Web Application Firewall (WAF) provides the asset discovery feature. This feature
identifies domain names in and outside the cloud and calculates the security scores
of the domain names. This feature helps you monitor the overall situation of all domain
names. You can enable protection for the domain names that have low security scores.
This improves the overall security of your business system.
Prerequisites
A WAF instance that resides in mainland China is purchased. For more information,
see Purchase a WAF instance.
Notice: Only WAF instances that reside in mainland China support the asset discovery feature.
Background information
Network application assets are the most important carrier of network applications
in a security management system and are the most fundamental components in a business
system. As enterprise business rapidly develops, more business systems are used. A
single enterprise may have multiple business systems, and employees may forget to
release resources after they build websites or test environments. As a result, business
systems may contain unmanaged zombie assets. The most vulnerable part of a business
system determines the overall security of the system. In most cases, zombie assets
use outdated versions of open source systems, components, or web frameworks, which
have common vulnerabilities. Attackers can exploit these vulnerabilities to invade
the internal network of an enterprise.
The asset discovery feature can obtain the configurations of Alibaba Cloud services,
such as Domains, SSL Certificates Service, and Alibaba Cloud DNS. Then, the feature,
together with big data-enabled correlation analysis, can identify domain names in
and outside the cloud based on the obtained configurations. This way, you can monitor
the overall situation of all the domain names and make sure that all domain names
are protected. The asset discovery feature calculates the security scores of domain
names based on threat intelligence and the default attack detection capability of
Alibaba Cloud. This way, you can identify the domain names that are vulnerable to
attacks. Then, you can add the domain names to WAF to prevent attacks.
Note: The asset discovery feature can identify domain names from Alibaba Cloud and third-party
providers. The domain names from third-party providers include the domain names of
servers from third-party providers and the domain names of servers that are deployed
in data centers.
View domain names
- Log on to the Web Application Firewall console.
- In the top navigation bar, select Mainland China.
Notice: Only WAF instances that reside in mainland China support the asset discovery feature.
- In the left-side navigation pane, choose .
- Authorize WAF to access cloud resources.
Before you can use the asset discovery feature of WAF, you must authorize WAF to obtain
the website information from cloud services in your Alibaba Cloud account. You must
also authorize WAF to manage the Domain Name System (DNS) records of the domain names
that are hosted in Alibaba Cloud DNS. Alibaba Cloud automatically creates the AliyunServiceRoleForWAF
service-linked role. This role allows WAF to access cloud resources. You need to perform
authorization only once.
If you have performed authorization, skip this step.
- Click Authorized activation.

- In the Tips message, click OK.

After you click OK, Alibaba Cloud automatically creates the AliyunServiceRoleForWAF
service-linked role. To view the service-linked role, log on to the RAM console and
choose in the left-side navigation pane. After Alibaba Cloud creates the service-linked
role AliyunServiceRoleForWAF, your WAF instance can access the associated cloud resources,
such as ECS instances, ALB and CLB instances of SLB, Alibaba Cloud DNS, Alibaba Cloud CDN,
SSL Certificates Service, and Log Service.

After WAF is authorized to access cloud resources, WAF automatically discovers domain
names in your Alibaba Cloud account and displays the domain names on the Asset Discovery page.
- On the Asset Discovery page, view the domain names that are discovered by WAF.

WAF aggregates the domain names based on the second-level domain names and displays
the aggregated domain names in a list. You can perform the following operations to
view domain names:
- Specify a protection state above the list of domain names to search for domain names.
Unprotected, Partial Protection, and Protected are supported.

- Enter a keyword in the search box above the list of domain names to search for domain
names. Fuzzy match is supported.
- In the list of domain names, click the icon to the right of a second-level domain name
to show all subdomains that belong to the second-level domain name. Then, you can view
the asset information about each subdomain. Example of a second-level domain name:
example.com. Example of a subdomain: www.example.com.
The following table describes the information of each domain name.
| Parameter | Description |
| --- | --- |
| Domain Name | The domain name of the website. |
| Server IP | The IP address and CNAME of the origin server. |
| Port | The port that is used by the origin server. |
| Protocol | The protocol that is used by the origin server. HTTP and HTTPS are supported. |
| Fingerprint | The fingerprint of the origin server. The fingerprint contains the following information: programming language, such as Java, PHP, or ASP; middleware, such as NGINX, Apache, or Tomcat; open source or commercial application, such as WordPress, DedeCMS, or Discuz!; development framework, such as ThinkPHP or Django; component, such as Apache Shiro or Apereo CAS. |
| Security Score | The security score of the domain name. The score is a weighted security score, which is calculated based on the trend of attacks in the cloud within the last 30 days and threat intelligence. A lower security score indicates a higher risk. If your domain name has a low security score, we recommend that you add your domain name to WAF at the earliest opportunity. |
| Protection Status | Indicates whether the domain name is protected by WAF. Valid values: Unprotected: The domain name is not added to WAF. In this case, we recommend that you enable protection for the domain name. For more information, see Enable protection for a domain name. Partial Protection: This state is available only for wildcard domain names, such as *.example.com. In this state, some domain names that belong to a wildcard domain name are protected by WAF. In this case, we recommend that you add the unprotected domain names that belong to the wildcard domain name to WAF at the earliest opportunity. Protected: The domain name is protected by WAF. WAF detects the traffic that is destined for the domain name and protects the domain name. You can view the asset details of the domain name. For more information, see View asset details. |
Enable protection for a domain name
If a domain name in the asset list is in the Unprotected state and the domain name belongs to your Alibaba Cloud account, you can click Add for Protection in the Operation column to add the domain name to WAF for protection. To check whether the domain
name belongs to your Alibaba Cloud account, log on to the Domains console and check whether the domain name is displayed on the Domain Name List page. If the domain name is displayed on the page, the domain name belongs to your
Alibaba Cloud account.
Note: If the "The wildcard domain is used by another user." message appears when you add
a domain name, the wildcard domain name to which the domain name belongs is added to WAF
by using another Alibaba Cloud account. You do not need to add the domain name. For
example, the domain name www.example.com belongs to the wildcard domain name *.example.com.
If the wildcard domain name *.example.com is added to WAF, you do not need to add the
domain name www.example.com to WAF.
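The wildcard coverage rule and the three protection states can be reproduced offline to reconcile your own DNS inventory against the names onboarded to WAF. The following is an added example, not Alibaba Cloud code; it assumes that a wildcard entry covers every name below it, that the last two labels form the second-level domain, and it borrows the page's state names as roll-up labels per second-level domain.

```python
from collections import defaultdict

def second_level(host):
    """Aggregation key: last two labels (assumption: no multi-label public suffix)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_covered(host, onboarded):
    """True if host is onboarded exactly or falls under an onboarded wildcard."""
    host = host.lower().rstrip(".")
    for entry in onboarded:
        entry = entry.lower()
        if entry == host:
            return True
        # "*.example.com" -> ".example.com"; the bare apex is NOT covered.
        if entry.startswith("*.") and host.endswith(entry[1:]):
            return True
    return False

def protection_report(discovered, onboarded):
    """Map each second-level domain to (state, sorted list of uncovered hosts)."""
    groups = defaultdict(list)
    for host in discovered:
        groups[second_level(host)].append(host)
    report = {}
    for apex, hosts in groups.items():
        missing = sorted(h for h in hosts if not is_covered(h, onboarded))
        if not missing:
            state = "Protected"
        elif len(missing) == len(hosts):
            state = "Unprotected"
        else:
            state = "Partial Protection"
        report[apex] = (state, missing)
    return report

# Constructed sample inventory and WAF domain list (not real assets).
DISCOVERED = ["www.example.com", "test.example.com", "shop.example.org",
              "old.example.org", "blog.example.net"]
ONBOARDED = ["*.example.com", "shop.example.org"]

if __name__ == "__main__":
    for apex, (state, missing) in protection_report(DISCOVERED, ONBOARDED).items():
        print(apex, state, missing)
```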
View asset details
If a domain name is in the Protected state, you can click Asset Details in the Operation column to view the details about the domain name.

The asset details page contains the following sections:
- General Information: This section displays Domain Name, Protocol, Protection Status, and Server IP.
- URL Tree:
WAF analyzes and classifies the URLs of protected domain names based on the amount
and characteristics of traffic collected by WAF. The URLs and parameters in the URLs
are aggregated based on data normalization. For example, WAF aggregates the URLs of
the following news sites to a URL in the /{Characters+Digits}.html format:
- /news1234.html
- /oldnews1223.html
- /news1224.html
- /news124.html
In the URL Tree section, you can view the aggregation results. The results include the
URLs, the parameters in each URL, the value type of each parameter, and the number of
times that each URL is requested within the last day.
Note: Only the paths in URLs in the site tree are displayed. By default, a maximum path
depth of three is allowed in the displayed URLs. The URLs are sorted in descending
order of request frequency.
In this section, you can perform the following operations:
- To search for URLs, select URL or File Extension from the drop-down list. Then, enter a keyword and click Search.
- In the URL column, click the URL for which the icon is displayed to show the information about the URL.
- In the Parameter|Data Type column, view the names and value types of the parameters that are specified in a
URL.
Note: The parameter information is aggregated. By default, the names and value types of
only three parameters are displayed. You can move the pointer over the icon in the
lower-right corner to view all the parameters.
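The URL Tree aggregation described above can be approximated on your own access logs to see how normalization collapses per-article URLs into one entry. This is an added example, not WAF's implementation; the rule of keeping plain-word segments literal, the labels other than {Characters+Digits}, and the value type names are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

MAX_DEPTH = 3  # the page states a default maximum path depth of three

def normalize_segment(seg):
    """Replace the variable part of one path segment with a class label."""
    stem, dot, ext = seg.rpartition(".")
    if not dot:                        # no file extension in this segment
        stem, ext = seg, ""
    if re.fullmatch(r"[A-Za-z_-]+", stem):
        label = stem                   # assumed: plain words are routes, keep literal
    elif re.fullmatch(r"[0-9]+", stem):
        label = "{Digits}"             # assumed label
    elif re.fullmatch(r"[A-Za-z0-9]+", stem):
        label = "{Characters+Digits}"  # label used on the page
    else:
        label = "{Mixed}"              # assumed label
    return label + dot + ext

def value_type(value):
    """Coarse value type for a query parameter (type names are assumed)."""
    if re.fullmatch(r"-?[0-9]+", value):
        return "int"
    if re.fullmatch(r"[A-Za-z]+", value):
        return "alpha"
    return "string"

def build_url_tree(requests):
    """Return [(normalized_url, hits, {param: [types]})], most requested first."""
    hits, params = Counter(), defaultdict(dict)
    for raw in requests:
        parts = urlsplit(raw)
        segs = [s for s in parts.path.split("/") if s][:MAX_DEPTH]
        key = "/" + "/".join(normalize_segment(s) for s in segs)
        hits[key] += 1
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            params[key].setdefault(name, set()).add(value_type(value))
    return [(url, n, {k: sorted(v) for k, v in params[url].items()})
            for url, n in hits.most_common()]

# Constructed sample request lines (not real traffic).
SAMPLE = ["/news1234.html", "/oldnews1223.html", "/news1224.html", "/news124.html",
          "/api/user/42?id=42&lang=en", "/api/user/7?id=7", "/index.html"]

if __name__ == "__main__":
    for row in build_url_tree(SAMPLE):
        print(row)
```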