Web Application Firewall--Rule Protection | JD Cloud Technical Team

1. What is a web application firewall?

A web application firewall (WAF) protects the security and compliance of the business traffic of websites and apps. It identifies malicious characteristics in business traffic, extracts and analyzes the malicious portion, handles it, and forwards only normal, safe traffic to the origin business server, protecting the website's core business and its data.

The product architecture diagram of JD Cloud Web Application Firewall is as follows:

2. Common detection methods for web attacks?

There are three common detection methods for web attacks: rule detection, AI detection, and semantic detection.

1. Rule detection: high efficiency and high recognition accuracy. Rules take the form of regular expressions, and attacks are detected by matching individual regular expressions or combinations of them. For example, the OWASP Top 10 security vulnerabilities have a corresponding rule set (the OWASP Top 10 rule set). Intercepting malicious attacks through rules has become the mainstream detection method among major vendors, and each major WAF vendor currently maintains its own set of security rules.

2. AI detection: detects web attacks through machine learning or deep learning algorithms and can detect unknown threats. Its disadvantages are low detection efficiency, so it is generally used for offline detection, and a relatively high false alarm rate that depends on the algorithm model, the training samples, and so on.

3. Semantic detection: detects attacks through syntactic and lexical analysis of SQL or XSS injection. Because of the characteristics of the algorithm, the false positive rate is high, so it is generally used to raise alarms rather than to directly intercept business requests.

3. Characteristics of users and business scenarios on public cloud

Users on the public cloud come from many industries, and their business scenarios are diverse and complex. For example, e-commerce and government cloud are common customers of the public cloud. A common rule set can effectively meet the protection needs of most users, but specific activity scenarios, such as coupon campaigns and other key scenarios, require customized protection rule sets to meet the protection needs of those special scenarios.

4. Solutions for polymorphic and complex business scenarios in the public cloud

1. Default rule group: Use a collection of rule groups to provide comprehensive security protection.

2. Rule group classification: Rule group levels are divided into loose, normal, and strict to meet the needs of different scenarios or the same scenario at different times.

3. Custom rule group: A customized defense strategy group for complex business scenarios with specific requirements. For example, a custom rule group specifically for SQL injection. When selecting rules, only select SQL injection rules.

4. False positive processing: whitelist the request characteristics that trigger false positives, or remove the false-positive rules from a custom rule group.

4.1 Default Rule Group

The web application attack protection engine is based on the built-in expert experience rule set to automatically defend the website against common web attacks such as SQL injection, XSS cross-site, webshell upload, command injection, backdoor isolation, illegal file requests, path traversal, and common application vulnerability attacks.

4.2 Rule group classification

Rule group levels are divided into loose, normal, and strict to meet the needs of different scenarios, or of the same scenario at different times.

For example, we set the rule group to the normal level in ordinary times, but during a special activity period we can upgrade the rule group to the strict level to block more attack risks.

Normal level: detects common web application attacks (selected by default).

Strict level: recommended when you need stricter protection against path traversal, SQL injection, and command execution.

Loose level: choose this level when you find many false interceptions, or when the business accepts many uncontrollable user inputs.

4.3 Custom rule group

Customized defense strategy groups are designed for complex business scenarios with specific requirements. For example, a custom rule group specifically for SQL injection would, when selecting rules, include only the SQL injection rules.

For example: select a rule group template, then delete rules from the template or add new rules to the rule group.

(Screenshot: the custom rule group editor lists the selected security rules alongside the security rules not yet added.)

4.4 Solve business false alarms

4.4.1 Custom rule group

Solve false positives by removing the rules that produce them from a custom rule group.

4.4.2 Whitelisting

Whitelist the false-positive traffic based on its request characteristics. Whitelisted traffic bypasses the WAF, which resolves the false positive.
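The rule-group model of sections 2 through 4.4 (regex rules, the loose/normal/strict levels, a custom group that selects only one category, and both false-positive remedies), as an added illustration that is not JD Cloud's code; the rule ids, patterns, and level assignments are constructed assumptions:

```python
import re
from dataclasses import dataclass

LEVELS = {"loose": 0, "normal": 1, "strict": 2}  # ordering of the three rule group levels


@dataclass(frozen=True)
class Rule:
    rule_id: str    # assumed identifier (not a JD Cloud rule id)
    category: str   # attack class the rule belongs to, e.g. "sqli", "xss", "traversal"
    pattern: str    # regular expression applied to each request parameter value
    level: str      # lowest group level at which the rule is active


# Constructed, deliberately tiny built-in rule set; real WAF rule sets hold thousands of rules.
BUILTIN_RULES = [
    Rule("sqli-001", "sqli", r"(?i)\bunion\b.+\bselect\b", "loose"),
    Rule("sqli-002", "sqli", r"(?i)'\s*or\s+\d+\s*=\s*\d+", "normal"),
    Rule("sqli-003", "sqli", r"(?i)\b(sleep|benchmark)\s*\(", "strict"),
    Rule("xss-001", "xss", r"(?i)<\s*script\b", "loose"),
    Rule("trav-001", "traversal", r"\.\./", "normal"),
]


def default_group(level):
    """Default rule group at a level: every built-in rule active at or below that level."""
    return [r for r in BUILTIN_RULES if LEVELS[r.level] <= LEVELS[level]]


def custom_group(categories, exclude=frozenset()):
    """Custom rule group: only the selected categories, minus rules removed as false positives."""
    return [r for r in BUILTIN_RULES if r.category in categories and r.rule_id not in exclude]


def inspect(request, rules, whitelist=frozenset()):
    """Return the ids of rules matched by a request's parameters, in rule order.

    `whitelist` holds (path, parameter) pairs: a whitelisted request characteristic
    bypasses the rules entirely, which is the second false-positive remedy above.
    """
    hits = []
    for name, value in request["params"].items():
        if (request["path"], name) in whitelist:
            continue
        hits.extend(r.rule_id for r in rules if re.search(r.pattern, value))
    return hits
```

A request is evaluated against whichever group is attached to the site, so the same request can be clean under the loose group and blocked under the normal group.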

5. Main features of JD Cloud WAF rule detection engine

1. Comprehensive real-time detection of HTTP packets, including traffic that spans multiple packets, with no omissions;

2. Adaptive content parsing: Adaptively parses JSON, XML, Multipart and other data formats to improve detection accuracy;

3. Adaptive decoding: including URL, HTML, Base64, Unicode, hexadecimal, binary and other format decoding to improve the recall rate of detection;

4. Supports protection against HPP (HTTP parameter pollution) and dependency injection attacks, and adaptive handling of SQL and XSS comments.
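Features 3 and 4 above (adaptive decoding to raise recall, and HPP-aware parameter handling), as an added illustration that is not JD Cloud's engine; the SQL injection regex and the decoding heuristics are constructed assumptions, simplified to URL, HTML-entity, and base64 decoding:

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote_plus

MAX_ROUNDS = 3  # bound on nested decoding so a request cannot make the engine loop indefinitely
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # crude "looks like base64" test (simplified)
# Assumed rule, written as a WAF regex rule would be; it is not JD Cloud's rule.
SQLI_RULE = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+)")


def decode_once(value):
    """One adaptive round: URL and HTML-entity decoding, then base64 if nothing else changed."""
    out = html.unescape(unquote_plus(value))
    if out == value and B64_RE.match(value):
        try:
            text = base64.b64decode(value, validate=True).decode("utf-8")
            if text.isprintable():  # reject binary noise that merely looks like base64
                out = text
        except (binascii.Error, UnicodeDecodeError):
            pass
    return out


def normalize(value):
    """Decode repeatedly until the value stops changing or MAX_ROUNDS is reached."""
    for _ in range(MAX_ROUNDS):
        decoded = decode_once(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_params(query):
    """Split a raw query string, keeping every occurrence of a repeated name (HPP) undecoded."""
    params = {}
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        params.setdefault(name, []).append(raw)
    return params


def detect(query):
    """Map each parameter to the views in which the rule fired: each decoded value and the HPP join."""
    findings = {}
    for name, values in parse_params(query).items():
        decoded = [normalize(v) for v in values]
        views = {f"value[{i}]": v for i, v in enumerate(decoded)}
        if len(decoded) > 1:
            views["hpp-joined"] = ",".join(decoded)  # many back ends concatenate repeated parameters
        findings[name] = [k for k, v in views.items() if SQLI_RULE.search(v)]
    return findings
```

Without the decoding rounds, a double-URL-encoded or entity-encoded value never reaches the regex in the form the rule expects; without the joined view, a payload split across repeated parameters is only visible in the form the back end reconstructs.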

Author: JD Technology Fan Pengfei

Source: JD Cloud Developer Community. Please indicate the source when reprinting.

Origin my.oschina.net/u/4090830/blog/10108437