execute arbitrary code. Strictly restrict the content of expressions and disable Java function calls. If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.
Malicious Attach API The Attach API is a Java technology that can be used to dynamically modify the bytecode of running applications. Attackers can use the technology to inject agent-type memory horses. This method is highly deceptive. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Malicious beans binding Some Java frameworks support bean property binding when applications are running. If the types of bean properties that can be bound are not restricted, attackers can modify the values of sensitive bean properties to disrupt the operation of applications or even execute arbitrary code. You must restrict the types of bean properties that can be bound to prevent the values of bean properties such as class and class loaders from being changed. If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.
Malicious DNS query An attacker can use multiple methods to exploit malicious DNS queries. An attacker is likely to use the DNS protocol to bring sensitive information out of internal networks. The attacker may also use the DNS protocol to detect whether an internal network system has vulnerabilities such as SSRF and JNDI injection. Malicious DNS queries are caused when the server sends requests to user-controlled parameters. Check the parameter settings and configure whitelists.
Malicious reflection calls The self-protection module of RASP prohibits attackers from using reflection to modify RASP data at runtime. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Malicious class loading Zero-day vulnerabilities and web shells depend on the loading of malicious classes. If malicious classes are loaded, attackers can initialize malicious classes, obtain the permissions to execute code, and perform malicious operations.
  • If malicious classes are loaded by using web shells, delete the web shells at the earliest opportunity.
  • If malicious classes are loaded due to framework vulnerabilities, upgrade the frameworks at the earliest opportunity.
SSRF Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to attack the internal system of a website by inducing the server-side application to make HTTP requests. SSRF is caused when the server sends requests to input parameters. Check the parameter settings and configure whitelists.
Malicious file read and write Java provides the RandomAccessFile class for file read and write operations. When you use this class to read and write files but you do not restrict the file path and file content, an attacker may read sensitive system files and upload trojan files. Check whether you can read and upload files as expected. If an exception occurs, check the function code and configure blacklists.
Malicious file upload For the file upload feature provided by a website, if the types of files are not restricted, an attacker may obtain higher permissions on the server by uploading trojan files. This causes serious harm. Restrict the types of files to be uploaded and prohibit uploading files with execute permissions, such as JSP files.
Deserialization attack Java deserialization is a process of restoring a sequence of bytes into a Java object. If the Java object contains code that can cause high risks, an attacker can control the member variables of the Java object to initiate attacks during the deserialization process.
  1. Upgrade the components on which vulnerabilities are detected at the earliest opportunity.
  2. If no official versions of the components that have vulnerabilities fixed are released, temporarily disable the deserialization.
Command injection A command injection vulnerability allows an attacker to execute arbitrary system commands on the server. In most cases, remote command execution is caused by web shells or the risky code of the server. Check the location where commands are executed. If command execution is caused by web shells, delete the web shells in time. If commands are executed to implement normal features on the server, configure whitelists to limit the commands that can be executed.
Directory traversal The directory of a website may be browsed arbitrarily due to its configuration defects. This results in the disclosure of privacy information. An attacker can use the disclosed information to attack the website. Check whether the website directory can be traversed as expected. If an exception occurs, check the function code and configure blacklists to restrict the relevant commands, such as "./" and "../".
Memory horse injection Memory horse is an emerging trojan horse technique. An attacker can inject trojans into memory by some special technical means, which can effectively bypass the detection of WAF and host defense. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Arbitrary file deletion For the file deletion feature provided by a website, if files are deleted by using an absolute path or a directory traversal character and file paths are not restricted, attackers can exploit this vulnerability to obtain sensitive information and attack the server. Check whether you can delete files as expected. If an exception occurs, check the function code and configure blacklists to restrict the input parameters, such as "./" and "../".
Arbitrary file read For the file download and read feature provided by a website, if files are read and downloaded by using an absolute path or directory traversal character, an attacker can exploit this vulnerability to obtain sensitive information and attack the server. Check whether you can read files as expected. If an exception occurs, check the function code and configure blacklists to restrict the input parameters, such as "./" and "../".
Weak database password If a database password is weak, an attacker may obtain the password by initiating brute-force attacks. In this case, the attacker can steal data from the database and obtain system permissions. Use a more complex password.
Thread injection Thread injection is a common method to bypass the RASP technology. If an attacker obtains the permissions to execute code, the attacker can create a thread so that RASP loses the context of the runtime environment. In this case, the defense capability of RASP is compromised. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Usage of insecure protocols If the URL that a server accesses is user-controllable and the URL protocol is not restricted on your application, attackers can read sensitive files on the server over insecure protocols such as File and NetDoc. Restrict URL protocols.
Engine injection Java provides various third-party JavaScript engines (such as Rhino and Nashorn) and template engines (such as Apache Velocity and FreeMarker). In most cases, these engines provide features that require advanced permissions such as function calls. If the features are not restricted, attackers can modify the content executed by the engines and execute arbitrary code. Strictly restrict the content imported to the engines and disable Java function calls. If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.