
Web Application Firewall: API security overview

Last Updated: Nov 20, 2025

API security is a separately paid module for Web Application Firewall (WAF). It leverages built-in and custom detection policies to automatically discover API assets for your protected services, detect API risks, and report API attack events. The module also supports cross-border data review and source tracing for sensitive data leaks, to help you meet API data security and compliance requirements.

Use cases

Discover unknown APIs and build an asset inventory

Rapid business iteration means developers might publish APIs without security review or fail to decommission obsolete ones. This can lead to an incomplete API asset inventory and create security blind spots. The asset management feature of API security performs offline analysis of service access logs. It automatically discovers all API endpoints in your traffic and identifies their business purposes based on their characteristics.

Detect API security risks and monitor API attacks

Improper API design or configuration can create security vulnerabilities, allowing attackers to gain unauthorized access to sensitive APIs or leak sensitive information such as user ID card numbers, phone numbers, or bank card details in responses. The risks and events feature of API security provides precise risk analysis and actionable suggestions, helping you promptly detect anomalous access and attack behaviors.

Identify cross-border data risks and trace sensitive data leak events

(For the Chinese mainland only) If your business needs to provide data to regions outside the Chinese mainland, you must apply for a data export security assessment from the national cyberspace administration through the provincial cyberspace administration. The security compliance review and traceability audit feature of API security reviews and traces outbound data. This lets you quickly identify outbound data risks in your API assets and cross-reference security events.

Capabilities of API security

Business purpose classification

How does API security classify the business purposes of APIs?

API security uses built-in policies to classify the business purpose of API endpoints by automatically matching URL and parameter name characteristics. You can also configure custom identification policies to meet your specific needs.

Purpose | Type name
User authentication | Account password-based logon, mobile verification code-based logon, email verification code-based logon, WeChat logon, Alipay logon, OAuth authentication, OIDC authentication, SAML authentication, SSO authentication, logon, logoff, password reset
User registration | Account password-based registration, mobile verification code-based registration, email verification code-based registration, WeChat registration, Alipay registration, registration service
Data operations | Database query, data upload, data download, data addition, data modification, data update, data sharing, data deletion, data synchronization, data submission, data copy, data auditing, data saving, data check
Order management | Order query, order export, order update, order payment
Log management | Log query, log reporting, log export, log service
File management | File upload, file download, file service
Notification | SMS message sending, mail sending, information sending, verification code verification
Backend management | Backend management, data dashboard, monitoring service
System control | Cancel, start, batch processing, pause, bind, debugging, settings, close, status check
Technical services | GraphQL, SQL service, large model dialogue, MCP service

How does API security identify the service object of an API?

Service object tags identify the type of caller for an API endpoint. This is determined by the naming characteristics of the API and the clustering of access sources. The classifications are as follows:

  • Internal office: APIs that provide services to internal employees.

  • Third-party cooperation: APIs that provide services to third-party ecosystem partners.

  • Public service: APIs that provide services over the Internet.

Sensitive data detection

What types of sensitive data can API security detect?

Sensitive data refers to the types of sensitive information detected in API requests and responses by our identification models. You can also configure custom detection policies. Sensitivity levels are graded S1 to S4, where higher numbers indicate greater sensitivity. These levels are consistent with the standards of the Data Security Center (DSC).

Identity information

Sensitive data type | Type ID | Sensitivity level | Category
ID Card Number (Chinese mainland) | 1000 | S3 | Personal information, Personal sensitive information
Full Name (Simplified Chinese) | 1002 | S2 | Personal information
Passport Number (Chinese mainland) | 1006 | S3 | Personal information, Personal sensitive information
Mainland Travel Permit for Hong Kong and Macao Residents | 1007 | S3 | Personal information, Personal sensitive information
License Plate Number (Chinese mainland) | 1008 | S3 | Personal information
Military Officer Card | 1010 | S3 | Personal information, Personal sensitive information
Gender | 1011 | S1 | Personal information
Ethnic Group | 1012 | S1 | Personal information
ID Card Number (Hong Kong, China) | 1015 | S3 | Personal information, Personal sensitive information
Full Name (Traditional Chinese) | 1016 | S2 | Personal information
Full Name (English) | 1017 | S2 | Personal information
ID Card Number (Malaysia) | 1018 | S3 | Personal information, Personal sensitive information
ID Card Number (Singapore) | 1019 | S3 | Personal information, Personal sensitive information
SSN | 1023 | S3 | Personal information, Personal sensitive information
Religious Belief | 1025 | S2 | Personal information, Personal sensitive information
Kartu Keluarga (KK) | 4412 | S3 | Personal information, Personal sensitive information
Kartu Indonesia Pintar (KIP) | 4418 | S2 | Personal information

Contact and location

Sensitive data type | Type ID | Sensitivity level | Category
Address (Chinese mainland) | 1003 | S2 | Personal information
Mobile Number (Chinese mainland) | 1004 | S3 | Personal information
Email Address | 1005 | S2 | Personal information
Phone Number (Chinese mainland) | 1009 | S2 | Personal information
Province (Chinese mainland) | 1013 | S1 | N/A
City (Chinese mainland) | 1014 | S1 | N/A
Telephone Number (United States) | 1024 | S2 | Personal information
Address (English) | 4410 | S2 | Personal information

Finance and payment

Sensitive data type | Type ID | Sensitivity level | Category
Debit Card | 1001 | S3 | Personal information, Personal sensitive information
Lending Bank Card | 1020 | S3 | Personal information, Personal sensitive information
SWIFT Code | 1022 | S1 | N/A

Network and device identifiers

Sensitive data type | Type ID | Sensitivity level | Category
IP Address | 2000 | S2 | Personal information
MAC Address | 2001 | S2 | Personal information
IPv6 Address | 2007 | S2 | Personal information
IMEI | 2010 | S2 | Personal information
MEID | 2011 | S2 | Personal information
URL | 2015 | S1 | N/A

Credentials and keys

Sensitive data type | Type ID | Sensitivity level | Category
JDBC Connection String | 2002 | S3 | Personal information, Personal sensitive information
PEM Certificate | 2003 | S3 | Personal information
Private Key | 2004 | S3 | Personal information, Personal sensitive information
AccessKey ID | 2005 | S3 | Personal information, Personal sensitive information
AccessKey Secret | 2006 | S3 | Personal information, Personal sensitive information
Linux Password File | 2013 | S3 | N/A
Linux Shadow File | 2014 | S3 | N/A
Alibaba Cloud AKSK key pair | 4399 | S3 | Personal information, Personal sensitive information
Legacy OpenAI API Key | 4400 | S3 | Personal information, Personal sensitive information
OpenAI Project API Key | 4401 | S3 | Personal information, Personal sensitive information
Bailian API Key | 4402 | S3 | Personal information, Personal sensitive information
HuggingFace API Key | 4403 | S3 | Personal information, Personal sensitive information
Groq API Key | 4404 | S3 | Personal information, Personal sensitive information
PAI-EAS Token | 4405 | S3 | Personal information, Personal sensitive information

Enterprise and general identifiers

Sensitive data type | Type ID | Sensitivity level | Category
Date | 2009 | S1 | N/A
Business License Number | 4000 | S2 | N/A
Tax Registration Certificate Number | 4001 | S2 | N/A
Organization Code | 4002 | S2 | N/A
Unified Social Credit Code | 4003 | S2 | N/A
Vehicle Identification Number | 4004 | S2 | N/A

How are API sensitivity levels classified?

API sensitivity levels are classified as High, Medium, Low, and None. The rules are as follows:

  • High: The API response contains S3 or higher level sensitive data, or a single response returns more than 20 items of S2-level sensitive data.

  • Medium: The API response contains S2-level sensitive data.

  • Low: The API response contains S1-level sensitive data.

  • None: The API response contains no sensitive data.
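The following Python is an added example, not part of the WAF product: it applies the four rules above to the sensitive data found in a single response body, including the "more than 20 items of S2-level data" edge case. The type IDs and levels come from the tables on this page; the regular expressions are simplified stand-ins for the product's identification models, and the response bodies are constructed.

```python
import re
from collections import Counter

# Type IDs and sensitivity levels are taken from the tables on this page. The
# regular expressions are simplified stand-ins for the product's identification
# models and are used here only to produce sample findings.
SENSITIVE_TYPES = {
    1000: ("ID Card Number (Chinese mainland)", "S3", re.compile(r"\b\d{17}[\dXx]\b")),
    1004: ("Mobile Number (Chinese mainland)", "S3", re.compile(r"\b1[3-9]\d{9}\b")),
    1005: ("Email Address", "S2", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    2009: ("Date", "S1", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
}
S2_ITEM_THRESHOLD = 20   # "more than 20 items of S2-level sensitive data" => High


def level_number(level):
    """'S3' -> 3, so that 'S3 or higher' can be compared numerically."""
    return int(level[1:])


def scan_response(body):
    """Return {type_id: item_count} for each sensitive type found in one response body."""
    findings = {}
    for type_id, (_, _, pattern) in SENSITIVE_TYPES.items():
        count = len(pattern.findall(body))
        if count:
            findings[type_id] = count
    return findings


def classify(findings):
    """Map {type_id: item_count} to the High/Medium/Low/None API level defined above."""
    items_per_level = Counter()
    for type_id, count in findings.items():
        items_per_level[level_number(SENSITIVE_TYPES[type_id][1])] += count
    if any(lvl >= 3 and n > 0 for lvl, n in items_per_level.items()) \
            or items_per_level[2] > S2_ITEM_THRESHOLD:
        return "High"
    if items_per_level[2] > 0:
        return "Medium"
    if items_per_level[1] > 0:
        return "Low"
    return "None"


def classify_response(body):
    """Scan one response body and return its API sensitivity level."""
    return classify(scan_response(body))


# Constructed response bodies, one per expected level.
SAMPLE_RESPONSES = {
    "profile": '{"name":"Li","mobile":"13800138000","email":"li@example.com"}',   # S3 present
    "bulk_contacts": "[" + ",".join(f'{{"email":"u{i}@example.com"}}' for i in range(21)) + "]",
    "team": '{"members":["a@example.com","b@example.com"],"since":"2021-06-01"}',
    "status": '{"updated":"2025-11-20"}',
    "health": '{"ok":true}',
}
```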

Risks and events

What types of API risks can API security detect?

Security specifications

  • Insecure HTTP methods

    • Risk level: Low

    • Risk description: This API uses insecure HTTP methods. An attacker can use these methods to probe server information or tamper with server data, for example, by using PUT to upload malicious files or DELETE to remove server resources.

    • Suggestion: Disable insecure HTTP methods such as PUT, DELETE, TRACE, and OPTIONS, based on your business needs.

  • Weak JWT signature algorithm

    • Risk level: Low

    • Risk description: This API uses a weak JSON Web Token (JWT) signature algorithm.

    • Suggestion: Use a more secure signature algorithm such as RS256. Ensure the key is strong and that it is transmitted and stored securely.

  • Parameter as URL

    • Risk level: Low

    • Risk description: A request parameter for this API contains a URL value. This can create a Server-Side Request Forgery (SSRF) risk.

    • Suggestion: Redesign the API to avoid using user-controlled URLs directly in parameters. Implement strict validation and filtering on parameter content.

Account security

  • Password plaintext transmission

    • Risk level: Low

    • Risk description: This API transmits account passwords in plaintext. An attacker could intercept credentials during transmission through methods like sniffing, leading to account takeover.

    • Suggestion: Encrypt or hash password fields before transmission to prevent them from being intercepted.

  • Weak password tolerance

    • Risk level: Low

    • Risk description: This logon API allows weak passwords. An attacker could exploit this to brute-force accounts.

    • Suggestion: Enforce a strong password policy. A strong password is at least 8 characters long and includes characters from at least three of the following categories: uppercase letters, lowercase letters, numbers, and symbols. Notify users with existing weak passwords to change them promptly.

  • Weak password vulnerability in internal application

    • Risk level: High

    • Risk description: The logon API of this internal application allows weak passwords. An attacker could exploit this to brute-force accounts.

    • Suggestion: Enforce a strong password policy. A strong password is at least 8 characters long and includes characters from at least three of the following categories: uppercase letters, lowercase letters, numbers, and symbols. Notify users with existing weak passwords to change them promptly.

  • Presence of default passwords

    • Risk level: Medium

    • Risk description: This application may have a default password. An attacker could use the default password to take over accounts where the password has not been changed.

    • Suggestion: For applications with default passwords, force a password change on the first logon. For existing accounts with default passwords, notify users to change them immediately.

  • Return of plaintext password

    • Risk level: Low

    • Risk description: This API's response contains a plaintext password. An attacker could intercept user credentials during transmission, leading to account takeover.

    • Suggestion: Redesign the API to avoid returning plaintext passwords in responses.

  • Password storage in cookies

    • Risk level: Low

    • Risk description: This API stores account password information in a cookie, where it can be easily stolen by an attacker.

    • Suggestion: Redesign the API to avoid storing sensitive credentials in cookies.

  • Unrestricted logon

    • Risk level: Medium

    • Risk description: This logon API does not have a CAPTCHA or similar verification mechanism. An attacker could exploit this to perform unlimited brute-force attacks on passwords.

    • Suggestion: Add a verification mechanism, such as a CAPTCHA, especially after multiple failed logon attempts, to prevent brute-force attacks.

  • Unreasonable logon failure prompt

    • Risk level: Low

    • Risk description: This API's logon failure prompt reveals whether a username exists. An attacker can use this information to enumerate valid accounts for further attacks.

    • Suggestion: When a logon fails, return a generic message like "Incorrect username or password" instead of revealing whether the username is valid.

  • URL-based account password transmission

    • Risk level: Medium

    • Risk description: This API transmits account passwords in the URL. If the URL is compromised, the credentials are leaked. URLs are often recorded in server logs, referer headers, and browser history.

    • Suggestion: Use the POST method to transmit credential data in the request body.

Access control

  • Internal application accessible from the Internet

    • Risk level: Low

    • Risk description: This API belongs to an internal application and is accessible from the Internet without access restrictions. This could allow attackers to exploit or attack the internal application.

    • Suggestion: Add an access control policy, such as an IP address whitelist, to restrict access sources.

  • Unrestricted access sources

    • Risk level: Low

    • Risk description: This API is being accessed from sources (IP addresses or regions) outside its normal baseline.

    • Suggestion: Add an access control policy. Use IP blacklists and whitelists or the Location Blacklist feature to restrict access sources.

  • Unrestricted access tools

    • Risk level: Low

    • Risk description: The client type used to access this API does not match the API's client access baseline.

    • Suggestion: Add an access control policy to restrict access tools and prevent attackers from using malicious scripts to attack the API or scrape data.

  • Unrestricted access rate

    • Risk level: Low

    • Risk description: This API receives a certain number of requests per minute from a single IP address, with no rate limit in place.

    • Suggestion: Add a rate-limiting policy to control high-frequency access and prevent abuse.

Permission management

  • Insufficiently random credentials

    • Risk level: Medium

    • Risk description: This API uses authentication credentials that are not sufficiently random and may be guessable. An attacker could brute-force these credentials to gain unauthorized or escalated access.

    • Suggestion: Increase the randomness of authentication credentials. Avoid using short or easily guessable formats.

  • Unauthenticated access to sensitive API

    • Risk level: High

    • Risk description: This API, which contains high-sensitivity data, can be accessed without authentication. This could lead to a serious data leak.

    • Suggestion: Add a strict and comprehensive identity verification mechanism to prevent unauthorized use of the API.

  • Unauthorized access to internal API

    • Risk level: High

    • Risk description: This API, which belongs to an internal application, can be accessed without authentication. This could lead to unauthorized use of internal services or an internal data leak.

    • Suggestion: Add a strict and comprehensive identity verification mechanism to prevent unauthorized use of the API.

  • URL-based credential transmission

    • Risk level: Medium

    • Risk description: This API transmits authentication credentials in the URL. If the URL is compromised, the credentials can be abused. URLs are often recorded in server logs, referer headers, and browser history.

    • Suggestion: Use another method to transmit authentication credentials, such as custom headers, cookies, or the request body.

  • AccessKey pair information leak

    • Risk level: High

    • Risk description: The response from this API contains an AccessKey ID and an AccessKey Secret, which could be exploited by an attacker.

    • Suggestion: Redesign the API to avoid returning AccessKey pair information. In addition, immediately disable or delete the leaked AccessKey pairs.

Data protection

  • Excessive types of sensitive data in response

    • Risk level: Medium

    • Risk description: The response from this API contains an excessive number of sensitive data types. This may indicate unnecessary data exposure, increasing the risk of a data leak.

    • Suggestion: Review the business need for each data type returned. Mask important sensitive data and remove any data types that are not essential.

  • Excessive sensitive data in response

    • Risk level: Medium

    • Risk description: The response from this API contains sensitive data and does not limit the amount of data returned. This could be exploited to cause a large-scale data leak.

    • Suggestion: Limit the amount of data returned in a single response based on your business needs. This prevents attackers from using the API to obtain large amounts of sensitive data.

  • Inadequate data de-identification

    • Risk level: Medium

    • Risk description: The response from this API returns both a de-identified (masked) and a non-de-identified (plaintext) version of the same data, defeating the purpose of de-identification.

    • Suggestion: Review the sample data to confirm this risk. Ensure that data intended to be masked is not also exposed in plaintext elsewhere in the response.

  • Sensitive server information leak

    • Risk level: High

    • Risk description: The response from this API contains sensitive server information. An attacker could use this information to plan an attack and gain control of the server.

    • Suggestion: Review the sample data to confirm the risk. Avoid returning internal server information directly to the client.

  • Internal IP address leak

    • Risk level: Medium

    • Risk description: The response from this API appears to contain an internal IP address, leaking internal network information. An attacker could use this information to attack internal applications.

    • Suggestion: Redesign the API to prevent internal network information from being leaked in responses.

  • URL-based sensitive data transmission

    • Risk level: Medium

    • Risk description: This API transmits high-sensitivity data in the URL. If the URL is compromised, a sensitive data leak may occur. URLs are often recorded in server logs, referer headers, and browser history.

    • Suggestion: Use the POST method and transmit sensitive data in the request body.

API design

  • Request parameter traversability

    • Risk level: Low

    • Risk description: The request parameters for this API have a fixed and predictable format. An attacker could iterate through parameter values based on this pattern to access data in batches.

    • Suggestion: Increase the randomness of parameters. Avoid using simple, sequential, or easily guessable values such as short numbers.

  • Modifiable volume of returned data

    • Risk level: Low

    • Risk description: A request parameter for this API controls the number of items returned and can be set to any value. An attacker could modify this parameter to obtain a large amount of data in a single request.

    • Suggestion: Add restrictions to this parameter. For example, provide only a few fixed options instead of allowing an arbitrary number, to prevent abuse.

  • Database query

    • Risk level: High

    • Risk description: A request parameter for this API contains a database query statement. An attacker could use this API to execute arbitrary database operations, attack the database, or steal important data.

    • Suggestion: Redesign the API to avoid passing raw database query statements from the client. Implement strict validation and filtering on all parameters.

  • Command execution API

    • Risk level: High

    • Risk description: A request parameter for this API contains a system command. An attacker could use this API to execute arbitrary system commands, gain control of the server, or steal important data.

    • Suggestion: Redesign the API to avoid passing raw command statements from the client. Implement strict validation and filtering on all parameters.

  • Arbitrary SMS message sending

    • Risk level: Medium

    • Risk description: The request parameters of this SMS message sending API contain a phone number and message content. An attacker could use this API to send malicious messages to any phone number.

    • Suggestion: Redesign the API to use fixed message templates on the backend instead of accepting arbitrary content from the client.

  • Arbitrary email content sending

    • Risk level: Medium

    • Risk description: The request parameters of this email sending API contain an email address and email content. An attacker could use this API to send malicious emails to any email address.

    • Suggestion: Redesign the API to use fixed email templates on the backend instead of accepting arbitrary content from the client.

  • SMS message verification code leak

    • Risk level: High

    • Risk description: The response of this SMS sending API appears to contain the verification code itself. An attacker could use this API to directly obtain the verification code, bypassing the security check.

    • Suggestion: Do not return the verification code to the client. The verification process should be completed on the backend.

  • Email verification code leak

    • Risk level: High

    • Risk description: The response of this email sending API appears to contain the verification code itself. An attacker could use this API to directly obtain the verification code, bypassing the security check.

    • Suggestion: Do not return the verification code to the client. The verification process should be completed on the backend.

  • Specified file download

    • Risk level: Medium

    • Risk description: A request parameter for this file download API contains a file path. An attacker could modify this parameter to download arbitrary files and steal important data.

    • Suggestion: Redesign the API to prevent downloads using full file paths. Strictly validate and filter parameter content to prevent path traversal attacks.

  • Application exception information leak

    • Risk level: Medium

    • Risk description: The response from this API contains application exception details. An attacker could use this information to learn about server application configurations and other sensitive details.

    • Suggestion: Improve the business exception handling mechanism. When an exception occurs, return a generic error message or redirect to a standard error page instead of leaking raw exception details.

  • Database exception information leak

    • Risk level: Medium

    • Risk description: The response from this API contains database exception details. An attacker could use this information to learn about database query statements and table structures, enabling attacks like SQL injection.

    • Suggestion: Optimize the business exception handling mechanism. When an exception occurs, return a generic error message or redirect to a standard error page instead of leaking raw database exception details.

Custom

Custom risk detection rule

  • Risk level: Custom level

  • Risk description: This API matched a custom risk detection rule that you configured.

  • Suggestion: The suggestion text that you entered in the policy configuration is displayed.
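As an added example that is not part of the WAF product, the Python below applies a handful of the risk rules listed above (insecure HTTP methods, credentials in the URL, a weak JWT signature algorithm, a logon error that reveals whether a username exists, and plaintext passwords or internal IP addresses in responses) to constructed request/response records. The query parameter names, the JWT algorithm allowlist and the internal address ranges are assumptions of this example.

```python
import base64
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist of JWT signature algorithms (an assumption of this example): RS256 is
# the algorithm the page recommends, the others are its asymmetric siblings.
STRONG_JWT_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                   "PS256", "PS384", "PS512"}
INSECURE_METHODS = {"PUT", "DELETE", "TRACE", "OPTIONS"}      # listed on the page
PASSWORD_PARAMS = {"password", "passwd", "pwd"}                # assumed parameter names
CREDENTIAL_PARAMS = {"token", "access_token", "api_key", "apikey", "sessionid"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in             # assumed "internal" ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_ENUM_RE = re.compile(r"user(?:name)? (?:does not exist|not found)|no such user", re.I)


def _jwt_alg(auth_header):
    """Return the alg claimed in a Bearer JWT's header, or None if there is no JWT."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[7:].split(".")
    if len(parts) != 3:
        return None
    padded = parts[0] + "=" * (-len(parts[0]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded)).get("alg")
    except (ValueError, AttributeError):
        return None


def _has_internal_ip(text):
    """True if any IPv4 literal in text falls inside an internal address range."""
    for literal in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:        # e.g. 999.1.1.1 matched the loose regex
            continue
        if any(addr in net for net in INTERNAL_NETS):
            return True
    return False


def assess(record):
    """Apply a subset of this page's risk rules to one request/response record
    and return (risk name, risk level) findings in rule order."""
    findings = []
    url = urlsplit(record["url"])
    params = {name.lower() for name in parse_qs(url.query)}
    body = record.get("resp_body", "")
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None
    if record["method"].upper() in INSECURE_METHODS:
        findings.append(("Insecure HTTP methods", "Low"))
    if params & PASSWORD_PARAMS:
        findings.append(("URL-based account password transmission", "Medium"))
    elif params & CREDENTIAL_PARAMS:
        findings.append(("URL-based credential transmission", "Medium"))
    alg = _jwt_alg(record.get("req_headers", {}).get("Authorization"))
    if alg is not None and alg not in STRONG_JWT_ALGS:
        findings.append(("Weak JWT signature algorithm", "Low"))
    if re.search(r"log[io]n", url.path, re.I) and USER_ENUM_RE.search(body):
        findings.append(("Unreasonable logon failure prompt", "Low"))
    if isinstance(parsed, dict) and parsed.get("password"):
        findings.append(("Return of plaintext password", "Low"))
    if _has_internal_ip(body):
        findings.append(("Internal IP address leak", "Medium"))
    return findings


def _unsigned_jwt():
    """Constructed sample token whose header claims alg=none, i.e. no signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'sub': 'demo'})}."


# Constructed records shaped like simplified WAF request/response log entries.
SAMPLE_RECORDS = [
    {"id": "r1", "method": "DELETE", "url": "/api/files/42",
     "req_headers": {}, "resp_body": '{"ok":true}'},
    {"id": "r2", "method": "GET", "url": "/api/orders?access_token=abc123&limit=10",
     "req_headers": {}, "resp_body": "[]"},
    {"id": "r3", "method": "POST", "url": "/api/login",
     "req_headers": {}, "resp_body": '{"error":"user does not exist"}'},
    {"id": "r4", "method": "GET", "url": "/api/me",
     "req_headers": {"Authorization": "Bearer " + _unsigned_jwt()},
     "resp_body": '{"user":"li","password":"hunter2","host":"10.0.3.15"}'},
    {"id": "r5", "method": "GET", "url": "/api/health",
     "req_headers": {}, "resp_body": '{"ok":true,"edge":"203.0.113.7"}'},
]


def run_all(records=SAMPLE_RECORDS):
    """Map record id -> findings for every record."""
    return {r["id"]: assess(r) for r in records}
```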

What types of anomalous activity can API security detect?

Baseline exception

  • Abnormally high-frequency access

    • Event description: The access frequency is significantly higher than the daily baseline for this API, which may indicate malicious activities such as API abuse or HTTP flood attacks.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. Additionally, configure a rate-limiting policy based on the API's daily rate baseline.

  • Access to internal API from unusual IP address

    • Event description: The source IP address does not match the API's daily access IP distribution baseline. This may indicate anomalous calling behavior.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You can also configure an IP whitelist policy based on the API's daily IP distribution baseline and block access from other IP addresses to ensure reasonable use of API resources.

  • Access to internal API from unusual location

    • Event description: The region of the IP address does not match the API's daily access region distribution baseline. This may indicate anomalous calling behavior.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You can also configure a location blacklist policy based on the API's daily region distribution baseline to ensure reasonable use of API resources.

  • Access using anomalous tools

    • Event description: The tool used for access does not match the API's daily access tool distribution baseline. This may indicate an anomalous call.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You can also configure an ACL access control policy or enable the Bot Management module based on the API's daily access tool distribution baseline to ensure reasonable use of API resources.

  • Access during unusual time period

    • Event description: The API was called during an anomalous time period, which may indicate an anomalous call.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist.

  • Access using abnormal parameter values

    • Event description: The format of request parameters does not match the daily characteristics of requests to this API, which may indicate anomalous calling or an attack.

    • Suggestion: Review sample request data and log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. If a web attack is confirmed, use the Core Web Protection module to protect the API and ensure reasonable use of API resources.

Account risk

  • Weak password-based logon to internal application

    • Event description: An IP address is suspected of using a weak password to log on to an internal application.

    • Suggestion: Check the log details to confirm if the logon was successful. For account services, enforce a stronger password policy. A strong password should typically include at least three of the following character types: uppercase letters, lowercase letters, digits, and symbols, and be at least 8 characters long. For existing accounts with weak passwords, notify users to change their passwords.

  • Brute-force attack against username

    • Event description: An IP address made multiple logon attempts using a relatively fixed password while constantly changing the username. This suggests a username brute-force attack.

    • Suggestion: Check log details to see if any attempts were successful. Change passwords regularly and ensure no weak passwords are used. For logon services, add a verification code to limit logon attempts or configure a rate-limiting policy to ensure reasonable use of the logon API.

  • Brute-force attack against password

    • Event description: An IP address made multiple logon attempts for a specific account while cycling through many different passwords. This is suspected to be a password brute-force attack.

    • Suggestion: Check log details to see if any attempts were successful. Change passwords regularly and ensure no weak passwords are used. For logon services, add a verification code to limit logon attempts or configure a rate-limiting policy to ensure reasonable use of the logon API.

  • Dictionary attack

    • Event description: An IP address made multiple logon attempts using many different usernames and passwords. This suggests a dictionary attack.

    • Suggestion: Check log details to see if any attempts were successful. Change passwords regularly and ensure no weak passwords are used. For logon services, add a verification code to limit logon attempts or configure a rate-limiting policy to ensure reasonable use of the logon API.

  • Brute-force attack against SMS message verification code

    • Event description: An IP address made multiple attempts to verify an SMS message code using many different codes. This is suspected to be a brute-force attack against the verification code.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You can also configure a rate-limiting policy based on the API's daily rate distribution baseline to ensure reasonable use of API resources.

  • Brute-force attack against email verification code

    • Event description: An IP address made multiple attempts to validate an email verification code using many different codes. This is suspected to be a brute-force attack against the verification code.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You can also configure a rate-limiting policy based on the API's daily rate distribution baseline to ensure reasonable use of API resources.

  • Batch registration

    • Event description: An IP address has made an unusual number of registration requests, which suggests a batch registration activity. This can lead to many spam accounts.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You can also configure a rate-limiting policy based on the API's daily rate distribution baseline to ensure reasonable use of API resources.
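The three brute-force patterns above differ only in which field is held fixed: the username brute-force keeps the password steady and varies the username, the password brute-force keeps the account steady and varies the password, and a dictionary attack varies both. The following Python is an added example, not part of the WAF product, that groups constructed logon records by source IP and labels each source with one of those event names; the attempt and cardinality thresholds are assumptions, and the records carry password fingerprints rather than passwords.

```python
import hashlib
from collections import defaultdict

MIN_ATTEMPTS = 10      # assumed: sources with fewer attempts are not reported
LOW_CARDINALITY = 2    # assumed: "relatively fixed" means at most this many distinct values


def fingerprint(secret):
    """Short hash so that the sample lines never carry a password in the clear."""
    return hashlib.sha256(secret.encode()).hexdigest()[:8]


def make_sample_lines():
    """Constructed logon records: '<source ip> <username> <password fingerprint> <result>'."""
    lines = []
    for i in range(12):    # one password tried against many usernames
        lines.append(f"192.0.2.10 user{i} {fingerprint('Spring2025!')} fail")
    for i in range(15):    # many passwords tried against one account; the last one succeeds
        result = "success" if i == 14 else "fail"
        lines.append(f"192.0.2.20 alice {fingerprint(f'guess{i}')} {result}")
    for i in range(11):    # many usernames, each with its own password
        lines.append(f"192.0.2.30 user{i} {fingerprint(f'list{i}')} fail")
    for i in range(3):     # a legitimate user mistyping a few times
        lines.append(f"192.0.2.40 bob {fingerprint(f'typo{i}')} fail")
    lines.append(f"192.0.2.40 bob {fingerprint('correct')} success")
    return lines


def classify_sources(lines):
    """Group logon attempts by source IP and label each source with the event type
    from this page. Returns {ip: (event name, whether any attempt succeeded)}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "pws": set(), "ok": False})
    for line in lines:
        ip, user, pw_fp, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["pws"].add(pw_fp)
        s["ok"] |= result == "success"
    events = {}
    for ip, s in stats.items():
        if s["attempts"] < MIN_ATTEMPTS:
            continue
        many_users = len(s["users"]) > LOW_CARDINALITY
        many_pws = len(s["pws"]) > LOW_CARDINALITY
        if many_users and many_pws:
            kind = "Dictionary attack"
        elif many_users:
            kind = "Brute-force attack against username"
        elif many_pws:
            kind = "Brute-force attack against password"
        else:
            continue   # repeated identical attempts are a matter for the rate-limit rules
        events[ip] = (kind, s["ok"])
    return events
```

The "succeeded" flag is what the page's suggestion asks you to check first in the log details before deciding on a blacklist or rate-limiting policy.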

API abuse

  • Malicious consumption of SMS resources

    • Event description: An IP address made multiple requests to send SMS messages. This suggests malicious consumption of SMS resources or use of the API for SMS flooding, which can cause business losses.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You should also limit the frequency of sending SMS to a single phone number and configure a rate-limiting policy based on the API's daily rate distribution baseline to ensure reasonable use of API resources.

  • Malicious consumption of email resources

    • Event description: An IP address made multiple requests to send emails, which is suspected to be a malicious attempt to consume email service resources or launch an email bombing attack. This could affect the stability of your email service.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You should also limit the frequency of sending emails to a single mailbox and configure a rate-limiting policy based on the API's daily rate distribution baseline to ensure reasonable use of API resources.

  • Batch download

    • Event description: An IP address has made an unusual number of data export or download requests, obtaining many files. This may pose a data leak risk.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. You can also configure a rate-limiting policy based on the API's daily rate distribution baseline to ensure reasonable use of API resources.

  • Data crawling

    • Event description: An IP address called the API multiple times while sequentially traversing parameter values (for example, incrementing an ID), which is suspected to be an attempt to crawl API data.

    • Suggestion: Investigate the log details to confirm the activity. For clearly malicious IP addresses, block them by configuring an IP blacklist. Increase the randomness of parameters based on your business needs. Avoid using simple and guessable parameter values, such as short numbers.

  • API attack

    • Event description: An IP address launched a web attack against the API. All attacks have been blocked by the web attack protection module.

    • Suggestion: Analyze the IP behavior using the log details. For clearly malicious IP addresses, block them by configuring an IP blacklist.
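The suggestions above repeat two defensive measures: derive a rate limit from the API's daily rate distribution baseline, and replace short, guessable parameter values so that data crawling by traversal stops working. The following added Python example (not Alibaba Cloud WAF code, and not the way the product computes its baseline) works through both over constructed access-log records. Its assumptions are the record format `(client_ip, api_path, id_param_value)`, the 99th nearest-rank percentile of historical per-IP daily counts as the baseline, and a run of at least 5 consecutive integer IDs as the traversal signal.

```python
"""Added example (not Alibaba Cloud WAF code): baseline-based rate checks and
parameter-traversal detection over constructed access-log records."""
import math
import secrets
from collections import defaultdict

# Constructed sample data. Each record is (client_ip, api_path, id_param_value).
API = "/api/v1/order"
# Per-IP daily call counts observed historically for this API (constructed).
HISTORICAL_DAILY_COUNTS = [12, 15, 9, 20, 18, 14, 11, 16, 13, 17]
RECORDS = (
    # Six calls walking consecutive order IDs: the "data crawling" pattern.
    [("203.0.113.7", API, str(1001 + i)) for i in range(6)]
    # 25 calls with unrelated IDs: volume above the daily baseline.
    + [("198.51.100.4", API, str((i * 37) % 101 + 1)) for i in range(25)]
    # A normal client, including one non-numeric value.
    + [("192.0.2.10", API, "42"), ("192.0.2.10", API, "abc"), ("192.0.2.10", API, "42")]
)


def percentile(values, p):
    """Nearest-rank percentile (p in (0, 100]) of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def daily_threshold(daily_counts, p=99):
    """Rate-limit threshold derived from the historical per-IP daily distribution.
    Assumption: the 99th percentile of observed daily counts is the baseline."""
    return percentile(daily_counts, p)


def calls_per_ip(records, api):
    """Number of calls to `api` per client IP."""
    counts = defaultdict(int)
    for ip, path, _ in records:
        if path == api:
            counts[ip] += 1
    return dict(counts)


def rate_anomalies(records, api, threshold):
    """(ip, count) pairs whose call count to `api` exceeds the baseline threshold."""
    return sorted((ip, n) for ip, n in calls_per_ip(records, api).items() if n > threshold)


def traversal_suspects(records, api, min_calls=5):
    """IPs that requested a run of consecutive integer IDs (at least min_calls distinct)."""
    seen = defaultdict(set)
    for ip, path, value in records:
        if path == api and value.isdigit():
            seen[ip].add(int(value))
    suspects = []
    for ip, ids in seen.items():
        ordered = sorted(ids)
        if len(ordered) >= min_calls and ordered == list(range(ordered[0], ordered[-1] + 1)):
            suspects.append(ip)
    return sorted(suspects)


def opaque_id():
    """Unguessable resource identifier, the alternative to short sequential numbers."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    limit = daily_threshold(HISTORICAL_DAILY_COUNTS)
    print("baseline threshold:", limit)
    print("rate anomalies:", rate_anomalies(RECORDS, API, limit))
    print("traversal suspects:", traversal_suspects(RECORDS, API))
    print("example opaque id:", opaque_id())
```

The two checks are independent on purpose: the crawling client stays well under the volume threshold (6 calls against a baseline of 20), so a rate limit alone would not catch it, while the high-volume client uses unrelated IDs and is caught only by the baseline. Switching identifiers to `opaque_id()` values removes the traversal option without any detection at all.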

Sensitive data leak

  • Unauthorized access to sensitive data

    • Event description: An IP address is suspected of making an unauthorized call to the API and has obtained sensitive data, which may pose a data leak risk.

    • Suggestion: Investigate the log details to confirm the activity. For important APIs, implement a strict and complete identity authentication and authorization mechanism to prevent unauthorized access and privilege escalation.

  • Mass sensitive data access

    • Event description: An IP address called the API and obtained an unusually large amount of sensitive data, which may pose a data leak risk.

    • Suggestion: Investigate the log details to confirm the activity. De-identify important sensitive data where possible and remove unnecessary data types from the response. Additionally, configure a rate-limiting policy for the API.

  • Mass sensitive data access by IP addresses outside your country

    • Event description: An IP address from outside your country called the API and obtained multiple pieces of sensitive data. This may pose data breach and data compliance risks.

    • Suggestion: Investigate the log details to confirm the activity. Cross-border transmission of sensitive data may pose compliance risks. If there is a genuine business need for this transfer, we recommend conducting a security assessment and completing any required declarations or filings.
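The "mass sensitive data access" suggestion asks for two things on the application side: de-identify sensitive values and drop data types the client does not need from the response. The following added Python example (not Alibaba Cloud WAF code, and not the product's sensitive-data classifier) shows both on a constructed response body. Its assumptions are the three constructed patterns (11-digit mobile numbers starting with 1, 18-character ID card numbers of 17 digits plus a digit or X, and 16-19 digit bank card numbers), the field names `phone`, `id_card` and `bank_card`, and the policy that ID card numbers are removed while phone and bank card numbers are masked to their last four characters.

```python
"""Added example (not Alibaba Cloud WAF code): spot sensitive data types in an API
response and de-identify the payload before it leaves the service."""
import json
import re

# Constructed patterns for the three data types named in the overview.
# Assumption: 11-digit mobile numbers starting with 1, 18-character ID card numbers
# (17 digits plus a digit or X), and 16-19 digit bank card numbers.
SENSITIVE_PATTERNS = {
    "phone": re.compile(r"\b1\d{10}\b"),
    "id_card": re.compile(r"\b\d{17}[\dX]\b"),
    "bank_card": re.compile(r"\b\d{16,19}\b"),
}

# Constructed response body, the kind of payload a "mass sensitive data access" event points at.
RAW_RESPONSE = {
    "user": {
        "name": "Alice",
        "phone": "13800138000",
        "id_card": "11010119900307001X",
        "bank_card": "6222020000000000123",
    },
    "orders": [{"id": 1, "phone": "13900139000"}],
}


def find_sensitive(text):
    """Map each sensitive type to the sorted values found in `text` (types with no hit omitted)."""
    found = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        hits = sorted(set(pattern.findall(text)))
        if hits:
            found[name] = hits
    return found


def scan_response(payload):
    """Serialize a response object and report the sensitive types it carries."""
    return find_sensitive(json.dumps(payload))


def mask(value, keep_last=4):
    """Replace all but the trailing characters with asterisks."""
    value = str(value)
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def deidentify(payload, drop_fields=("id_card",), mask_fields=("phone", "bank_card")):
    """Recursively remove fields the client does not need and mask the ones it does."""
    if isinstance(payload, dict):
        clean = {}
        for key, value in payload.items():
            if key in drop_fields:
                continue  # unnecessary data type: remove it from the response entirely
            if key in mask_fields:
                clean[key] = mask(value)
            else:
                clean[key] = deidentify(value, drop_fields, mask_fields)
        return clean
    if isinstance(payload, list):
        return [deidentify(item, drop_fields, mask_fields) for item in payload]
    return payload


if __name__ == "__main__":
    print("found in raw response:", scan_response(RAW_RESPONSE))
    safe = deidentify(RAW_RESPONSE)
    print("de-identified:", json.dumps(safe))
    print("found after de-identification:", scan_response(safe))
```

Running `scan_response` on the raw body reports all three types; after `deidentify` it reports none, which is the check to put into a response-side test so that a new endpoint cannot silently start returning the full values again. A rate-limiting policy on the API, the third part of the suggestion, is configured in WAF rather than in application code.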

Response exception

  • Return of error message

    • Event description: During an API call, the API returned an exception error message, which could leak important information such as application configurations.

    • Suggestion: Investigate the log details to confirm whether the API is functioning normally. Optimize your application's exception handling to return a generic error message or redirect to a specified page, instead of returning raw exception details.

  • Return of database error message

    • Event description: During an API call, the API returned a database error message, which could leak important information such as database query statements and table names.

    • Suggestion: Investigate the log details to confirm whether the API is functioning normally. Optimize your application's exception handling to return a generic error message or redirect to a specified page, instead of returning raw exception details.

  • Return of sensitive system information

    • Event description: During an API call, the API returned important sensitive server information, posing a data leak risk.

    • Suggestion: Investigate the log details to confirm whether the returned data is expected. Avoid returning such data directly to the client.

  • Abnormal response

    • Event description: During a series of API calls, the proportion of abnormal HTTP status codes in responses exceeded 80%, suggesting a possible issue with the origin server.

    • Suggestion: Investigate the log details and check your origin server logs to confirm whether the API is functioning normally.
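The four response exception events above come down to two checks and one fix: recognise response bodies that carry exception or database detail, watch the share of abnormal status codes in a series of calls, and change the exception handler so that only a generic message reaches the client. The following added Python example (not Alibaba Cloud WAF code, and not the product's detection logic) shows all three on constructed data. Its assumptions are the constructed signature strings used to tell database errors from generic stack traces, the treatment of 4xx and 5xx status codes as abnormal, and the sample exception text.

```python
"""Added example (not Alibaba Cloud WAF code): classify error responses that leak
exception or database detail, measure the abnormal-status ratio, and show a
leaky error handler next to a hardened one."""
import json
import uuid

# Constructed signatures. Assumption: these substrings are good enough to separate
# database errors from generic stack traces in this example.
DB_ERROR_SIGNATURES = ("SQLSTATE", "SQL syntax", "ORA-", "ProgrammingError",
                       "OperationalError", "pymysql", "psycopg2", "doesn't exist")
STACK_TRACE_SIGNATURES = ("Traceback (most recent call last)", "Exception in thread",
                          "\tat ", "at java.", "NullPointerException")

# Constructed exception of the kind a misconfigured ORM call would raise.
SAMPLE_EXC = RuntimeError(
    "pymysql.err.ProgrammingError: (1146, \"Table 'shop.orders' doesn't exist\")"
)


def classify_error_leak(body):
    """'database_error', 'stack_trace' or None for a response body string."""
    if any(sig in body for sig in DB_ERROR_SIGNATURES):
        return "database_error"
    if any(sig in body for sig in STACK_TRACE_SIGNATURES):
        return "stack_trace"
    return None


def abnormal_ratio(status_codes):
    """Share of responses with an abnormal status. Assumption: 4xx and 5xx are abnormal."""
    if not status_codes:
        return 0.0
    return sum(1 for code in status_codes if code >= 400) / len(status_codes)


def abnormal_response_event(status_codes, threshold=0.8):
    """True when the abnormal share exceeds the 80% trigger described for the event."""
    return abnormal_ratio(status_codes) > threshold


def leaky_error_response(exc):
    """'Before': the raw exception text is sent to the client (what the event flags)."""
    return 500, {"error": f"{type(exc).__name__}: {exc}"}


def safe_error_response(exc, correlation_id=None):
    """'After': generic message for the client, full detail only in the server log."""
    correlation_id = correlation_id or uuid.uuid4().hex
    server_log = f"[{correlation_id}] {type(exc).__name__}: {exc}"
    client_body = {"error": "An internal error occurred.", "ref": correlation_id}
    return 500, client_body, server_log


if __name__ == "__main__":
    _, body = leaky_error_response(SAMPLE_EXC)
    print("leaky handler ->", classify_error_leak(json.dumps(body)))
    _, body, log_line = safe_error_response(SAMPLE_EXC, "req-0001")
    print("safe handler  ->", classify_error_leak(json.dumps(body)), "| server log:", log_line)
    print("abnormal share:", abnormal_ratio([200, 500, 502, 503, 504]))
```

The correlation ID is what keeps the hardened handler debuggable: the client receives only the reference, and the operator looks the reference up in the server log to find the table name and query that must never appear in the response.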

Custom event

Custom event rule

  • Event description: The API call from this IP address matched a custom event detection policy that you configured.

  • Suggestion: The suggestion text that you entered when you configured the policy is displayed.

How does API security help enterprises reduce the risk of data leaks?

API security detects API vulnerabilities, reconstructs anomalous API events, and provides detailed suggestions for handling them.

  • API vulnerability: An enterprise might expose internal APIs (such as those for internal office use, development testing, or operational management) to the Internet. This can allow attackers to obtain sensitive data through the APIs.

  • Anomalous API event: These are behaviors that deviate from the normal baseline, occurring outside of predefined business requirements and access scenarios.

Cross-border data transfer

(For the Chinese mainland only) What are the standards for the declaration and filing of cross-border data transfers?

  • Declaration required (if any of the following conditions are met)

    • The cumulative number of people whose personal information was transferred abroad since January 1 of the previous year is greater than 100,000.

    • The cumulative number of people whose sensitive personal information was transferred abroad since January 1 of the previous year is greater than 10,000.

    • Data was transferred abroad since January 1 of the previous year, and the cumulative number of people whose personal information has been processed by your organization is greater than 1,000,000.

  • No declaration required

    • The cumulative number of people whose personal information was transferred abroad since January 1 of the previous year is less than 100,000.

    • The cumulative number of people whose sensitive personal information was transferred abroad since January 1 of the previous year is less than 10,000.

    • Data was transferred abroad since January 1 of the previous year, and the cumulative number of people whose personal information has been processed by your organization is less than 1,000,000.

Initially assess your API security posture

Before enabling API security, you can use the Basic Detection feature to assess your API security posture. This feature is enabled by default and free of charge on all WAF 3.0 instances. It performs offline analysis of WAF logs and provides a security event overview, asset overview, and a list of security events. The page displays statistics on API assets and anomalous events, and lists the 10 most recent anomalous API call events.

Note
  • The Basic Detection feature has a more limited detection capability than the paid API security service. The detection results may have discrepancies or delays.

  • The Basic Detection feature does not provide detailed data views.

  1. Go to the API Security page. From the top menu bar, select a resource group and region (Chinese Mainland or Outside Chinese Mainland).

  2. In the Basic Detection section, you can view the basic detection data.

    • Security event overview: Includes the total number of API security events, and the counts of high-risk, medium-risk, and low-risk events.

    • Assets overview: Includes the total number of API assets, active APIs, and inactive APIs.

    • Security events: View cards that show the event name, API path, domain name, attack source, and time of occurrence for each security event.

Enable the API security service

Important
  • API security performs all calculations and analyses offline. The service does not actively probe your APIs and has no impact on your business operations.

  • API security identifies data leak risks by detecting requests and responses that match specific characteristics. By enabling API security, you authorize WAF to perform these analyses. Before enabling, you must evaluate the service based on your actual business scenarios.

  1. Go to the API Security page. From the top menu bar, select a resource group and a region (Chinese Mainland or Outside Chinese Mainland).

  2. Enable API security.

    • Start a free trial of API security

      Note
      • The Pro, Enterprise, and Ultimate editions offer a one-time, 7-day free trial of API security.

      • After the trial ends, if you have not purchased the official version, the analysis data generated during the trial is immediately purged. To retain the trial data, purchase the official version of API security before the trial ends.

      On the API Security page, click Apply for 7-day Free PoC.

    • Purchase the official version of API security

      On the API Security page, click Enable Now. Select API security, then click Buy Now and complete the payment.

View the API security overview page

On the Overview tab of the API Security page, view the API Asset Trend, Risk Trend, Attack Trend, Risky Site Statistics, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types charts. The default statistical period is 30 days.

Supported query and filter operations

  • In the API Asset Trend, Risk Trend, and Attack Trend charts, click items in the chart legend, such as Total API Assets and Active APIs, to filter the data displayed in the chart.

  • In the Risky Site Statistics, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types tables, you can sort the displayed data in ascending or descending order. In the upper-right corner of each table, click More to view details on the corresponding tab.

Limitations

  • The API security feature is not available for protected objects added via Function Compute (FC). If you use Microservices Engine (MSE), the cloud-native gateway engine version must be 2.0.4 or later.

  • The subscription-based Basic Edition does not support API security.