Deploy WAF at the network perimeter and RASP inside the application runtime for layered defense against web attacks.
Alibaba Cloud provides two layers of defense:
-
Web Application Firewall (WAF) — filters malicious traffic at the network perimeter.
-
Runtime Application Self-Protection (RASP) — detects attacks from inside the application runtime.
Deploy both together for defense in depth.
Common web application threats
Web applications that accept user input are potential targets. Attackers exploit weaknesses such as improper parameter validation and dynamic code execution.
|
Threat |
Description |
|
SQL injection |
Malicious SQL code in input fields executes unauthorized database operations to steal, modify, or delete data. |
|
Cross-site scripting (XSS) |
Malicious scripts injected into webpages run in other users' browsers, causing session hijacking and data leaks. |
|
Webshell uploads |
Attackers exploit file upload vulnerabilities to place a webshell on the server, gaining remote control. |
|
Command injection |
OS commands injected through application inputs execute arbitrary commands on the server. |
|
Path traversal |
Manipulated file path references access files and directories outside the intended scope. |
|
File inclusion |
Local or remote file inclusion forces the application to load and execute unintended files. |
|
Cross-site request forgery (CSRF) |
Tricks authenticated users into submitting unintended requests that perform actions without their knowledge. |
Defense architecture: WAF + RASP
WAF and RASP protect at different layers. Together, they cover threats that neither handles alone.
|
Layer |
Technology |
How it works |
Protects against |
|
Network perimeter (first line of defense) |
WAF |
Inspects HTTP/HTTPS requests and responses before they reach the application. Uses updated rules and AI-powered analysis to block known attack patterns. |
SQL injection, XSS, known exploit signatures, malicious request patterns |
|
Application runtime (second line of defense) |
RASP |
Embeds inside the application runtime (such as a JVM). Hooks key functions to monitor actual application behavior. |
Zero-day vulnerabilities, encrypted traffic attacks, in-memory webshells, attacks that bypass network-level detection |
First line of defense: WAF
WAF inspects all incoming HTTP/HTTPS traffic. Its continuously updated rules and AI-powered analysis block known attack patterns before requests reach backend servers.
Purchase a WAF edition
Select a WAF edition based on your website scale and traffic volume.
|
Edition |
Use case |
|
Pro |
Small to medium websites with no special security requirements |
|
Business |
Internet-facing enterprise websites with high security requirements |
|
Enterprise |
Large enterprise websites with high traffic or custom security requirements |
See WAF plans and editions for a detailed comparison.
Connect the website to WAF
WAF 3.0 supports three connection types.
|
Connection type |
How it works |
Best for |
Setup guide |
|
Point the domain DNS record to the WAF CNAME address. All public traffic routes through WAF before reaching the server. |
Any origin server reachable over the Internet, on Alibaba Cloud, other clouds, or on-premises. |
||
|
Integrates Alibaba Cloud services directly with WAF. No DNS changes required. |
Alibaba Cloud services: ECS, ALB, CLB, NLB, API Gateway (APIG), Microservices Engine (MSE), Function Compute (FC), and Serverless App Engine (SAE). |
||
|
Deploy the WAF SDK plugin on a self-built gateway such as Nginx or APISIX. Traffic is copied to a WAF cluster in bypass mode for detection without forwarding. |
Hybrid cloud deployments with on-premises web servers. |
-- |
Note: CNAME record mode works for any origin server regardless of hosting location. Cloud native mode provides the simplest setup for Alibaba Cloud services. Use hybrid cloud mode when traffic cannot be rerouted through an external WAF cluster.
Second line of defense: RASP
WAF filters traffic at the network perimeter, but some attacks evade network-level detection. Encrypted traffic, zero-day exploits, and payloads designed to bypass signature-based rules can pass through undetected.
RASP embeds directly into the application runtime -- for example, as a JVM probe -- and hooks key functions to monitor execution behavior. When a request triggers a database query, RASP analyzes the actual SQL statement, not just the network request. This runtime context makes RASP effective against threats that WAF cannot catch alone.
What RASP catches that WAF may miss
|
Threat |
Why WAF may miss it |
How RASP detects it |
|
Zero-day vulnerabilities |
No matching signature in the rule library. |
Monitors runtime behavior for anomalous function calls regardless of the exploit used. |
|
Encrypted traffic attacks |
Cannot inspect end-to-end encrypted payloads. |
Operates after decryption, seeing the actual data processed. |
|
In-memory webshells |
No file written to disk, so file-based detection fails. |
Hooks memory operations and function calls to detect malicious code in memory. |
|
Deserialization attacks |
Malicious payloads in serialized objects may not match WAF signatures. |
Monitors deserialization functions and blocks execution of unexpected code. |
Deploy RASP
Enable RASP through Security Center application protection. RASP deploys as a probe or module in the application runtime. See Connect to application protection.
WAF and RASP comparison
|
WAF |
RASP |
|
|
Protection layer |
Network perimeter |
Application runtime |
|
Detection method |
Rule-based and AI-powered inspection of HTTP/HTTPS traffic |
Runtime behavior monitoring via function hooking |
|
Deployment |
External to the application (DNS change, cloud native integration, or SDK plugin) |
Embedded in the application runtime (JVM probe) |
|
Strength |
Blocks known attack patterns before they reach the application |
Catches zero-day exploits, encrypted traffic attacks, and in-memory threats |
|
Limitation |
Cannot detect attacks that bypass signature matching or hide in encrypted traffic |
Only protects the application it is embedded in |
|
Setup |
Deploy WAF to filter known attacks at the network perimeter, and add RASP to catch threats that evade network-level detection. Together, they provide layered protection from the network edge to the application runtime.