The application protection feature is developed based on the Runtime Application Self Protection (RASP) technology. This feature can protect applications that are running. To use the application protection feature, you do not need to change the application code. You need to only install the application protection agent on the servers that you want to protect. The feature can protect your applications against attacks that are launched by exploiting most unknown vulnerabilities.

How application protection works

The application protection feature of Security Center is developed based on the RASP technology of Alibaba Cloud. The RASP technology can detect attacks and provide self-protection during application runtime. RASP is built into applications and hooks key functions to monitor the interactions between applications and other systems in real time. When suspicious behavior occurs in an application, RASP identifies and blocks attacks based on the context. The application protection feature is available only for Java applications.

Supported editions

The application protection feature is in public preview. Only the Advanced, Enterprise, and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Advanced, Enterprise, or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Prerequisites

  • The Security Center agent on your server for which you want to configure the application protection feature is online. For more information about how to view the status of the Security Center agent, see Change the protection status of a server. For more information about how to troubleshoot issues that cause the status of the Security Center agent becomes offline, see Use the agent troubleshooting feature.
  • The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the RAM user if the RAM user is used. For more information about how to grant permissions to a RAM user, see Grant permissions to the RAM user.

Configure and enable the application protection feature

Step 1: Add an application

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Application Protection.
  2. If this is the first time that you use the application protection feature, click Activate Now.
    If your Security Center runs the Basic or Anti-virus edition, you must upgrade your Security Center to the Advanced, Enterprise, or Ultimate edition after you click Activate Now. After you upgrade your Security Center, return to the Application Protection page and click Activate Now to go to the Application Protection page.
  3. On the Application Protection page, click the Configuration tab.
  4. Click New application. In the dialog box that appears, enter a name and remarks for the application that you want to add and click OK.

    After you add an application, the default policy is applied to the application. The default protection mode is Monitor. You can click Protection strategy in the Operation column to view the information about the default policy. If you do not want to use the default policy, you can perform the following steps to change the policy:

    1. In the application list of the Configuration tab, find the application and click Protection strategy in the Operation column.
    2. In the Protection strategy panel, modify the parameters and click OK.
      Parameter Description
      Protection Mode The protection mode for the application. Valid values:
      • Monitor: monitors attacks. The running of the application is not affected. If an attack is detected, an alert is generated. For this alert, Processing method is Monitor.
      • Block: monitors and blocks attacks, and monitors high-risk operations on the application. If an attack is blocked, an alert is generated. For this alert, Processing method is Block.
      • Disable: disables the application protection feature for the application. No attacks are monitored or blocked.
      Detection timeout The maximum period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues even if the detection logic is not complete. We recommend that you use the default value.
      SOURCE IP judgment method

      The method to obtain source IP addresses. If you select Default, the system obtains source IP addresses based on the values of standard request headers that record source IP addresses. The standard request headers include X-Real-IP, True-Client-IP, and X-Forwarded-For.

      If you select Taken from the value that defines the header, the system preferentially obtains source IP addresses based on the values of custom headers. If the system cannot obtain source IP addresses based on the values of custom headers, the value Default takes effect.
      Detection type The types of attacks to detect. We recommend that you retain the default settings. To retain the default settings, select All Selection. For more information about the types of attacks, see Attack types.

Step 2: Enable the application security feature for an application or a container

  1. In the application list of the Configuration tab, find the application and click Access Management in the Operation column.
  2. In the Access Management panel, click the Host Access Guide or Add Container tab. Then, perform the steps that are described on the tabs to install the RASP agent and restart the application or container.
    Alternatively, you can click Push RASP Agent on the Push Record tab to push the RASP agent to the server on which the application runs and install the agent on the server.
    Note The following list describes the compatibility of the RASP agent:
    • JDK: The JDK version must be 6 or later.
    • Middleware server: The agent does not have specific requirements for the type and version of middleware. Supported middleware includes but is not limited to the following types: Tomcat, Spring Boot, JBoos, WildFly, Jetty, Resin, Oracle WebLogic Server, WebSphere Application Server, WebSphere Liberty, Netty, GlassFish, and middleware developed by Chinese vendors.
    • Operating system: Linux, Windows, and macOS operating systems are supported.
    Before you restart an application or a container, you must complete related deployment based on the runtime environment of the application or container. The following table describes the parameter settings for deployment in different runtime environments. The parameters refer to the JVM parameters that are used to manually deploy an application. If the middleware of your application is not listed in the table, you can Submit a ticket to contact technical support.
    Runtime environment Parameter settings
    Tomcat on Linux

    Add the following configurations to the {TOMCAT_HOME}/bin/setenv.sh file:

    JAVA_OPTS="$JAVA_OPTS -javaagent:/{user.workspace}/rasp/rasp.jar"

    If your Tomcat version does not support the setenv.sh configuration file, open the {TOMCAT_HOME}/bin/catalina.sh file and append the preceding configurations to JAVA_OPTS.

    Tomcat on Windows
    Add the following configurations to the {TOMCAT_HOME}/bin/catalina.bat file:
    set "JAVA_OPTS=%JAVA_OPTS% -javaagent:/{user.workspace}/rasp/rasp.jar" 
    If the preceding configurations do not take effect, add the following configurations to the {TOMCAT_HOME}/bin/catalina.bat file:
    set "CATALINA_OPTS=-javaagent:/{user.workspace}/rasp/rasp.jar"
    Jetty
    Add the following configurations to the {JETTY_HOME}/start.ini configuration file:
    --exec -javaagent:/{user.workspace}/rasp/rasp.jar
    Spring Boot Add the -javaagent parameter to the startup command for the Spring Boot process.
    java -javaagent:/{user.workspace}/rasp/rasp.jar

    If you no longer want to use the application security feature to protect your application or container, you can uninstall the RASP agent. To uninstall the RASP agent, perform the steps described on the RASP Agent Uninstallation tab.

View the details about an alert event

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Application Protection.
  2. On the Application Protection page, click the Alert tab to view the details about alert events.

    On the Alert tab, the doughnut charts display the behavior of applications after the application protection feature is enabled for the applications and the statistics of attacks on the applications. The list in the lower part of the page displays the details about each attack. The details include the type, URL, behavior data, and handling method of an attack.

    • View statistics of application behavior

      The Applied behavior statistics section displays the application behavior that is monitored by the application protection feature and the behavior types. The behavior types are normal behavior and attacks.

    • View attack statistics

      The Attack statistics section displays the attacks that are detected by the application protection feature and the attack types.

    • View attack details

      The list in the lower part of the Application Protection page displays the details about each attack. You can view the time, type, URL, behavior data, and handling method of each attack in the list. You can also perform the following operations to view more information about an attack: Find the attack and click View in the Operation column. In the Details panel, view vulnerability details, request details, and server details.

Attack types

The following table describes the types of attacks that the application protection feature can detect and the solutions to defend against each type of attack.

Attack type Description Solution
JNI injection Java Native Interface (JNI) injection is a common method to bypass the RASP technology. After an attacker obtains the permissions to execute code, the attacker can use JNI functions to call external malicious dynamic-link libraries. This way, the attacker can bypass the security protection at the Java layer and conceal specific malicious behavior. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
SQL injection An SQL injection attack inserts SQL statements into the query strings of web requests or web forms and induces the server to execute the SQL statements. An attacker can obtain the data on websites on which security vulnerabilities exist by inserting SQL statements into web forms. SQL injection is caused by concatenating SQL statements. Precompile input parameters or use whitelists and blacklists to limit concatenated parameters.
XXE XXE injection is short for XML external entity injection. If an XML file references an external entity, an attacker can construct malicious content to cause arbitrary file reads, command execution, and internal network attacks. Check whether your application needs to load external entities when it parses XML files. If not, disable external entities in the XML parsing configuration.
Malicious DNS query An attacker can use multiple methods to exploit malicious Domain Name System (DNS) queries. An attacker is likely to use the DNS protocol to bring sensitive information out of internal networks. The attacker may also use the DNS protocol to check whether an internal network system has vulnerabilities such as Server-Side Request Forgery (SSRF) and Java Naming and Directory Interface (JNDI) injection. Malicious DNS queries are caused by server requests for user-controlled parameters. Check parameter settings and configure whitelists.
Malicious reflection call The self-protection module of RASP prohibits attackers from using reflection to modify RASP data during runtime. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
SSRF SSRF is a web vulnerability that allows an attacker to attack the internal system of a website by inducing a server-side application to make HTTP requests. SSRF is caused by server requests for input parameters. Check parameter settings and configure whitelists.
Malicious file read and write Java provides the RandomAccessFile class for file read and write operations. If you use this class to read and write files but you do not restrict the file path or file content, an attacker may read sensitive system files or upload trojan files. Check whether you can read and upload files as expected. If an exception occurs, check the function code and configure blacklists.
Malicious file upload For the file upload feature provided by a website, if the types of files are not restricted, an attacker may obtain higher permissions on the server by uploading trojan files. This causes serious harm. Restrict the types of files that can be uploaded and prohibit uploading files with execute permissions, such as Jakarta Server Pages (JSP) files.
Command execution A command execution vulnerability allows an attacker to execute arbitrary system commands on a server. In most cases, remote command execution is caused by webshells or the risky code of a server. Check the location where commands are executed. If command execution is caused by webshells, delete the webshells in time. If commands are executed to implement normal features on a server, configure whitelists to limit the commands that can be executed.
Directory traversal The directories of a website may be browsed arbitrarily due to the configuration defects of the website. This results in the disclosure of privacy information. An attacker can use the disclosed information to attack the website. Check whether the website directories can be traversed as expected. If an exception occurs, check the function code and configure blacklists to restrict related commands, such as "./" and "../".
Memory horse injection Memory horse is an emerging trojan horse technique. An attacker can inject trojans into memory by some special technical means, which can effectively bypass the detection of Web Application Firewall (WAF) and host defense. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Arbitrary file read For the file download and read feature provided by a website, if files are read and downloaded by using an absolute path or a directory traversal character and file paths are not restricted, an attacker can exploit this vulnerability to obtain sensitive information and attack the server. Check whether you can read files as expected. If an exception occurs, check the function code and configure blacklists to restrict the input parameters, such as "./" and "../".
Weak database password If a database password is weak, an attacker can obtain the password by initiating brute-force attacks. Then, the attacker can steal data from the database and obtain system permissions. Use a more complex password.
Thread injection Thread injection is a common method to bypass the RASP technology. If an attacker obtains the permissions to execute code, the attacker can create a thread to cause RASP to lose the context of the runtime environment. In this case, the defense capability of RASP is compromised. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Malicious Attach API The Attach API is a Java technology that can be used to dynamically modify the bytecode of applications that are running. An attacker can use the technology to inject agent-type memory horses. This method is highly deceptive. Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
JNDI injection If an application initiates a JNDI query but the query URL is controlled by an attacker, the attacker can induce the server on which the application runs to query malicious links and load malicious classes. This results in arbitrary code execution on the server.
  • If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.
  • If this vulnerability is caused by self-written code for JNDI queries, you must restrict the query URLs to prohibit queries over insecure protocols.
Usage of insecure protocols If the URL that a server accesses is user-controllable and the URL protocol is not restricted on your application, an attacker can read sensitive files on the server over insecure protocols such as File and NetDoc. Restrict URL protocols.
Deserialization attack Java deserialization is a process of restoring a sequence of bytes into a Java object. If the Java object contains code that can cause high risks, an attacker can control the member variables of the Java object to initiate attacks during the deserialization process.
  • Upgrade the components on which vulnerabilities are detected at the earliest opportunity.
  • If no official versions of the components that have vulnerabilities fixed are released, temporarily disable the deserialization.

FAQ

What types of applications can be protected by the application protection feature?

Only Java applications can be protected by the application protection feature.

Does the application protection feature affect the running of applications?

The impact on running applications is almost negligible because the application protection feature provides good control over performance, compatibility, and stability. In actual tests, the CPU overhead is less than 1%, the memory overhead is less than 30 MB, and the response time (RT) is less than 1 ms. The application protection feature provides the protection modes of Monitor, Block, and Disable and also provides the soft fuse mechanism. This minimizes interference to running applications.

How do I use the application protection feature to protect applications?

The application protection feature provides a lower false positive rate on attack detection than traditional detection techniques that are based on traffic characteristics. We recommend that you attach importance to the attacks detected by the application protection feature. After the application protection feature is enabled for an application, Monitor is selected as the protection mode by default. After the application runs stably for a period of time, you can change the protection mode from Monitor to Block.

Why is no attack data displayed on the Application security page?

This issue may be caused by the following reasons:
  • The application is not protected by the application security feature. After you click Access management in the Operation column for an application and install the RASP agent on the processes related to the application in accordance with related guides, you do not restart the processes, or you restart only some processes.
  • No real attacks are detected. Unlike traditional firewalls, the application protection feature records only real attacks. Traditional firewalls report attacks when the presence of malicious attack characteristics in packets is detected. However, the presence of malicious attack characteristics does not indicate real attacks. For example, the attack requests that exploit PHP vulnerabilities are ineffective in the Java environment. If a real attack is detected, the attacker has broken through the outer defense and can enter the internal environment of the application to perform risky operations. An application may not have a large number of real attacks. However, you must intercept attacks or fix vulnerabilities in a timely manner when real attacks are detected.