- What's New
- Function Overview
-
Product Bulletin
- Java Spring Framework Remote Code Execution Vulnerability
- Apache Dubbo Deserialization Vulnerability
- DoS Vulnerability in the Open-Source Component Fastjson
- Remote Code Execution Vulnerability of Fastjson
- Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
- Service Overview
- Billing
- Getting Started
-
User Guide
- Creating a User Group and Granting Permissions
- Buying WAF
- Connecting a Website to WAF
- Viewing Protection Events
-
Configuring Protection Policies
- Protection Configuration Overview
- Configuring Basic Web Protection to Defend Against Common Web Attacks
- Configuring CC Attack Protection Rules to Defend Against CC Attacks
- Configuring Custom Precise Protection Rules
- Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
- Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
- Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
- Configuring Anti-Crawler Rules
- Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage
- Configuring a Global Protection Whitelist Rule to Ignore False Alarms
- Configuring Data Masking Rules to Prevent Privacy Information Leakage
- Creating a Reference Table to Configure Protection Metrics in Batches
- Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration
- Condition Field Description
- Application Types WAF Can Protect
- Viewing the Dashboard Page
- Website Settings
- Policy Management
- Object Management
- System Management
- Permissions Management
- Monitoring and Auditing
-
Best Practices
- Website Access Configuration
- Website Protection Configuration Suggestions
-
Mitigating Web Security Vulnerabilities
- Java Spring Framework Remote Code Execution Vulnerability
- Apache Dubbo Deserialization Vulnerability
- DoS Vulnerability in the Open-Source Component Fastjson
- Remote Code Execution Vulnerability of Fastjson
- Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
- Defending Against Challenge Collapsar (CC) Attacks
- Using WAF to Block Crawler Attacks
- Verifying a Global Protection Whitelist Rule by Simulating Requests with Postman
- Combining WAF and HSS to Improve Web Page Tampering Protection
- Configuring Origin Server Security
- Obtaining the Real Client IP Addresses
-
API Reference
- Before You Start
- API Overview
- API Calling
-
APIs
-
Managing Websites Protected by Dedicated WAF Engines
- Querying the List of Domain Names Protected by Dedicated WAF Instances
- Adding a Domain Name to a Dedicated WAF Instance
- Modifying a Domain Name Protected by a Dedicated WAF Instance
- Querying Domain Name Settings in Dedicated Mode
- Deleting a Domain Name from a Dedicated WAF Instance
- Modifying the Protection Status of a Domain Name in Dedicated Mode
-
Rule Management
- Changing the Status of a Rule
- Querying CC Attack Protection Rules
- Creating a CC Attack Protection Rule
- Querying a CC Attack Protection Rule by ID
- Updating a CC Attack Protection Rule
- Deleting a CC Attack Protection Rule
- Querying the List of Precise Protection Rules
- Creating a precise protection rule
- Querying a Precise Protection Rule by ID
- Updating a precise protection rule
- Deleting a precise protection rule
- Creating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Querying the List of Global Protection Whitelist (Formerly False Alarm Masking) Rules
- Updating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Deleting a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Querying the Blacklist and Whitelist Rule List
- Creating a Blacklist/Whitelist Rule
- Querying a blacklist or whitelist rule
- Updating a Blacklist or Whitelist Protection Rule
- Querying Global Protection Whitelist (Formerly False Alarm Masking) Rules
- Deleting a Blacklist or Whitelist Rule
- Querying the JavaScript Anti-Crawler Rule List
- Updating a JavaScript Anti-Crawler Protection Rule
- Creating a JavaScript Anti-Crawler Rule
- Querying a JavaScript Anti-Crawler Rule
- Updating a JavaScript Anti-Crawler Rule
- Deleting a JavaScript Anti-Crawler Rule
- Querying the list of Data Masking Rules.
- Creating a Data Masking Rule
- Querying a Data Masking Rule
- Updating a Data Masking Rule
- Deleting a Data Masking Rule
- Querying the List of Known Attack Source Rules
- Creating a Known Attack Source Rule
- Querying a Known Attack Source Rule by ID
- Updating a Known Attack Source Rule
- Deleting a Known Attack Source Rule
- Querying the List of Geolocation Access Control Rules
- Creating a Geolocation Access Control Rule
- Querying a Geolocation Access Control Rule by ID.
- Updating a Geolocation Access Control Rule
- Deleting a Geolocation Access Control Rule
- Querying the List of Web Tamper Protection Rules
- Creating a Web Tamper Protection Rule
- Querying a Web Tamper Protection Rule
- Deleting a Web Tamper Protection Rule
- Updating the Cache for a Web Tamper Protection Rule
- Querying the List of Information Leakage Prevention Rules
- Creating an Information Leakage Prevention Rule
- Querying an Information Leakage Prevention Rule
- Updating an Information Leakage Prevention Rule
- Deleting an Information Leakage Prevention Rule
- Querying the Reference Table List
- Creating a Reference Table
- Querying a Reference Table
- Modifying a Reference Table
- Deleting a Reference Table
- Address Group Management
- Certificate Management
- Event Management
- Dashboard
- Dedicated Instance Management
- Log Reporting
- Managing Your Subscriptions
- System Management
- Alarm Management
-
Protected Website Management in Cloud Mode
- Querying the List of Domain Names Protected in Cloud Mode
- Adding a Domain Name to the Cloud WAF
- Querying Details About a Domain Name by Domain Name ID in Cloud Mode
- Updating Configurations of Domain Names Protected with Cloud WAF
- Deleting a Domain Name from the Cloud WAF
- Changing the Protection Status of a Domain Name
- Querying the Domain Name of a Tenant
- Policy management
-
Managing Websites Protected by Dedicated WAF Engines
- Appendix
- Change History
- SDK Reference
-
FAQs
-
About WAF
- WAF Basics
- Can WAF Protect an IP Address?
- What Objects Does WAF Protect?
- Does WAF Block Customized POST Requests?
- What Are the Differences Between the Web Tamper Protection Functions of WAF and HSS?
- Which Web Service Framework Protocols Does WAF Support?
- Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?
- What Are the Differences Between WAF Forwarding and Nginx Forwarding?
- What Are the Differences Between WAF and CFW?
- Can I Configure Session Cookies in WAF?
- How Does WAF Detect SQL Injection, XSS, and PHP Injection Attacks?
- Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)?
- Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website?
- What Are the Restrictions on Using WAF in Enterprise Projects?
- Will Traffic Be Permitted After WAF Is Switched to the Bypassed Mode?
- What Are Local File Inclusion and Remote File Inclusion?
- What Is the Difference Between QPS and the Number of Requests?
- Does WAF Support Custom Authorization Policies?
- Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field?
- Can I Switch Between the WAF Cloud Mode and Dedicated Mode?
- What Are Regions and AZs?
- Can I Use WAF Across Regions?
-
About Purchase and Specifications Change
- What Are the Differences Between the Permissions of an Account and Those of IAM Users?
- Can I Share My WAF with Other Accounts?
- How Does WAF Calculate Domain Name Quota Usage?
- Can I Add More Protection Rules?
- What Can I Do If the Website Traffic Exceeds the WAF Service Request Limit?
- What Are the Impacts When QPS Exceeds the Allowed Peak Rate?
- Can I Change WAF Specifications During Renewal?
- Where and When Can I Buy a Domain, QPS, or Rule Expansion Package?
- How Do I Select Service QPS When Purchasing WAF?
- Is Service QPS Calculated Based on Incoming Traffic or Outgoing Traffic?
- Does WAF Have a Limit on the Protection Bandwidth or Shared Bandwidth?
- Where Can I View the Inbound and Outbound Bandwidths of a Protected Website?
-
Website Connect Issues
- How Do I Configure Domain Names to Be Protected When Adding Domain Names?
- Do I Have to Configure the Same Port as That of the Origin Server When Adding a Website to WAF?
- How Do I Whitelist Back-to-Source IP Addresses of Cloud WAF?
- What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?
- Does WAF Support Wildcard Domain Names?
- How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF?
- What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?
- Why Am I Seeing That My Domain Quota Is Insufficient When There Is Still Remaining Quota?
- Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message?
- Why Cannot I Select a Client Protocol When Adding a Domain Name?
- Can I Set the Origin Server Address to a CNAME Record If I Use Cloud WAF?
- How Do I Verify Domain Ownership Using Huawei Cloud DNS?
- What Are Impacts If No Subdomain Name and TXT Record Are Configured?
- Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?
- How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?
-
Protection Rules
- Which Protection Levels Can Be Set for Basic Web Protection?
- What Is the Peak Rate of CC Attack Protection?
- When Is Cookie Used to Identify Users?
- What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?
- Why Cannot the Verification Code Be Refreshed When Verification Code Is Configured in a CC Attack Protection Rule?
- Can I Batch Add IP Addresses to a Blacklist or Whitelist Rule?
- Can I Import or Export a Blacklist or Whitelist into or from WAF?
- Why Does a Requested Page Fail to Respond to the Client After the JavaScript-based Anti-Crawler Is Enabled?
- Is There Any Impact on Website Loading Speed If Other Crawler Check in Anti-Crawler Is Enabled?
- How Does JavaScript Anti-Crawler Detection Work?
- In Which Situations Will the WAF Policies Fail?
- How Do I Allow Requests from Only IP Addresses in a Specified Geographical Region?
- How Do I Allow Only Specified IP Addresses to Access Protected Websites?
- Which Protection Rules Are Included in the System-Generated Policy?
- Why Does the Page Fail to Be Refreshed After WTP Is Enabled?
- What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses?
- What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
- Certificate Management
-
Protection Event Logs
- Can I Obtain WAF Logs Using APIs?
- What Does "Mismatch" for "Protective Action" Mean in the Event List?
- How Does WAF Obtain the Real Client IP Address for a Request?
- How Long Can WAF Protection Logs Be Stored?
- Can I Query Protection Events of a Batch of Specified IP Addresses at Once?
- Will WAF Record Unblocked Events?
- Why Is the Traffic Statistics on WAF Inconsistent with That on the Origin Server?
- Why Is the Number of Logs on the Dashboard Page Inconsistent with That on the Configure Logs Tab?
- Why Is My Domain Name or IP Address Inaccessible?
- How Do I Fix an Incomplete Certificate Chain?
-
About WAF
-
Troubleshooting
- Troubleshooting Website Connection Exceptions
-
Troubleshooting Certificate and Cipher Suite Issues
- How Do I Fix an Incomplete Certificate Chain?
- Why Does My Certificate Not Match the Key?
- Why Are HTTPS Requests Denied on Some Mobile Phones?
- What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites?
- Why Is the Bar Mitzvah Attack on SSL/TLS Detected?
- Troubleshooting Traffic Forwarding Exceptions
- Checking Whether Normal Requests Are Blocked Mistakenly
- Videos
- CC Attack
- Cross-Site Request Forgery (CSRF)
- Scanner
- Web Tamper Protection
- Cross-site Scripting (XSS) Attack
- SQL Injection
- Command Injection
- Code Injection
- Sensitive File Access
- Server-Side Request Forgery
- Web Shell
- Hotlinking
- Multi-pattern Matching
- Precise Protection
- Blacklist and Whitelist
- Intelligent Decoding
- Semantic Analysis-based Detection
- Rate Limit
- Anti-Crawler
- A Record
- SQL Injection Attack
- Non-standard Port
Show all
Basic Concepts
This document describes terms related to WAF.
CC Attack
Challenge Collapsar (CC) attacks are web attacks against web servers or applications. In CC attacks, attackers send a large amount of standard GET/POST requests to target system to exhaust web servers or applications. For example, attackers can send requests to URIs of databases or other resources to make the servers unable to respond to normal requests.
Cross-Site Request Forgery (CSRF)
CSRF, or XSRF is a common web attack. Attackers may trick the victim into submitting a malicious request that inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf. If the user is currently authenticated to the site, the site will have no way to distinguish between the forged request and a legitimate request sent by the victim, as browser requests always carry session cookies associated with the site.
Scanner
A scanner is a program that automatically detects security vulnerabilities on local or remote servers. It can quickly and accurately detect vulnerabilities of scanned targets and provide scanning results for users.
Web Tamper Protection
Web Tamper Protection (WTP) can protect your files, such as web pages, documents, images, and databases, in specific directories against tampering and sabotage from hackers and viruses.
Cross-site Scripting (XSS) Attack
XSS is a type of attack that exploits security vulnerabilities in web applications. The attacker injects auto-executed malicious code into webpages to steal user information when they visit the pages.
SQL Injection
SQL injection is a common web attack whereby attackers inject malicious SQL commands into query strings of backend databases for the victim web application to deceive the server into executing them. By exploiting these commands, the attacker can obtain sensitive information, add users, export files, or even gain the highest permissions to the database or system.
Command Injection
Command injection is a cyber attack that executes fabricated OS commands and escape from a blacklist by calling web APIs to attack services.
Code Injection
Code injection is an attack that exploits logic defects of web applications in input validation or code execution vulnerabilities of some script functions.
Sensitive File Access
Sensitive files, such as configuration files and permission management files related to the operating system and application service framework, are mission-critical data. If sensitive files are accessible through Internet requests, the services will be at risk.
Server-Side Request Forgery
Server-side request forgery (SSRF) is a web security vulnerability constructed by an attacker to form a request initiated by the server. Generally, the target of an SSRF attack is the internal system that cannot be accessed from the external network. If a server supports obtaining data from other server applications but not filters or restricts destination addresses, an SSRF vulnerability may be made by attackers.
Web Shell
A web shell is an attack script. After intruding into a website, an attacker adds an .asp, .php, .jsp, or .cgi script file with normal web page files. Then, the attacker accesses the file from a web browser and uses it as a backdoor to obtain a command execution environment for controlling the web server. So, web shells are also called backdoor tools.
Hotlinking
Hotlinking is an act that a crafty website links to files hosted on your servers, instead of storing files on their own servers. Generally, the crafty website links to large files, such as images and videos, as large files use much more bandwidth than small ones. So you have to pay for access traffic of the bad actors. They steal your server bandwidth, making your website slow.
Multi-pattern Matching
Multi-pattern matching is a highly efficient multi-mode matching algorithm that is used for feature detection of request traffic, which greatly improves the performance of the detection engine.
Precise Protection
You can create a custom precise protection rule that combines multiple common HTTP fields, such as the URL, IP, Params, Cookie, Referer, User-Agent, and Header. You can also combines logic conditions to block or allow traffic precisely.
Blacklist and Whitelist
The IP address whitelist includes trusted IP addresses. Requests from the trusted IP addresses are forwarded without inspection. The IP address blacklist includes malicious IP addresses. The traffic from these IP addresses is handled based on inspection policies.
Intelligent Decoding
This is a method that intelligently identifies multiple codes in a request for infinite multi-layer obfuscation and performs in-depth decoding to obtain the original attack intent of the attacker.
Semantic Analysis-based Detection
A syntax tree is constructed based on the semantic context to analyze and determine whether the payload is an attack payload.
Rate Limit
Access control policies are used to limit the access over a specific interface.
Anti-Crawler
An extensive crawler feature library is provided to detect many types of crawlers (search engines, scanners, script tools, and other crawlers).
A Record
An address (A) record maps a host name (or domain name) to the IP address of the server hosting the domain name.
SQL Injection Attack
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
Non-standard Port
Non-standard ports are the ports other than ports 80 and 443.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.