This topic describes the attack types involved in attack statistics and provides corresponding solutions.
Overview
The following table lists all attack types and their categories.
| Category | Attack type |
|---|---|
| Injection attacks | JNDI injection, SQL injection, Command injection, XXE, XSS, EL injection, Engine injection, JSTL file inclusion |
| Deserialization and class loading | Deserialization attack, Malicious class loading, Malicious beans binding |
| RASP bypass techniques | JNI injection, Malicious reflection calls, Thread injection, Malicious Attach API |
| File system attacks | Arbitrary file read, Malicious file read and write, Malicious file upload, Arbitrary file deletion, Directory traversal |
| Network-based attacks | SSRF, Malicious DNS query, Usage of insecure protocols |
| Persistence techniques | Memory horse injection |
| Credential attacks | Weak database password |
Injection attacks
JNDI injection
Description
Java Naming and Directory Interface (JNDI) injection occurs when an application performs a JNDI lookup using a URL that an attacker can control. The attacker directs the server to query a malicious endpoint, which causes the server to load malicious classes and allows the attacker to execute arbitrary code.
Solution
If the vulnerability originates from a third-party component, upgrade the component to the latest patched version.
If the vulnerability originates from self-written JNDI query code, restrict the query URLs and prohibit lookups over insecure protocols.
SQL injection
Description
SQL injection occurs when an attacker inserts malicious SQL statements into web request query strings or form inputs. The server executes the injected SQL statements, which allows the attacker to access data in the database.
Solution
SQL injection is caused by string concatenation in SQL statements. Use parameterized queries (prepared statements) to precompile input parameters. If parameterized queries are not feasible, apply whitelist or blacklist validation to restrict concatenated parameters.
Command injection
Description
Command injection is a vulnerability that allows an attacker to execute arbitrary system commands on the server. In most cases, command injection results from web shells or insecure server-side code that passes user input to system command functions.
Solution
Identify the location where commands are executed:
If command execution is caused by a web shell, delete the web shell immediately.
If command execution is part of legitimate server functionality, apply whitelist restrictions to limit the commands that can be executed.
XXE
Description
XML External Entity (XXE) injection occurs when an XML parser processes an XML document that references external entities. An attacker can craft malicious XML content to perform arbitrary file reads, command injection, or internal network attacks.
Solution
Check whether your application needs to resolve external entities when it parses XML documents. If external entities are not required, disable them in the XML parser configuration.
XSS
Description
Cross-site scripting (XSS) occurs when an attacker injects malicious scripts into a website. The injected scripts execute in the browsers of users who visit the affected pages.
Solution
Similar to HTML injection attacks, XSS attacks allow attackers to inject HTML code into web pages. To protect your application against XSS attacks, apply strict input validation and output encoding:
Filter input data. Check for the following characters and patterns:
',",<,>,on*,script, andiframe. Validate all sources of user input, including form fields, cookie values, and HTTP request headers.Validate data properties. Check the type, format, length, range, and content of all input data.
Apply defense in depth. Perform input validation and filtering on both the client side and the server side.
Encode output data. Convert input data to safe representations such as HTML entities or escaped JavaScript before rendering on web pages. A value in the database may be displayed multiple times on a website. Even if input values are encoded at the time of storage, validate and encode all output values before display.
Expression language (EL) injection
Description
Expression languages provide runtime features such as data queries and dynamic processing. Many expression languages also support advanced operations such as Java method invocations. If the expression content is not restricted, an attacker can modify the expression to execute arbitrary code.
Solution
Strictly restrict the content of expressions and disable Java function calls.
If the vulnerability originates from a third-party component, upgrade the component to the latest patched version.
Engine injection
Description
Java supports various third-party JavaScript engines (such as Rhino and Nashorn) and template engines (such as Apache Velocity and FreeMarker). These engines typically provide advanced features including Java method invocations. If the engine input is not restricted, an attacker can inject malicious content that the engine executes, which results in arbitrary code execution.
Solution
Strictly restrict the content that is passed to script and template engines. Disable Java function calls within engine contexts.
If the vulnerability originates from a third-party component, upgrade the component to the latest patched version.
JSTL file inclusion
Description
JavaServer Pages Standard Tag Library (JSTL) is a collection of JSP tags that encapsulate common core features of JSP applications. If a user-controllable parameter is directly concatenated into a JSTL expression without input validation, an attacker can craft a malicious payload that leads to arbitrary file reads or server-side request forgery (SSRF).
Solution
Do not directly concatenate user-controllable parameters into JSTL expressions. If concatenation is necessary, apply strict whitelist validation to the parameter values.
Deserialization and class loading
Deserialization attack
Description
Java deserialization restores a byte sequence into a Java object. If the deserialized object contains code that can be exploited, an attacker can manipulate the member variables of the object to execute malicious operations during the deserialization process.
Solution
Upgrade vulnerable components to the latest patched versions.
If no patched version is available, temporarily disable the affected deserialization functionality.
Malicious class loading
Description
Zero-day exploits and web shells rely on loading malicious Java classes. When a malicious class is loaded, the attacker can initialize it to gain code execution permissions and perform further malicious operations.
Solution
If the malicious class was loaded through a web shell, delete the web shell immediately.
If the malicious class was loaded due to a framework vulnerability, upgrade the framework to the latest patched version.
Malicious beans binding
Description
Some Java frameworks support automatic bean property binding at runtime. If the types of bean properties that can be bound are not restricted, an attacker can modify the values of sensitive properties to disrupt application behavior or execute arbitrary code.
Solution
Restrict the types of bean properties that can be bound. Prevent modification of sensitive properties such as
classand class loader properties.If the vulnerability originates from a third-party component, upgrade the component to the latest patched version.
RASP bypass techniques
JNI injection
Description
Java Native Interface (JNI) injection is a common technique used to bypass Runtime Application Self-Protection (RASP). After an attacker gains code execution permissions, the attacker can use JNI functions to invoke external malicious dynamic-link libraries. This bypasses Java-layer security protections and conceals malicious behaviors.
Solution
Your server may have a code execution vulnerability. Identify the source of the vulnerability and restrict code execution permissions.
Malicious reflection calls
Description
The self-protection module of RASP prevents attackers from using Java reflection to modify RASP internal data at runtime.
Solution
Your server may have a code execution vulnerability. Identify the source of the vulnerability and restrict code execution permissions.
Thread injection
Description
Thread injection is a common technique used to bypass RASP. After an attacker gains code execution permissions, the attacker can create a new thread to escape the RASP-monitored execution context. This degrades the defense capability of RASP.
Solution
Your server may have a code execution vulnerability. Identify the source of the vulnerability and restrict code execution permissions.
Malicious Attach API
Description
The Attach API is a Java technology that enables dynamic modification of the bytecode of running applications. Attackers can use this technology to inject agent-type memory horses. This attack method is highly deceptive.
Solution
Your server may have a code execution vulnerability. Identify the source of the vulnerability and restrict code execution permissions.
File system attacks
Arbitrary file read
Description
If a website's file download or read feature allows files to be accessed by absolute path or through directory traversal, an attacker can exploit this vulnerability to read sensitive files and obtain confidential information.
Solution
Verify that file read operations function as expected. If anomalous behavior is detected, review the related code and apply blacklist restrictions to block path traversal sequences such as ./ and ../.
Malicious file read and write
Description
Java provides the RandomAccessFile class for file read and write operations. If the file path and file content are not properly validated, an attacker may read sensitive system files or write trojan files to the server.
Solution
Verify that file read and write operations function as expected. If anomalous behavior is detected, review the related code and apply blacklist restrictions to block access to sensitive paths.
Malicious file upload
Description
If a website's file upload feature does not restrict the types of files that can be uploaded, an attacker can upload executable files such as JSP web shells to gain elevated permissions on the server.
Solution
Restrict the types of files that can be uploaded. Prohibit uploading files with execute permissions, such as JSP files.
Arbitrary file deletion
Description
If a website's file deletion feature allows files to be deleted by absolute path or through directory traversal, and the file paths are not properly validated, an attacker can exploit this vulnerability to delete critical files or obtain sensitive information.
Solution
Verify that file deletion functions as expected. If anomalous behavior is detected, review the related code and apply blacklist restrictions to block path traversal sequences such as ./ and ../.
Directory traversal
Description
Directory traversal occurs when a website's directory structure can be browsed arbitrarily due to configuration defects. This can lead to disclosure of sensitive information that an attacker can use to further compromise the website.
Solution
Verify that directory access functions as expected. If anomalous behavior is detected, review the related code and apply blacklist restrictions to block traversal sequences such as ./ and ../.
Network-based attacks
SSRF
Description
Server-side request forgery (SSRF) is a vulnerability that allows an attacker to induce the server-side application to send HTTP requests to an arbitrary destination. The attacker can use SSRF to access internal systems that are not directly reachable from the internet.
Solution
SSRF is caused when the server sends requests based on user-supplied input parameters. Validate the parameter values and apply whitelist restrictions to permitted destinations.
Malicious DNS query
Description
Attackers can exploit DNS queries in multiple ways. An attacker may use the DNS protocol to exfiltrate sensitive data from internal networks (DNS tunneling). The attacker may also use DNS queries to probe for vulnerabilities in internal systems, such as SSRF and JNDI injection.
Solution
Malicious DNS queries are caused when the server sends requests based on user-controlled parameters. Validate the parameter values and apply whitelist restrictions.
Usage of insecure protocols
Description
If the URL that a server accesses is user-controllable and the application does not restrict the URL protocol, an attacker can use insecure protocols such as file:// and netdoc:// to read sensitive files on the server.
Solution
Restrict the URL protocols that the application is allowed to use. Allow only trusted protocols such as HTTP and HTTPS.
Persistence techniques
Memory horse injection
Description
Memory horse is an emerging fileless trojan technique. An attacker injects malicious code directly into the application's memory space, which allows the trojan to operate without writing files to disk. This technique can bypass Web Application Firewall (WAF) and host-based detection mechanisms.
Solution
Your server may have a code execution vulnerability. Identify the source of the vulnerability and restrict code execution permissions.
Credential attacks
Weak database password
Description
If a database uses a weak password, an attacker can obtain the password through brute-force attacks. The attacker can then access the database to steal data or escalate privileges to gain system-level permissions.
Solution
Use a strong, complex password for all database accounts.