
Web Application Firewall:Configure API security policies

Last Updated:Oct 23, 2024

This topic describes the built-in and custom policies of the API security module. The module has a built-in detection mechanism. You can configure detection policies for your API assets based on your business requirements. You can configure the policies on the following tabs in the Web Application Firewall (WAF) console: Risk Detection Configurations, Security Event Configurations, Sensitive Data-related Configurations, Authentication Credential Configurations, Business Purpose, Configure Whitelist, Lifecycle Management, Log Subscription Configurations, and Applicable Object Configurations. After you configure the policies, the module can detect risks in a more accurate manner with a higher recall rate. You can handle the detected risks to prevent your API assets from being attacked.

1. Risk Detection Configurations

Risks refer to API security risks or security threats that are caused by development, management, or configuration defects. Security risks differ from security events. Security risks can be detected regardless of whether attacks are initiated. Security events can be detected only when attacks are initiated and alerts are generated.

Built-in policies

On the Risk Detection Configurations tab of the Policy Configurations tab, you can view the built-in policies. You can also change the status and risk level of a built-in policy. The risk level can be Low Risk, Medium Risk, or High Risk.

Custom policies

On the Risk Detection Configurations tab, you can configure up to 20 custom policies. To create a custom policy, perform the following steps:

  1. On the API Security page, choose Policy Configurations > Risk Detection Configurations.

  2. In the left-side section of the tab that appears, click New to the right of Custom Policy. In the panel that appears, configure the parameters. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Risk Status | The status of the policy. By default, the switch is turned on. |
    | Risk Name | The risk name. You can specify a custom value. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
    | Suggestions | The suggestion on how to handle the detected risks. You can specify a value based on your business requirements. |
    | Risk Level | The risk level. Valid values: Low Risk, Medium Risk, and High Risk. |
    | Check Configurations | The detection conditions. You can specify up to 10 conditions based on your business requirements. |

    The following table describes the Match Field, Logical Operator, and Match Content parameters that you must configure to specify a detection condition.

    Note

    You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

    Condition settings

    | Match Field | Sub-condition (input or selection required) | Logical Operator | Match Content |
    | --- | --- | --- | --- |
    | Domain Name | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | API | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Method | Not supported | Equals One of Multiple Values; Does Not Equal Any Value | You can select multiple request methods from the drop-down list, such as GET, POST, DELETE, and PUT. |
    | User-Agent | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Referer | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Communication Protocol | Not supported | Equals | You can select HTTP or HTTPS from the drop-down list. |
    | Request Content-Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Length | Not supported | Equals; Value Less Than; Value Greater Than | You can enter an integer in the range of 0 to 8192. |
    | Response Content-Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Response Length | Not supported | Equals; Value Less Than; Value Greater Than | You can enter an integer in the range of 0 to 8192. |
    | HTTP Status Code | Not supported | Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Header | Custom Header | Exists; Does Not Exist; Length Equal To; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | - |
    | Cookie Parameter | Custom Cookie-Exact | Exists; Does Not Exist; Length Equal To; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | - |
    | GET Parameter | Custom Parameter | Exists; Does Not Exist; Length Equal To; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | - |
    | POST Parameter | Custom Post-Arg | Exists; Does Not Exist; Length Equal To; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | - |
    | Response Header | Response Header | Exists; Does Not Exist; Length Equal To; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | - |
    | Response Parameter | Response Parameter | Exists; Does Not Exist; Length Equal To; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | - |
    | Purpose | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can select multiple purposes from the drop-down list. |
    | Service Object | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can select multiple service objects from the drop-down list. Note: For more information about service objects, see What are the objects for which APIs are called to provide services? |
    | Authentication | Not supported | Equals | You can select Yes or No from the drop-down list. |
    | Request Sensitive Data Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Category Count Greater Than | You can select multiple sensitive data types from the drop-down list. If you select Category Count Greater Than as the logical operator, enter an integer in the range of 0 to 8192. |
    | Sensitivity Level of Request Sensitive Data | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can select multiple sensitivity levels from the drop-down list. Valid values: S1, S2, S3, and S4. |
    | Response Sensitive Data Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Category Count Greater Than | You can select multiple sensitive data types from the drop-down list. If you select Category Count Greater Than as the logical operator, enter an integer in the range of 0 to 8192. |
    | Sensitivity Level of Response Sensitive Data | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can select multiple sensitivity levels from the drop-down list. Valid values: S1, S2, S3, and S4. |
    | Response Sensitive Data | You can select multiple response-related sensitive data types from the drop-down list. | Greater Than | You can enter an integer in the range of 0 to 8192. |
    | Source Location | Not supported | Equals | You can select Chinese Mainland or Outside Chinese Mainland from the drop-down list. |
    | Source IP Address | Not supported | Belongs To; Does Not Belong To | You can enter an IP address or a CIDR block. Example: 1.1.X.X/24. You can enter up to 50 items. Separate the items with commas (,) and press the Enter key to confirm each item. Regular expressions are not supported. |

  3. After you configure the parameters, click OK to save the configurations.
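The following Python code is an added example, not part of this topic or of WAF itself: it evaluates a custom risk detection policy offline against a constructed API record, using the match fields and logical operators from the condition settings table, so you can sanity-check a policy before creating it in the console. It assumes that all conditions of a policy must match (the rule the topic states for security event policies) and enforces the documented limits of 10 conditions and 50 match items; the field values, the 192.0.2.0/24 office range and the `Authorization` header name are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Any, Optional

MAX_CONDITIONS = 10   # "You can specify up to 10 conditions"
MAX_ITEMS = 50        # "You can specify up to 50 items for the Match Content parameter"

# Constructed API record, keyed by the match field names used in the console table.
SAMPLE_API = {
    "Domain Name": "api.example.com",
    "API": "/api/v1/getuserbyid/${param}",
    "Request Method": "GET",
    "Communication Protocol": "HTTP",
    "Authentication": "No",
    "Request Header": {"User-Agent": "curl/8.0", "Trace-Id": "7c1d"},   # name -> value
    "Response Sensitive Data Type": ["Phone", "IDCard", "Email"],
    "Sensitivity Level of Response Sensitive Data": ["S3", "S4"],
    "Response Length": 1450,
    "Source IP Address": "203.0.113.7",
}


@dataclass
class Condition:
    field: str                 # Match Field
    operator: str              # Logical Operator
    content: Any = None        # Match Content: list of items, scalar, or list of CIDR blocks
    sub: Optional[str] = None  # Sub-condition, e.g. the custom header or parameter name


def validate_policy(conditions: list) -> None:
    """Reject policies that exceed the limits documented for the console."""
    if not 1 <= len(conditions) <= MAX_CONDITIONS:
        raise ValueError(f"a policy needs 1 to {MAX_CONDITIONS} conditions")
    for c in conditions:
        if isinstance(c.content, list) and len(c.content) > MAX_ITEMS:
            raise ValueError(f"{c.field}: at most {MAX_ITEMS} match items")


def _lookup(record: dict, cond: Condition):
    value = record.get(cond.field)
    if cond.sub is not None:               # header/cookie/parameter sub-condition
        return (value or {}).get(cond.sub)
    return value


def _contains(value, item) -> bool:
    # List-valued fields (sensitive data types, levels) contain an item exactly;
    # string fields (Domain Name, API, User-Agent) contain it as a substring.
    return item in value if isinstance(value, list) else item in str(value)


def evaluate_condition(record: dict, cond: Condition) -> bool:
    value = _lookup(record, cond)
    op = cond.operator
    if op == "Exists":
        return value is not None
    if op == "Does Not Exist":
        return value is None
    if value is None:                      # field absent: no other operator can match
        return False
    if op == "Contains One of Multiple Values":
        return any(_contains(value, i) for i in cond.content)
    if op == "Does Not Contain Any Value":
        return not any(_contains(value, i) for i in cond.content)
    if op == "Equals One of Multiple Values":
        return value in cond.content
    if op == "Does Not Equal Any Value":
        return value not in cond.content
    if op == "Equals":
        return value == cond.content
    if op == "Value Less Than":
        return int(value) < int(cond.content)
    if op == "Value Greater Than":
        return int(value) > int(cond.content)
    if op == "Length Equal To":
        return len(value) == int(cond.content)
    if op == "Length Less Than":
        return len(value) < int(cond.content)
    if op == "Length Greater Than":
        return len(value) > int(cond.content)
    if op == "Category Count Greater Than":
        return len(value) > int(cond.content)
    if op in ("Belongs To", "Does Not Belong To"):
        ip = ipaddress.ip_address(value)
        hit = any(ip in ipaddress.ip_network(n, strict=False) for n in cond.content)
        return hit if op == "Belongs To" else not hit
    raise ValueError(f"unsupported operator: {op}")


def evaluate_policy(record: dict, conditions: list) -> bool:
    """All conditions must match for the policy to hit (assumed AND semantics)."""
    validate_policy(conditions)
    return all(evaluate_condition(record, c) for c in conditions)


# Custom risk: unauthenticated plaintext API that returns several S3/S4 data types
# to callers outside the trusted office range (all values constructed).
PLAINTEXT_SENSITIVE_API = [
    Condition("Authentication", "Equals", "No"),
    Condition("Communication Protocol", "Equals", "HTTP"),
    Condition("Request Header", "Does Not Exist", sub="Authorization"),
    Condition("Sensitivity Level of Response Sensitive Data",
              "Contains One of Multiple Values", ["S3", "S4"]),
    Condition("Response Sensitive Data Type", "Category Count Greater Than", 2),
    Condition("Source IP Address", "Does Not Belong To", ["192.0.2.0/24"]),
]

if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_API, PLAINTEXT_SENSITIVE_API))  # True
```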

2. Security Event Configurations

Security events are generated when errors occur during API calls or when attacks are initiated. For example, a security event is generated when a brute-force attack is initiated against the logon API or an SMS flood attack is initiated by abusing the SMS sending API. The built-in detection mechanism detects events based on IP addresses. If events have the same CIDR block, API, and type and are generated on the same day, the events are aggregated, and one alert is generated for the events.

Built-in policies

After an alert is triggered by a built-in policy of security events, no new alert is triggered if attacks are continuously initiated from the same IP address. However, the attack time of the triggered alert is updated, and the severity is changed based on the volume of the attack traffic.

On the Security Event Configurations tab of the Policy Configurations tab, you can view the built-in policies. You cannot modify or delete the policies.

Custom policies

On the Security Event Configurations tab, you can configure up to 10 custom policies. To create a custom policy, perform the following steps:

  1. On the API Security page, choose Policy Configurations > Security Event Configurations.

  2. In the left-side section of the tab that appears, click New to the right of Custom Policy. In the panel that appears, configure the parameters. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Event Status | The status of the policy. By default, the switch is turned on. |
    | Event Name | The event name. You can specify a custom value. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
    | Suggestions | The suggestion on how to handle the detected events. You can specify a value based on your business requirements. |
    | Event Level | The risk level. Valid values: Low Risk, Medium Risk, and High Risk. |
    | Match Condition | The detection conditions. You can specify up to 10 conditions based on your business requirements. Note: If you specify multiple conditions, the policy is considered hit only when all conditions are matched. |
    | Statistical Period | The statistical period. Maximum value: 15. Unit: minutes. |
    | Requests | The number of requests. Valid values: positive integers. |
    | Data Statistics | The counting conditions. You can specify up to 10 conditions based on your business requirements. |

    For more information about how to configure the Match Field, Logical Operator, and Match Content parameters to specify a detection condition, see Condition settings in the "1. Risk Detection Configurations" section of this topic.

    Note

    You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

    The following table describes the Match Field, Logical Operator, and Match Content parameters that you must configure to specify a counting condition.

    Condition settings

    | Match Field | Sub-condition (input or selection required) | Logical Operator | Match Content |
    | --- | --- | --- | --- |
    | Status Code Statistics | Enter an integer in the range of 100 to 600. | Value Greater Than | Enter an integer in the range of 0 to 8192. |
    | Request Header | Custom Header | Distinct Less Than; Distinct Equals; Distinct Greater Than | Enter an integer in the range of 0 to 8192. |
    | Cookie Parameter | Custom Cookie-Exact | Distinct Less Than; Distinct Equals; Distinct Greater Than | Enter an integer in the range of 0 to 8192. |
    | GET Parameter | Custom Parameter | Distinct Less Than; Distinct Equals; Distinct Greater Than | Enter an integer in the range of 0 to 8192. |
    | POST Parameter | Custom Post-Arg | Distinct Less Than; Distinct Equals; Distinct Greater Than | Enter an integer in the range of 0 to 8192. |
    | Response Sensitive Data Type | Select response-related sensitive data types from the drop-down list. | Distinct Greater Than | Enter an integer in the range of 0 to 8192. |
    | Sensitivity Level of Response Sensitive Data | Select response-related sensitivity levels from the drop-down list. | Distinct Greater Than | Enter an integer in the range of 0 to 8192. |

    Note

    By default, the API security module performs sampling analysis on sensitive data in responses. If you want to specify Response Sensitive Data Type or Sensitivity Level of Response Sensitive Data as the match field of a detection condition in a custom policy, you must turn on Tracing and Auditing for the protected objects on the Policy Configurations > Applicable Object Configurations tab. This ensures that all information about sensitive data in responses is recorded and analyzed for the protected objects.

  3. After you configure the parameters, click OK to save the configurations.
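As an added example that is not part of this topic or of the WAF product, the following Python code shows how a custom security event policy combines the Statistical Period, Requests and Data Statistics settings: it groups constructed access records per source IP address, keeps only the ones inside the period, and reports the sources that hit every counting condition, here the brute-force pattern against a logon API mentioned above. The per-source grouping, the "at least Requests" reading of the threshold, the `/api/v1/login` path and all traffic are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_PERIOD_MINUTES = 15   # "Statistical Period ... Maximum value: 15. Unit: minutes."
MAX_STATS = 10            # "Data Statistics ... up to 10 conditions"


@dataclass(frozen=True)
class Request:
    ts: int                      # Unix time, seconds
    src_ip: str
    api: str
    status: int
    post_args: Tuple[Tuple[str, str], ...] = ()   # POST parameters as (name, value) pairs


@dataclass
class EventPolicy:
    name: str
    api: str                     # Match Condition: API equals this path (constructed)
    period_minutes: int          # Statistical Period
    requests: int                # Requests: minimum count inside the period (assumed >=)
    stats: List[tuple] = field(default_factory=list)  # Data Statistics rows


def validate_policy(p: EventPolicy) -> None:
    if not 1 <= p.period_minutes <= MAX_PERIOD_MINUTES:
        raise ValueError("Statistical Period must be 1 to 15 minutes")
    if p.requests < 1:
        raise ValueError("Requests must be a positive integer")
    if len(p.stats) > MAX_STATS:
        raise ValueError("at most 10 counting conditions")


def _stat_hits(reqs: List[Request], stat: tuple) -> bool:
    """One Data Statistics row: (Match Field, Sub-condition, Logical Operator, Match Content)."""
    match_field, sub, op, threshold = stat
    if match_field == "Status Code Statistics":
        if op != "Value Greater Than":
            raise ValueError(f"unsupported operator for status codes: {op}")
        return sum(1 for r in reqs if r.status == sub) > threshold
    if match_field == "POST Parameter":
        # Distinct values seen for the named parameter inside the period.
        distinct = {v for r in reqs for k, v in r.post_args if k == sub}
    else:
        raise ValueError(f"unsupported match field: {match_field}")
    if op == "Distinct Less Than":
        return len(distinct) < threshold
    if op == "Distinct Equals":
        return len(distinct) == threshold
    if op == "Distinct Greater Than":
        return len(distinct) > threshold
    raise ValueError(f"unsupported operator: {op}")


def evaluate(policy: EventPolicy, log: List[Request], now: int) -> List[str]:
    """Return the source IPs whose traffic to policy.api hits every condition in the period."""
    validate_policy(policy)
    window_start = now - policy.period_minutes * 60
    per_ip: Dict[str, List[Request]] = defaultdict(list)
    for r in log:
        if r.api == policy.api and window_start < r.ts <= now:
            per_ip[r.src_ip].append(r)
    hits = []
    for ip, reqs in per_ip.items():
        if len(reqs) >= policy.requests and all(_stat_hits(reqs, s) for s in policy.stats):
            hits.append(ip)
    return sorted(hits)


# Brute-force pattern against a logon API as a custom event policy: within 5 minutes,
# at least 50 requests, more than 40 of them answered 401, more than 20 distinct usernames.
LOGON_BRUTE_FORCE = EventPolicy(
    name="logon-brute-force", api="/api/v1/login", period_minutes=5, requests=50,
    stats=[("Status Code Statistics", 401, "Value Greater Than", 40),
           ("POST Parameter", "username", "Distinct Greater Than", 20)],
)

NOW = 1_716_452_318   # constructed reference time


def sample_log() -> List[Request]:
    """Constructed traffic: one source cycling through usernames, one legitimate user retrying."""
    log = [Request(NOW - i, "203.0.113.10", "/api/v1/login", 401 if i % 10 else 200,
                   (("username", f"user{i}"), ("password", "x")))
           for i in range(60)]
    log += [Request(NOW - 30 * i, "198.51.100.5", "/api/v1/login", 401,
                    (("username", "alice"), ("password", "x")))
            for i in range(4)]
    log.append(Request(NOW - 3600, "203.0.113.10", "/api/v1/login", 401,
                       (("username", "old"),)))   # an hour old: outside the 5-minute period
    return log


if __name__ == "__main__":
    print(evaluate(LOGON_BRUTE_FORCE, sample_log(), NOW))  # ['203.0.113.10']
```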

3. Sensitive Data-related Configurations

On the Sensitive Data-related Configurations tab of the Policy Configurations tab, you can search, filter, and view the built-in policies.

De-identification Display

The Sensitive Data-related Configuration tab provides the De-identification Display switch. By default, the switch is turned off.

If you turn on the switch, the system masks the related information before the information is displayed.

  • In the Risk Details and API Details panels, the system replaces sensitive data in the Sample Request and Sample Response sections with {{Phone}}. You can go to the panels on the Risk Detection tab.

  • In the Event Details panel, the system replaces sensitive data in the Sample Request Data and Sample Response Data sections with {}. You can go to the panel on the Security Events tab.

  • In the sample data, Request Cookie is masked as {{Cookie}}, Request Header that contains Token is masked as {{XXXToken}}, and Response SetCookie is masked as {{SetCookie}}.

The switch takes effect on the following data:

  • Risk Details and API Details: The switch takes effect only on new sample request data and sample response data.

  • Event Details: The switch takes effect on both new and existing sample request data and sample response data.

Built-in policies

You cannot modify or delete a built-in policy. You can only change the status of a built-in policy.

Custom policies

If you define custom sensitive data in your business, you can configure custom policies to detect the sensitive data. On the Sensitive Data-related Configurations tab, you can configure up to 20 custom policies. To create a custom policy, perform the following steps:

  1. On the API Security page, choose Policy Configurations > Sensitive Data-related Configurations.

  2. Click Create Policy. In the panel that appears, configure the parameters. The following table describes the parameters. You can create a custom policy in Basic or Expert mode.

    Parameter

    Description

    Name

    The name of the policy.

    The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Mode

    The detection mode of the policy. Valid values:

    • Basic: In this mode, you need to only perform simple configurations.

      If you select Basic, you must configure the Characters and Length parameters.

      • Characters: You can select Numeric, Uppercase Letters, and Lowercase Letters. You can select multiple options.

      • Length: You can specify a length range. You must specify integers as the start and end values. The start value must be in the range of 6 to 63, and the end value must be in the range of 7 to 64.

    • Expert: In this mode, you can specify a regular expression.

      If you select Expert, you must enter a regular expression to detect sensitive data. To prevent misdetection, make sure that the regular expression can match at least six characters.

    Sensitivity Level

    The sensitivity level of data that can be detected. Valid values: S1, S2, S3, and S4.

    Note

    For more information about the types of sensitive data, see What types of sensitive data can be detected by the API security module?

  3. After you configure the parameters, click OK to save the configurations.
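The following Python code is an added example (not the module's own implementation) of what the two modes of a custom sensitive data policy amount to: Basic mode turns the Characters and Length selections into a regular expression within the documented ranges, Expert mode accepts a regular expression only after a minimum-match-length check that enforces the "at least six characters" rule, and the resulting policies are then used to mask a constructed sample response the way De-identification Display replaces detected values. The `{{<policy name>}}` placeholder format, the word-boundary rule and the order-number and member-card data types are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Sequence

try:                                   # Python 3.11+ exposes the parser as re._parser
    from re import _parser as regex_parser
except ImportError:                    # older versions ship it as sre_parse
    import sre_parse as regex_parser

MIN_MATCH_LEN = 6                      # "the regular expression can match at least six characters"
CHARACTER_SETS = {"Numeric": "0-9", "Uppercase Letters": "A-Z", "Lowercase Letters": "a-z"}
LEVELS = ("S1", "S2", "S3", "S4")


@dataclass
class SensitiveDataPolicy:
    name: str
    level: str                         # Sensitivity Level, S1 to S4
    pattern: str                       # regular expression source


def basic_policy(name: str, level: str, characters: Sequence[str],
                 start: int, end: int) -> SensitiveDataPolicy:
    """Basic mode: derive the regular expression from the Characters and Length selections."""
    if not characters or any(c not in CHARACTER_SETS for c in characters):
        raise ValueError("select at least one of Numeric, Uppercase Letters, Lowercase Letters")
    if not (6 <= start <= 63 and 7 <= end <= 64 and start < end):
        raise ValueError("Length: start must be 6 to 63, end 7 to 64, and start < end")
    if level not in LEVELS:
        raise ValueError("Sensitivity Level must be S1 to S4")
    klass = "".join(CHARACTER_SETS[c] for c in characters)
    # \b stops a run from matching inside a longer token (assumed boundary rule).
    return SensitiveDataPolicy(name, level, rf"\b[{klass}]{{{start},{end}}}\b")


def min_match_length(pattern: str) -> int:
    """Shortest string the pattern can match, from the regex parser's width analysis."""
    return regex_parser.parse(pattern).getwidth()[0]


def expert_policy(name: str, level: str, pattern: str) -> SensitiveDataPolicy:
    """Expert mode: accept a regular expression only if it cannot match fewer than six characters."""
    re.compile(pattern)                # raises re.error on a malformed pattern
    if min_match_length(pattern) < MIN_MATCH_LEN:
        raise ValueError(f"pattern may match fewer than {MIN_MATCH_LEN} characters (misdetection risk)")
    if level not in LEVELS:
        raise ValueError("Sensitivity Level must be S1 to S4")
    return SensitiveDataPolicy(name, level, pattern)


def detect(text: str, policies: Sequence[SensitiveDataPolicy]) -> dict:
    """Number of matches per policy name, so a sample can be rated by sensitivity level."""
    return {p.name: len(re.findall(p.pattern, text)) for p in policies}


def mask_sample(text: str, policies: Sequence[SensitiveDataPolicy]) -> str:
    """De-identify a sample the way the console shows {{Phone}}: every detected value
    becomes {{<policy name>}} (placeholder format assumed)."""
    for p in policies:
        text = re.sub(p.pattern, "{{" + p.name + "}}", text)
    return text


# Constructed custom data types and a constructed sample response body.
ORDER_NO = basic_policy("OrderNo", "S2", ["Uppercase Letters", "Numeric"], 12, 16)
MEMBER_CARD = expert_policy("MemberCard", "S3", r"\bMC-\d{4}-\d{4}\b")
SAMPLE_RESPONSE = '{"order":"A7K2M9Q4Z1X8B5","card":"MC-1234-5678","note":"ok"}'

if __name__ == "__main__":
    print(detect(SAMPLE_RESPONSE, [ORDER_NO, MEMBER_CARD]))   # {'OrderNo': 1, 'MemberCard': 1}
    print(mask_sample(SAMPLE_RESPONSE, [ORDER_NO, MEMBER_CARD]))
```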

4. Authentication Credential Configurations

If your business uses unconventional fields as authentication fields, or the authentication fields have weak names, such as names that consist only of digits, we recommend that you configure custom authentication credentials. The API security module has a built-in mechanism that identifies authentication credentials. You can configure the required parameters to help the mechanism check whether authentication credentials are included in requests. This helps improve API security and the identification accuracy of authentication risks.

  1. On the API Security page, choose Policy Configurations > Authentication Credential Configurations.

  2. Click Create Policy. In the panel that appears, configure the parameters and click OK. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Name | The name of the policy. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
    | Match Condition | The match conditions. You must configure the Match Field, Logical Operator, and Match Content parameters to specify a condition. You can specify up to 10 conditions. You must specify a condition in which the Match Field parameter is set to Request Header, Request Cookie, Request Query, or Request Body. |

    Note

    If you specify multiple conditions, the policy is considered hit only when all conditions are matched.

    The following table describes the Match Field, Logical Operator, and Match Content parameters that you must configure to specify a match condition.

    Note

    You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

    Condition settings

    | Match Field | Sub-condition (input or selection required) | Logical Operator | Match Content |
    | --- | --- | --- | --- |
    | Domain Name | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | API | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Header | Custom Header | Exists; Length Equal To; Length Less Than; Length Greater Than | - |
    | Request Cookie | Custom Cookie-Exact | Exists; Length Equal To; Length Less Than; Length Greater Than | - |
    | Request Query | Custom Parameter | Exists; Length Equal To; Length Less Than; Length Greater Than | - |
    | Request Body | Custom Post-Arg | Exists; Length Equal To; Length Less Than; Length Greater Than | - |

5. Business Purpose

The API security module provides the following types of business purpose policies:

Built-in policies

The module provides built-in policies for various scenarios, including data update, data sharing, text message sending, and information sending. You cannot modify or delete a built-in policy. You can only change the status of a built-in policy. You can enable or disable a built-in policy based on your business requirements.

Custom policies

If the built-in policies do not meet your business requirements, you can configure custom policies based on URL and parameter name patterns to improve the detection accuracy of API risks.

  1. On the API Security page, choose Policy Configurations > Business Purpose.

  2. Click the Custom Policy card. Then, click Create Policy. In the panel that appears, configure the parameters and click OK. The following table describes the parameters.

    Note

    You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

    Condition settings

    | Match Field | Logical Operator | Match Content |
    | --- | --- | --- |
    | Domain Name | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | API | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Header Parameter Name | Equals One of Multiple Values; Contains One of Multiple Values | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Cookie Parameter Name | Equals One of Multiple Values; Contains One of Multiple Values | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Query Parameter Name | Equals One of Multiple Values; Contains One of Multiple Values | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Body Parameter Name | Equals One of Multiple Values; Contains One of Multiple Values | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | Request Sensitive Data Type | Equals One of Multiple Values; Contains One of Multiple Values | You can select multiple request-related sensitive data types from the drop-down list. |
    | Response Sensitive Data Type | Equals One of Multiple Values; Contains One of Multiple Values | You can select multiple response-related sensitive data types from the drop-down list. |
    | Response Parameter Name | Equals One of Multiple Values; Contains One of Multiple Values | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |

6. Configure Whitelist

On the Configure Whitelist tab of the Policy Configurations tab, you can configure separate whitelists for risks and security events to reduce alerts. For example, you can configure a whitelist to mute alerts for egress IP addresses of your office network, which helps improve the operational efficiency of your business.

  1. On the API Security page, choose Policy Configurations > Configure Whitelist.

  2. Click Create Policy. In the panel that appears, enter the name of the whitelist policy that you want to create and select the type of the whitelist policy that you want to configure. You can select Risk Detection or Security Events.

  3. Specify match conditions based on the whitelist policy type that you select.

    Note

    You can specify up to 10 match conditions.

    Match conditions for a whitelist policy of the Risk Detection type

    | Match Field | Logical Operator | Match Content |
    | --- | --- | --- |
    | Domain Name | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | API | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |

    Match conditions for a whitelist policy of the Security Events type

    | Match Field | Logical Operator | Match Content |
    | --- | --- | --- |
    | Domain Name | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | API | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter up to 50 items. Press the Enter key to confirm each item that you enter. |
    | IP | Belongs To; Does Not Belong To | You can enter an IP address or a CIDR block. Example: 1.1.X.X/24. You can enter up to 50 items. Separate the items with commas (,) and press the Enter key to confirm each item. Regular expressions are not supported. |

  4. Select the types of risks or security events whose alerts you want to mute. Then, click OK.

    Note

    The system supports built-in and custom types. You can select multiple types.

7. Lifecycle Management

You can specify the number of daily API calls and the number of consecutive days during which the API is not called to determine whether an API is a deactivated API. On the Lifecycle Management tab of the Policy Configurations tab, you can specify a standard to identify deactivated APIs. This way, you can handle the APIs at the earliest opportunity. This prevents attackers from exploiting deactivated APIs.

  1. On the API Security page, choose Policy Configurations > Lifecycle Management.

  2. Specify a standard to identify deactivated APIs and click OK.

    • Click Built-in Model.

      If you select Built-in Model, the API security module considers APIs that are not called within the previous 30 days or APIs whose calls significantly decrease as deactivated APIs.

    • Click Custom. Then, specify the number of daily API calls and the number of consecutive days during which the API is not called. The maximum number of consecutive days allowed is 31.

      If you select Custom, the API security module considers APIs whose number of daily API calls is less than the specified number within the specified consecutive days as deactivated APIs.

8. Log Subscription Configurations

After you configure log subscription settings for a specific log type, a log subscription task is generated. When trigger conditions of log delivery are met, the task delivers related logs to the Simple Log Service Logstore that you specify. You can create the required Logstore in the Simple Log Service console. The API security module supports the following log types: AssetInformation, riskInformation, and Attack EventInformation. You can use Simple Log Service to manage the logs in a centralized manner.

Note

WAF instances in the Chinese mainland can deliver logs only to Simple Log Service Logstores in the Chinese mainland. WAF instances outside the Chinese mainland can deliver logs only to Simple Log Service Logstores outside the Chinese mainland.

Create a service-linked role

If no service-linked roles are created for WAF, you must create a service-linked role before you can use the log subscription feature of the API security module. Then, WAF can assume the role to access other cloud resources. For more information, see Service-linked roles. If the role already exists, skip this step.

Configure log subscription settings

  1. Log on to the Simple Log Service console and create a project and a Logstore to which you want to deliver logs. Perform this step before you configure log subscription settings. If the project and Logstore already exist and meet the naming requirements, skip this step.

    Note

    When you select a Logstore to which you want to deliver logs, you cannot select the Logstores that are automatically created by Simple Log Service or the Logstores named waf-logstore, wafng-logstore, and wafnew-logstore.

  2. Log on to the WAF console and go to the Log Subscription tab. On this tab, you can configure log subscription settings for AssetInformation, riskInformation, and Attack EventInformation. If you want to query and analyze logs that are delivered to the Logstore in the Simple Log Service console, enable indexing for the Logstore. For more information, see Create indexes.

  3. Select the log type for which you want to configure log subscription settings and click Configure in the related section.

  4. In the dialog box that appears, select the region of the Logstore to which logs are delivered, the project to which the Logstore belongs, and the Logstore. Then, click OK. When trigger conditions are met and logs are generated, the log subscription task delivers the logs to Simple Log Service. Then, you can go to the Simple Log Service console and access the selected Logstore to query and analyze the logs. You can also use the data transformation feature of Simple Log Service to mask log data. For more information, see Overview of data transformation (new version).

  5. If you want to disable the log subscription task, turn off Status on the Log Subscription tab. If you no longer require delivered logs after you disable the task and you want to prevent fees generated by log storage, delete the selected Logstore in the Simple Log Service console. For more information, see How do I deactivate Simple Log Service or stop being billed for Simple Log Service?

The following sections describe the trigger conditions of a log subscription task and the details of log fields.

Important
  • You are charged additional fees for the project, Logstore, and indexes that you create in the Simple Log Service console. The fees are included in the bills of Simple Log Service. For more information about the billable items and pricing of Simple Log Service, see Billing overview of Simple Log Service.

  • After you create the project and Logstore, you are charged even if your log subscription task is disabled. Therefore, if you confirm that the Logstore is no longer required, delete the Logstore at the earliest opportunity. For more information, see Why am I charged even if I only create projects and Logstores?

Logs of the AssetInformation type

Trigger conditions of the log subscription task:

  1. If new API assets are detected, logs of the AssetInformation type are immediately delivered.

  2. If no new API assets are detected, logs of the AssetInformation type are delivered at 1-hour intervals.

Fields in the logs of the AssetInformation type

| Field | Description | Type | Example |
| --- | --- | --- | --- |
| user_id | The user ID. | string | 123456 |
| service_host | The domain name. | string | api.aliyun.com |
| api_format | The API path. | string | /api/v1/getuserbyid/${param} |
| request_method | The request method. | string | GET |
| api_tag | The business purpose. | object [] | ['QueryInfo'] |
| api_type | The service object. | object [] | ['PublicAPI'] |
| auth_key | The authentication field. | object [] | ['id_token', 'access_token'] |
| api_status | The lifecycle. | string | NewbornInterface |
| api_sensitive_level | The sensitivity level of the API. | string | L1 |
| api_sensitive_req | The sensitive data type in the request. | object [] | ['1014', '1017', '1002'] |
| api_sensitive_res | The sensitive data type in the response. | object [] | ['1009', '1013', '1003', '1014', '1002'] |
| farthest_ts | The first detection time. | long | 1713237135 |
| lastest_ts | The last active time. | long | 1716452318 |
| abnormal_num | The number of risks. | integer | 1 |
| event_num | The number of events. | integer | 2 |
| struct_baseline | The parameter structure. | object | ['{"key":"Trace-Id","location":"request_header","format":"string","required":"true"}', '{"key":"pageNum","location":"request_query","format":"integer","required":"true"}', '{"key":"tlogTraceId","location":"response_header","format":"integer","required":"true"}', '{"key":"Strict-Transport-Security","location":"request_header","format":"string","required":"true"}', '{"key":"X-Forwarded-ClientSrcPort","location":"request_header","format":"integer","required":"true"}', '{"key":"Trace-State","location":"request_header","format":"string","required":"true"}', '{"key":"auth","location":"request_header","format":"string","required":"true"}', '{"key":"Access-Control-Max-Age","location":"response_header","format":"integer","required":"true"}', '{"key":"Enterprise-Hash","location":"request_header","format":"string","required":"true"}', '{"key":"X-Request-ID","location":"request_header","format":"string","required":"true"}', '{"key":"postName","location":"request_query","format":"string","required":"true"}', '{"key":"pageSize","location":"request_query","format":"integer","required":"true"}'] |
| matched_hosts | The protected object. | object [] | ['*.aliyun.com-waf'] |
| hosts | The domain name. | object [] | ['api.aliyun.com'] |
| server_port | The port. | object [] | ['443'] |
| server_location | The country where the origin server is located. | object [] | ['CN'] |
| api_id | The unique ID of the API. | string | af418cb31036015fddea71b48d06aa4b |
| log_type | The log type. | string | asset |
| request_header | The request header. | JSON | {"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"} |
| querystring | The request URL parameters. | string | ?token=7464f593205896e23b1286ba7532dcff |
| request_body | The request body. | string | xxx=1 |
| response_header | The response header. | JSON | {"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"} |
| response_body | The response body. | string | xxxx |
| example_timestamp | The timestamp of the sample. | long | 1718546694 |
| example_traceid | The trace ID of the sample. | string | 784e2ca717213678365778292e58de |

Logs of the riskInformation type

Trigger conditions of the log subscription task: If new API risks are detected, logs of the riskInformation type are delivered to the Logstore that you specify.

Fields in the logs of the riskInformation type

| Field | Description | Type | Example |
| --- | --- | --- | --- |
| user_id | The user ID. | string | 123456 |
| service_host | The domain name. | string | api.aliyun.com |
| api_format | The API path. | string | /api/v1/login |
| request_method | The request method. | string | POST |
| api_tag | The business purpose. | object [] | ['LoginAPI'] |
| abnormal_tag | The risk name. | string | Risk_DefaultPasswd |
| abnormal_type | The risk type, which can be custom or built-in. | string | default |
| abnormal_level | The risk level. | string | medium |
| abnormal_discover_ts | The time when the risk was detected. | long | 1716343432 |
| abnormal_info | The risk information. | object | {'default_passwd':'aliyun123'} |
| api_id | The unique ID of the API. | string | 2c0f97e10b586208039e60671150bd9b |
| abnormal_id | The unique ID of the risk. | string | 8cfccc0e8c3d41aa1221e94a2fdeffe3 |
| log_type | The log type. | string | risk |
| matched_hosts | The protected object. | object [] | ['*.aliyun.com-waf'] |
| request_header | The request header. | JSON | {"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"} |
| querystring | The request URL parameters. | string | ?token=7464f593205896e23b1286ba7532dcff |
| request_body | The request body. | string | xxx=1 |
| response_header | The response header. | JSON | {"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"} |
| response_body | The response body. | string | xxxx |
| example_timestamp | The timestamp of the sample. | long | 1718546694 |
| example_traceid | The trace ID of the sample. | string | 784e2ca717213678365778****58de |

Logs of the Attack EventInformation type

Trigger conditions of the log subscription task:

  1. If new attack events are detected, logs of the Attack EventInformation type are delivered to the Logstore that you specify.

  2. If an attack continues, logs of the Attack EventInformation type are continuously delivered to the Logstore that you specify at 10-minute intervals.

Fields in the logs of the Attack EventInformation type

| Field | Description | Type | Example |
| --- | --- | --- | --- |
| user_id | The user ID. | string | 123456 |
| service_host | The domain name. | string | api.aliyun.com |
| matched_host | The protected object. | string | api.aliyun.com-waf |
| host | The domain name. | string | api.aliyun.com |
| api_format | The API path. | string | /api/admin/login |
| request_method | The request method. | string | POST |
| api_tag | The business purpose. | object [] | ['AdminService', 'LoginService'] |
| event_tag | The event name. | string | Event_LoginCollision |
| event_origin | The event type, which can be custom or built-in. | string | default |
| event_level | The event level. | string | high |
| start_ts | The start time of the attack. | long | 1713886210 |
| end_ts | The end time of the attack. | long | 1713887817 |
| attack_cnt | The total number of attacks. | integer | 147 |
| attack_ip_info | The IP address information about the attack. | object [] | ["{'ip':'103.44.XX.XXX', 'country_id':'HK', 'region_id':'-', 'cnt':'147'}"] |
| api_id | The unique ID of the API. | string | 4dfc73b37d2d645fe2ca7f45c08f7398 |
| event_id | The event ID. | string | f09f6802e9b57a58ebb9f1bea212027e |
| log_type | The log type. | string | event |
| request_data | The sample request data. | JSON | {'1002':['Alice','Tony','Tom'],'1004':['13200000001','15200000002']} |
| response_data | The sample response data. | JSON | {'postarg.userId':['Alice','Tony'],'postarg.corpId':['wx1111111'],'postarg.externalUserid':['wm7_KpDgOm6Bm-BGA']} |

Values of log subscription fields

The following tables list the values that the fields in the delivered logs can take, for use when you query and analyze the logs. The Description column in each table gives the display name of the value as it appears in the WAF console.

Lifecycle (values of the api_status field)

| Value | Description |
| --- | --- |
| NewbornInterface | New |
| OfflineInterface | Deactivated |
| normal | Normal |

Service object (values of the api_type field)

| Value | Description |
| --- | --- |
| PublicAPI | Public Service |
| ThirdpartAPI | Cooperation with Third-party Partner |
| InternalAPI | Internal Office |

Business purpose (values of the api_tag field)

| Value | Description |
| --- | --- |
| LoginByUserPasswd | Account Password-based Logon |
| LoginByPhoneCode | Mobile Verification Code-based Logon |
| LoginByMailCode | Email Verification Code-based Logon |
| WeChatLogin | WeChat Logon |
| AliPayLogin | Alipay Logon |
| OAuthLogin | OAuth Authentication |
| OIDCLogin | OIDC Authentication |
| SAMLLogin | SAML Authentication |
| SSOLogin | SSO Authentication |
| LoginAPI | Logon |
| LogoutAPI | Logoff |
| RegisterByUserPasswd | Account Password-based Registration |
| RegisterByPhoneCode | Mobile Verification Code-based Registration |
| RegisterByMailCode | Email Verification Code-based Registration |
| WeChatRegister | WeChat Registration |
| AliPayRegister | Alipay Registration |
| RegisterAPI | Registration Service |
| SendSMS | Short Message Sending |
| SendMail | Mail Sending |
| ResetPasswd | Password Reset |
| CheckVerifyCode | Verification Code Verification |
| CheckStatus | Status Check |
| QueryOrder | Order Query |
| ExportOrder | Order Export |
| UpdateOrder | Order Update |
| PayOrder | Order Payment |
| QueryLog | Log Query |
| UploadLog | Log Reporting |
| DownloadLog | Log Export |
| LogService | Log Service |
| GraphQL | GraphQL |
| SqlService | SQL Service |
| FileUpload | File Upload |
| FileDownload | File Download |
| FileService | File Service |
| AdminService | Background Management |
| DashBoard | Dashboard |
| MonitorService | Monitoring Service |
| SendInfo | Information Sending |
| CheckInfo | Data Check |
| QueryInfo | Data Query |
| UploadInfo | Data Upload |
| DownloadInfo | Data Download |
| AddInfo | Data Addition |
| EditInfo | Data Modification |
| UpdateInfo | Data Update |
| ShareInfo | Data Sharing |
| DeleteInfo | Data Deletion |
| SyncInfo | Data Synchronization |
| SubmitInfo | Data Submission |
| CopyInfo | Data Copy |
| AuditInfo | Data Auditing |
| SaveInfo | Data Saving |
| CancelOp | Cancel |
| StartOp | Start |
| BatchOp | Batch Processing |
| PauseOp | Suspension |
| BindOp | Add |
| DebugOp | Debugging |
| SetOp | Settings |
| ShutDown | Disable |

Sensitive data types in requests and responses (values of the api_sensitive_req and api_sensitive_res fields)

| Value | Description |
| --- | --- |
| 1000 | ID Card Number (Chinese Mainland) |
| 1001 | Debit Card |
| 1002 | Full Name (Simplified Chinese) |
| 1003 | Address (Chinese Mainland) |
| 1004 | Mobile Number (Chinese Mainland) |
| 1005 | Email Address |
| 1006 | Passport Number (Chinese Mainland) |
| 1007 | Mainland Travel Permit for Hong Kong and Macao Residents |
| 1008 | License Plate Number (Chinese Mainland) |
| 1009 | Phone Number (Chinese Mainland) |
| 1010 | Military Officer Card |
| 1011 | Gender |
| 1012 | Ethnic Group |
| 1013 | Province (Chinese Mainland) |
| 1014 | City (Chinese Mainland) |
| 1015 | ID Card Number (Hong Kong, China) |
| 1016 | Full Name (Traditional Chinese) |
| 1017 | Full Name (English) |
| 1018 | ID Card Number (Malaysia) |
| 1019 | ID Card Number (Singapore) |
| 1020 | Lending Bank Card |
| 1022 | SWIFT Code |
| 1023 | SSN |
| 1024 | Telephone Number (United States) |
| 1025 | Religious Belief |
| 2000 | IP Address |
| 2001 | MAC Address |
| 2002 | JDBC Connection String |
| 2003 | PEM Certificate |
| 2004 | Private Key |
| 2005 | AccessKey ID |
| 2006 | AccessKey Secret |
| 2007 | IPv6 Address |
| 2009 | Date |
| 2010 | IMEI |
| 2011 | MEID |
| 2013 | Linux Password File |
| 2014 | Linux Shadow File |
| 2015 | URL |
| 4000 | Business License Number |
| 4001 | Tax Registration Certificate Number |
| 4002 | Organization Code |
| 4003 | Unified Social Credit Code |
| 4004 | Vehicle Identification Number |

Risk types (values of the risk field)

| Value | Description |
| --- | --- |
| RiskType_Specification | Security and Specifications |
| Risk_UnsafeHttpMethod | Insecure HTTP Methods |
| Risk_WeakSignAlgorithm | JWT Weak Signature Algorithm |
| Risk_UrlParam | Parameter as URL |
| RiskType_Account | Account Security |
| Risk_PasswdUnencrypt | Password Plaintext Transmission |
| Risk_WeakPasswd | Weak Password Tolerance |
| Risk_InternalWeakPasswd | Weak Password Vulnerability in Internal Application |
| Risk_DefaultPasswd | Presence of Default Passwords |
| Risk_PasswdResponse | Return of Plaintext Password |
| Risk_PasswdCookie | Password Storage in Cookies |
| Risk_LoginRestrict | Unrestricted Logon |
| Risk_LoginPrompt | Unreasonable Logon Failure Prompt |
| Risk_PasswdUrl | URL-based Account Password Transmission |
| RiskType_Control | Access Control |
| Risk_InternalAPI | Internal Application Accessible from the Internet |
| Risk_SourceRestrict | Unrestricted Access Sources |
| Risk_ClientRestrict | Unrestricted Access Tools |
| Risk_SpeedRestrict | Unrestricted Access Rate |
| RiskType_Permission | Permission Management |
| Risk_WeakToken | Weak Authentication Credential |
| Risk_UnauthSensitive | Unauthenticated Access to Sensitive API |
| Risk_UnauthInternalAPI | Unauthorized Access to Internal API |
| Risk_TokenUrl | URL-based Credential Transmission |
| Risk_AkLeak | AccessKey Pair Information Leak |
| RiskType_Sensitive | Data Protection |
| Risk_SensitiveTypeExcessive | Excessive Types of Sensitive Data in Response |
| Risk_SensitiveNumExcessive | Excessive Sensitive Data in Response |
| Risk_InvalidDesensitize | Inadequate Data De-identification |
| Risk_ServerInfoLeak | Leak of Sensitive Server Information |
| Risk_InternalIPLeak | Internal IP Address Leak |
| Risk_SensitiveURL | URL-based Sensitive Data Transmission |
| RiskType_Design | API Design |
| Risk_ParamTraverse | Request Parameter Traversability |
| Risk_PageSize | Modifiable Volume of Returned Data |
| Risk_SqlAPI | Database Query |
| Risk_RceAPI | Command Execution API |
| Risk_SmsContent | Arbitrary Short Message Sending |
| Risk_MailContent | Arbitrary Email Content Sending |
| Risk_SmsVerifyCodeLeak | Leak of Short Message Verification Code |
| Risk_MailVerifyCodeLeak | Email Verification Code Leak |
| Risk_FileDownload | Specified File Download |
| Risk_ExceptionLeak | Application Exception Information Leak |
| Risk_ExceptionSql | Database Exception Information Leak |

Event types (values of the event field)

| Value | Description |
| --- | --- |
| Event_AbnormalFrequency | Abnormal High-frequency Access |
| Event_ExceptionIPInvoke | Access to Internal API from Unusual IP Address |
| Event_ExceptionRegionInvoke | Access to Internal API from Unusual Location |
| Event_ExceptionClientInvoke | Access using Anomalous Tools |
| Event_ExceptionTimeInvoke | Access During Unusual Time Period |
| Event_AbnormalParamValue | Access using Abnormal Parameter Values |
| Event_InternalLoginWeakPasswd | Weak Password-based Logon to Internal Application |
| Event_LoginAccountBruteForce | Brute-force Attack Against Username |
| Event_LoginPasswdBruteForce | Brute-force Attack Against Password |
| Event_LoginCollision | Dictionary Attack |
| Event_MobileVerifyBruteForce | Brute-force Attack Against Short Message Verification Code |
| Event_MailVerifyBruteForce | Brute-force Attack Against Email Verification Code |
| Event_AbnormalRegister | Batch Registration |
| Event_SMSInterfaceAbuse | Malicious Consumption of Short Message Resources |
| Event_EmailInterfaceAbuse | Malicious Consumption of Email Resources |
| Event_AbnormalExport | Batch Download |
| Event_DataTraverse | Data Crawling |
| Event_WebAttackAPI | API Attack |
| Event_ObtainSensitiveUnauthorized | Unauthorized Access to Sensitive Data |
| Event_ObtainSensitiveExcessive | Mass Sensitive Data Access |
| Event_CrossborderIPSensitiveExcessive | Mass Sensitive Data Access by IP Addresses Outside China |
| Event_ExceptionResponse | Return of Error Message |
| Event_ExceptionSql | Return of Database Error Message |
| Event_SystemInfoResponse | Return of Sensitive System Information |
| Event_AbnormalStatus | Abnormal Response |
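The following script is an added example for consumers of the delivered logs and is not part of the Alibaba Cloud documentation or product. It shows how the field and value tables above are used in practice: struct_baseline is decoded (each element is itself a JSON string), api_sensitive_res codes are mapped to the display names from the sensitive data type table, an auth_key name that also appears in querystring is flagged (the condition behind Risk_TokenUrl), and an Attack EventInformation record's attack_ip_info is turned into per-source request rates. It assumes records are already parsed into Python dicts keyed by the field names above; the sample records are constructed from the examples in the tables, not real log output.

```python
"""Triage helpers for API security logs delivered to Simple Log Service (added example)."""
import ast
import json

# Subset of the sensitive data type table on this page: code -> display name.
SENSITIVE_TYPES = {"1002": "Full Name (Simplified Chinese)", "1003": "Address (Chinese Mainland)",
                   "1009": "Phone Number (Chinese Mainland)", "1014": "City (Chinese Mainland)"}
CREDENTIAL_CODES = {"2003", "2004", "2005", "2006"}  # certificate, private key, AccessKey ID/Secret

def parse_struct_baseline(entries):
    """Each struct_baseline element is itself a JSON string; decode them to dicts."""
    return [json.loads(e) for e in entries]

def required_query_params(log):
    """Names of required request_query parameters recorded in struct_baseline."""
    return sorted(p["key"] for p in parse_struct_baseline(log.get("struct_baseline", []))
                  if p["location"] == "request_query" and p["required"] == "true")

def triage_asset(log):
    """Findings for one AssetInformation record (log_type == 'asset')."""
    findings = []
    res_codes = set(log.get("api_sensitive_res", []))
    if res_codes and not log.get("auth_key"):
        names = sorted(SENSITIVE_TYPES.get(c, "code " + c) for c in res_codes)
        findings.append("sensitive response data with no authentication field: " + ", ".join(names))
    if res_codes & CREDENTIAL_CODES:
        findings.append("credential material in response")
    # Authentication field names that also travel as URL query parameters (cf. Risk_TokenUrl).
    query_keys = {kv.split("=", 1)[0] for kv in log.get("querystring", "").lstrip("?").split("&") if kv}
    exposed = sorted(query_keys & set(log.get("auth_key", [])))
    if exposed:
        findings.append("authentication field sent in URL query: " + ", ".join(exposed))
    return findings

def summarize_event(log):
    """Requests per minute per source IP for one Attack EventInformation record."""
    duration = max(log["end_ts"] - log["start_ts"], 1)
    sources = [ast.literal_eval(s) for s in log["attack_ip_info"]]  # entries are single-quoted dicts
    return {s["ip"]: round(int(s["cnt"]) * 60 / duration, 2) for s in sources}

# Constructed sample records modelled on the field tables above (not real log output).
SAMPLE_ASSET = {
    "log_type": "asset", "api_format": "/api/v1/getuserbyid/${param}", "auth_key": [],
    "api_sensitive_res": ["1009", "1003", "1014", "1002"], "querystring": "?pageNum=1&pageSize=20",
    "struct_baseline": ['{"key":"pageNum","location":"request_query","format":"integer","required":"true"}',
                        '{"key":"postName","location":"request_query","format":"string","required":"false"}'],
}
SAMPLE_EVENT = {"log_type": "event", "start_ts": 1713886210, "end_ts": 1713887817, "attack_cnt": 147,
                "attack_ip_info": ["{'ip':'103.44.XX.XXX', 'country_id':'HK', 'region_id':'-', 'cnt':'147'}"]}
```

Running triage_asset(SAMPLE_ASSET) reports the unauthenticated sensitive response, and summarize_event(SAMPLE_EVENT) yields about 5.49 requests per minute from the single source over the 1607-second window.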

9. Applicable Object Configurations

The API security module provides the following switches for protected objects and protected object groups:

  • Switch: specifies whether to enable all built-in and custom policies.

  • Compliance Check: specifies whether to enable the compliance check feature. You can turn on this switch only when Switch is turned on.

  • Tracing and Auditing: specifies whether to enable the tracing and auditing feature. You can turn on this switch only when Switch is turned on.

After you add a domain name or an instance to WAF, you can configure the switches. The default settings of the switches vary based on the billing method.

  • By default, if you use the subscription billing method, Switch is turned on, and Compliance Check and Tracing and Auditing are turned off.

  • By default, if you use the pay-as-you-go billing method, Switch is turned off.

You can go to the Policy Configurations > Applicable Object Configurations page to turn on or turn off Switch, Compliance Check, and Tracing and Auditing.