If you deploy web services and provide them over the Internet, use a Web Application Firewall (WAF) together with Runtime Application Self-Protection (RASP). The combination defends against common attacks such as website trojans, WebShells, database attacks, cross-site attacks, remote command execution, and file upload exploits: WAF filters known attack patterns at the edge, and RASP checks what the application actually does with the requests that get through.
Security risks
Any web application, such as a website or API operation, that provides services over the Internet is inevitably exposed to attacks. Attackers exploit common vulnerabilities in web applications, such as improper parameter validation and dynamic code execution, to launch various attacks:
SQL injection: Attackers insert malicious SQL code into input fields to trick the server into executing unintended database operations. This allows them to steal, tamper with, or delete your core data.
Cross-site scripting (XSS) attacks: Attackers inject malicious scripts into webpages. When other users visit these pages, the scripts run in their browsers. This can lead to session hijacking and personal information leaks.
WebShell uploads: Attackers exploit file upload vulnerabilities to upload a malicious server-side script (WebShell) to your server. This gives them remote control over the server.
Other common attacks: These include command injection, directory traversal, file inclusion, and cross-site request forgery (CSRF). All of these can be devastating to your business.
A Web Application Firewall is a system designed to protect web applications from various security threats. It inspects the content of HTTP and HTTPS requests and responses to detect and block specific attacks, so it stops the bulk of known web attacks before they reach your servers. For deeper protection, deploy RASP as well. RASP is embedded in the application's runtime environment. It hooks key functions (for example, the database query, file, and command execution APIs) to monitor application behavior and gather rich contextual information, which lets it detect and block attacks with greater accuracy. Compared to WAF, RASP is more effective against exploitation of zero-day vulnerabilities, attacks carried in traffic that the WAF cannot decrypt, and in-memory webshells, because it judges the operation the application is about to perform rather than the request as it appears on the wire.
Best practices
First line of defense: Web Application Firewall (WAF)
WAF works in front of your web application, acting as the first checkpoint for incoming traffic. It functions like a professional "network gatekeeper" by inspecting all incoming HTTP and HTTPS requests. Using its built-in and continuously updated rule library, WAF detects and blocks most known attack traffic, such as malicious SQL injection code in a URL. Because WAF sits in front of the application rather than inside it, this protection is non-intrusive: it filters most malicious requests without changes to application code and significantly reduces the load on backend servers. Detection at this layer is driven by the rule library, so keep it updated and expect that payloads outside the rule set can still reach the application.
Activate and purchase: Purchase a WAF edition (Pro, Enterprise, or Ultimate) based on your website's scale and traffic volume. For more information, see Plans and versions.
Connect to WAF: Connect your website to WAF to enable protection. WAF supports the following connection types (WAF 3.0 is used as an example):
Connection type: CNAME record
Principle: Change the DNS record of the website to the CNAME address provided by WAF, which ensures that all public network access traffic is first routed through the WAF cluster. Because this relies on DNS, also restrict the origin server to accept traffic only from the WAF back-to-origin addresses; otherwise an attacker who learns the origin IP address can bypass WAF entirely.
Use cases: Protection for servers on the cloud (Alibaba Cloud or non-Alibaba Cloud) or in on-premises IDCs. For example, Add a website using a CNAME record.

Connection type: Alibaba Cloud product access
Principle: Allows quick connection to WAF for ALB, CLB, NLB, ECS, APIG, MSE, FC, and SAE. The connection method varies by cloud product.
Use cases: Add Alibaba Cloud products to WAF for protection. For example, Add an ECS instance.

Connection type: Hybrid cloud (WAF SDK)
Principle: Deploy the WAF SDK plug-in on a self-built unified access gateway, such as Nginx or APISIX. Service traffic is copied to a WAF cluster that is deployed in bypass mode for detection. The WAF cluster does not forward traffic.
Use cases: Hybrid clouds where web servers are deployed on-premises.
Second line of defense: RASP
WAF may struggle with traffic it cannot decrypt, zero-day attacks that exploit unknown vulnerabilities, or obfuscated payloads that do not match any rule. This is where a second, deeper line of defense is needed: RASP.
RASP is embedded directly into your application's runtime environment, such as a Java Virtual Machine (JVM), as a probe or module. It hooks key functions to monitor the application's actual internal behavior. For example, when a request is about to trigger a database query, RASP analyzes the SQL statement that will be executed and checks whether request data has changed its structure: a benign parameter stays a single literal, while an injection turns into operators and keywords. This is different from WAF, which can only infer intent from the request as it appears on the wire, before the application has decoded and used it. This "insider" perspective gives RASP a natural advantage against new threats such as zero-day vulnerabilities and in-memory webshells, and makes it a strong complement to WAF. Because RASP runs inside the process, deploying it means loading an agent into the runtime and validating its performance overhead in a staging environment first. For more information, see Connect to application protection.
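The following added example (not code from Alibaba Cloud WAF or RASP) puts both lines of defense in front of the same deliberately vulnerable endpoint to show the difference described in the WAF section and in the paragraph above. The toy WAF matches a small, constructed signature set against the request string; the toy RASP hooks the application's input-parsing and SQL-execute functions and blocks when a request value spans more than one token of the SQL statement that is about to run. The rules, tokenizer, schema, payloads and the use of a plain substring search in place of real taint tracking are all simplifications made here.

```python
"""Toy WAF versus toy RASP on one vulnerable endpoint (added example).

Not Alibaba Cloud code. Rule set, tokenizer, schema and payloads are constructed
for illustration; sql.find() stands in for the taint tracking a real RASP does.
"""
import re
import sqlite3
import urllib.parse

# ---- Toy WAF: signatures applied to the once URL-decoded request string ----
WAF_RULES = [
    re.compile(r"(?i)\bunion\b[\s\S]+\bselect\b"),    # UNION ... SELECT
    re.compile(r"(?i)'\s*or\s+\S+\s*=\s*\S+"),         # ' OR 1=1
    re.compile(r"(?i);\s*(?:drop|delete|update)\b"),   # stacked query
]


def waf_blocks(raw_query_string):
    """True when a signature matches. The WAF never sees the resulting SQL."""
    decoded = urllib.parse.unquote(raw_query_string)
    return any(rule.search(decoded) for rule in WAF_RULES)


# ---- Toy RASP: hooks at the input boundary and at the database sink ----
SQL_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|--[^\n]*|[^\s\w]")


def spans_multiple_tokens(sql, value):
    """A benign parameter occupies exactly one SQL token (a literal).
    If the request value overlaps two or more tokens, it became SQL syntax."""
    start = sql.find(value)            # simplification: real RASPs track taint
    if start < 0:
        return False
    end = start + len(value)
    overlapping = [m for m in SQL_TOKEN.finditer(sql)
                   if m.start() < end and m.end() > start]
    return len(overlapping) > 1


class Rasp:
    def __init__(self):
        self.tainted = []              # request-derived strings seen by the input hook

    def hook_parse_qs(self, query_string):
        """Hook on the input-parsing function: remember every request value."""
        params = urllib.parse.parse_qs(query_string)
        for values in params.values():
            self.tainted.extend(v for v in values if v)
        return params

    def hook_execute(self, cursor, sql):
        """Hook on cursor.execute: block if request data changed the SQL structure."""
        for value in self.tainted:
            if spans_multiple_tokens(sql, value):
                raise PermissionError(f"RASP blocked SQL: {sql!r}")
        return cursor.execute(sql)


class NoRasp(Rasp):
    """Same hooks, no enforcement: shows what the injection does unprotected."""
    def hook_execute(self, cursor, sql):
        return cursor.execute(sql)


# ---- The application (deliberately vulnerable: SQL built by string formatting) ----
def setup_db():
    conn = sqlite3.connect(":memory:")             # constructed sample data
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("1", "alice"), ("2", "bob")])
    return conn


def handle_request(raw_query_string, rasp):
    params = rasp.hook_parse_qs(raw_query_string)
    user_id = params.get("id", [""])[0]
    sql = f"SELECT name FROM users WHERE id = '{user_id}'"   # the defect
    cur = setup_db().cursor()
    rasp.hook_execute(cur, sql)
    return [row[0] for row in cur.fetchall()]


def run(raw_query_string, waf=True, rasp=True):
    """Return 'waf_blocked', 'rasp_blocked', or the names the query returned."""
    if waf and waf_blocks(raw_query_string):
        return "waf_blocked"
    try:
        return handle_request(raw_query_string, Rasp() if rasp else NoRasp())
    except PermissionError:
        return "rasp_blocked"


if __name__ == "__main__":
    # Constructed requests: benign, textbook injection, comment-obfuscated injection.
    for q in ("id=1", "id=1%27%20OR%20%271%27%3D%271", "id=1%27%2F**%2For%2F**%2F1%3D1--"):
        print(q, "->", run(q), "| unprotected:", run(q, waf=False, rasp=False))
```

The textbook payload is caught at the edge by the WAF signature. The comment-obfuscated variant matches none of the constructed rules and reaches the application, where SQLite would evaluate it as `id = '1' or 1=1` and return every row; the RASP hook blocks it anyway, because the request value now overlaps a string literal, comment characters, the `or` keyword and a comparison rather than a single literal. The structural check needs no signature for the specific obfuscation, which is the property the text attributes to RASP.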