Cover Scene Description

1. Database: SQL injection

Covering the scene:

  • SQL injection from GET, POST, Header, JSON, Multipart and other parameters

  • Other types of SQL injection, such as secondary injection, RPC interface SQL injection

Coverage type:

  • Blind injection, UNION injection, time difference injection, error injection, multi-statement injection

  • SQL exception monitoring: such as syntax errors, password errors

2. Database: slow query (moved to APM)

Explanation: When obtaining data in SQL, it is more difficult to obtain SQL statements at the same time. At present, this detection point has been abandoned. In addition, we cannot distinguish between network time and SQL execution time, and it is difficult to confirm whether slow queries are really slow queries. This feature was moved to APM module

Expect to cover the scene

  • SELECT statement takes longer than N seconds

  • SELECT statement reads more than N data at a time (easy to false positive, such as data export)

3. Arbitrary file upload

Overlay scene

  • Upload script files by HTTP PUT, such as CVE-2017-12615

  • HTTP PUT + MOVE method, upload ordinary file first, and then rename it to script file

  • Upload script files using standard multipart

    • Supports Java struts, spring, and other frameworks

    • Support PHP$_FILESway

    • Support .NET

4. Download sensitive files, read arbitrary files

Overlay scene

  • Using any file download vulnerability, try to jump out of the web directory to download system files, eg/download.jsp?path=/../././//./.././/../../etc/hosts

  • Sensitive files such as .tar / .sql / .log / ... exist under PHP webroot (only baseline detection, no interception)

  • Executable files (Linux, Windows or Mac)

5. File directory listing

Overlay scene

  • Using PHP WebShell to view the file directory of the server

  • Enableddirectory indexso that users can directly see files in a directory (this check is not enabled by default)

  • Use../won other variations out of the current directory, view other contents of the directory

  • Enable directoryBrowse enabled="true" in Web.Config (.NET)

6. Scanner detection behavior 

Explanation: In most cases, the discovery of scanner behavior does not indicate a vulnerability. This feature is not in line with the original intention of RASP, so we turn off this feature by default., but you can configure to enable it

Overlay scene

  • Use well-known scanners to detect website vulnerabilities, such as SQLMap, WVS, and more



IAST is able to detect CSRF. Even RASP can protect from CRSF, such vulnerabilities should be completed by the development framework. RASP can be implemented by inserting JS, that is, monitoring form creation in JS, inserting csrf token, and performing token verification on the server.

Overlay scene

  • Useimg/video/frame/.., etc., trigger type GET CSRF

  • Form automatic submission

  • XHR submission form

Overlay scene

  • Modify cookies to gain administrator rights

9. CRLF 

Explanation: Most of the HTTP header CRLF injection vulnerabilities have been fixed at the API level; however, it still exists in some non-HTTP protocols, such as the recently released Java/Scala/Kotlin/Clojure FTP protocol CRLF injection.

Overlay scene

  • When setting the HTTP header or processing other TCP streams (such as the FTP protocol), insert newlines

10. XXE

Explanation: PHP cannot hook xml detection points, it is only supported in JAVA/Scala/Kotlin/Clojure, Node.js and .NET

Overlay scene

  • Byorg.apache.xercesreference to an external entity

    • Accessftp/dict/gopher/expect/..and other less common protocol to implement OOB attack

    • Usefileprotocol to read sensitive documents

11. Deserialization Vulnerability

Overlay scene

  • Java/Scala/Kotlin/Clojure

    • fastjson

    • transformer

    • xstream (such as S2-052)

    • ... (Other unknown types, see the detection plugin command_reflect algorithm for details)

  • PHP

    • To be sorted

  • .NET

    • Not vulnerable

12. Struts OGNL code execution

Overlay scene

  • Struts OGNL Series All Code Execution Vulnerability

  • OGNL statement injection attack

13. WebShell behavior

Overlay scene

  • Accessing the database using SQL Manager

  • Download sensitive files using file manager

  • Use a Chinese kitchen knife to execute commands

  • ... Other unknown types, see the detection plugin webshell_reflect algorithm for details)

14. Remote command execution

Overlay scene

  • UseRuntime.exec()the class command execution

  • Usesystem/passthru/shell_exec/proc_open/pcntl_exec/..other functions execute command

  • Execute commands through deserialization, etc.

15. Command injection

Overlay scene

  • Use&,|,;and other symbols cut, splice command

  • $(xxx)Inject commands using, backticks, etc.

  • Syntax error during command injection attack

16. XSS: Reflected

Overlay scene

  • Output GPC directly using PHP echo function

  • User input content with HTML tags and output directly to the page

17. XSS: Stored

Overlay scene

  • Backstage Blind

18. LDAP injection [commercial version only]

Overlay scene

  • Modify LDAP query logic by injection

19. DOS: Regex Group Attack

Overlay scene

  • Common Regex DoS attacks, eg(a+)+,(a|aa)+

20. Printing sensitive log information

Overlay scene

  • Use log4j, java.util.logging or Log4Net to print sensitive information such as ID cards, bank cards, credit cards, etc.

  • HTTP response (html / json / xml / etc.) returned uncoded sensitive information

21. File contains

Overlay scene

  • PHP useinclude|include_once|require|require_onceand other ways, including log, pictures, text files, etc.

  • Java uses jstl to include files

  • ASP/ASP.NET include

22. NTLM Information Disclosure Attack

Overwrite scene (Windows only)

  • MySQL DNS way off

  • Use302 redirection 

  • file/smb/scp

  • leak NTLM key

23. SSRF

Overlay scene

  • Bypass

    • / *.vcap.meand other network resources within a known domain names

    • Use 302 redirection to access resources in the file: /// domain

    • Try to obfuscate the destination address of the visit, and it is the internal IP, eghttp://0x7f001http://0x7f.0x0.0x0.0x1

    • Access reserved address, eghttp://0/

  • Common scenarios

    • Try to access aws metadata, eghttp://

    • Try to access a known echo service, eg*

    • Try to usegopher://,dictetc. uncommon protocols

    • (Java) Use JSTL import to access intranet resources

24. Asset weakness identification

Overlay scene

  • Collect composer / pom / Web.Config information

  • Using a 3rd-party library with known vulnerabilities

25. Background Blasting Identification

Overlay scene

  • Background explosion without verification code