This document describes how to configure protection rules in Web Application Firewall (WAF) to defend against web attacks.
Overview
WAF uses a regex-based rule protection engine and a machine learning-based AI protection engine to defend against web vulnerabilities and unknown threats.
WAF's rule protection engine provides expert rule sets based on Tencent Security's accumulated web threat intelligence to automatically prevent OWASP top 10 attacks. Currently, it can defend against 17 categories of common web attacks, such as SQL injections, XSS attacks, malicious scanning, command injection attacks, web application vulnerabilities, WebShell uploads, non-compliant protocols, and trojans.
WAF's rule protection engine supports rule level configuration. You can set the rule protection level according to your actual business needs and enable or disable rule sets, individual rules, and preset rules. You can also use the allowlist of specified URLs and rule IDs to process false positives.
Directions
Viewing the rule category
1. Log in to the WAF console and select Service Management > Web Rule Library on the left sidebar.
2. On the Protection rules tab, you can view the descriptions and rule updates of the attack categories that WAF currently can defend against.
Attack categories that WAF currently can defend against include:
Attack Category
Attack Description
SQL injection attack
In the implementation of websites, the input parameters are not strictly filtered, resulting in the unauthorized acquisition of SQL database content.
XSS attack
XSS vulnerabilities occur when the application's new webpage contains untrusted data or data that is not properly validated or escaped, or when an existing webpage is updated using a browser API that can create HTML or JavaScript. XSS enables attackers to execute scripts in victims' browsers, hijack user sessions, destroy websites, or redirect users to malicious sites.
Malicious scanning
WAF can detect whether the website has been maliciously scanned.
Unauthorized access to core files
WAF can detect whether certain configuration files, database files, and parameter data are downloadable at will.
Open-source component vulnerability exploiting
Attacks caused by vulnerabilities in common open-source web components.
Command injection attack
This is a type of injection attacks, such as shell command injections, PHP code injections, and Java code injections, which can cause websites to execute the injected code if successfully exploited by attackers.
Web application vulnerability exploiting
Web application security (security of Java, ActiveX, PHP, and ASP code running on the web server).
XXE attack
If the XML processor has external entity references in the XML file, attackers can use external entities to steal internal files and shared files that use the URI file processor, monitor internal scanning ports, execute remote code, and implement denial of service attacks.
Trojan horse attack
WAF can detect the communication with the control terminal during or after trojan upload.
File upload attack
After a malicious script disguised as a file with a normal extension is uploaded, attackers can execute it through the local file inclusion vulnerability.
Other vulnerability exploiting
Attacks caused by the security configuration or vulnerabilities of the web server itself and other software.
Non-compliant protocol
Exceptions with HTTP protocol and header parameters.
3. You can view the rule updates on the right of the Protection rules tab. For more security notifications, please see Security Advisory.
Rule management
1. Log in to the WAF console and select Configuration Center > Basic Security on the left sidebar.
2. On the page that appears, click Web security. On the Rule engine tab, you can enable individual rules based on domain names. All rules are enabled by default.
3. You can search in the rule set by specifying the rule level, defense level, rule ID, attack category, or CVE number to view specific rules and perform operations.
Note:
The level "Strict" covers rules of the level "Normal" and "Loose", and "Normal" covers "Loose".
Rule allowlist and false positive processing
1. Log in to the WAF console and select Configuration Center > Basic Security on the left sidebar.
2. On the basic security page, click Web security. On the "Rule engine" tab, you can add domain name URLs and rule IDs to the allowlist and process false positives.
3. On the Rule engine tab, select the target rule, click Add to allowlist, and the custom rule adding window will pop up.
4. In the pop-up window, configure relevant parameters and click OK.
Field description
Rule ID: ID of the rule that needs to be allowed. You can add one rule ID for each policy.
Match method: Match method of the URL to be allowed. You can select "Exact match" (default value), "Prefix match", or "Suffix match".
URL: URL path to be allowed. The URL must be unique under one domain name.
Enable allowlist: It controls whether to enable allowlist, which is disabled by default.
5. After the allowlist is configured, click View allowlist to view the allowed rules and perform relevant operations.
Field description:
Rule ID: ID of the rule added to the allowlist, which can be obtained through attack logs or rule management.
Match method: Match method of the URL to be allowed. You can select "Exact match" (default value), "Prefix match", or "Suffix match".
URL: URL path to be allowed. The URL must be unique under one domain name.
Enable allowlist: It controls whether to enable allowlist.
Last modified: The last time the rule was added or modified.
Operation: It allows you to edit or delete a rule.
Click Edit, modify relevant parameters, and click OK.
