All Products
Search
Document Center

Web Application Firewall:API security

Last Updated:Oct 29, 2024

The API security module is an independent module of Web Application Firewall (WAF) and must be separately purchased. The API security module automatically sorts the API assets of services that are protected by WAF and detects API risks based on a built-in detection mechanism and custom detection policies. The risks include unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module allows you to view API exception events in reports, check the compliance of cross-border data transfer, and trace sensitive data leaks. The module also provides suggestions for handling detected risks and references for API lifecycle management. You can identify and manage all API assets that are required by your services and improve API security throughout the entire data flow. This topic describes how to configure the API security module.

Introduction

In the digital economy era, enterprises face a rapidly changing environment that demands quick response to external changes. To enhance efficiency, enterprises must share data with third parties. The use of APIs to facilitate communication between systems is an important means for internal and external system integration within enterprises. An increasing number of enterprises are opening up their capabilities and resources by using API platforms to build industrial ecosystems. This way, partners can leverage freely available and high-quality resources for rapid integration and innovation, which helps promote the birth of the API economy and generate more value from data exchanges. An important task of enterprises is to provide a large number of API services and value-added data services. However, with the rapid development of APIs, risks are also increasing. Unauthorized access to APIs by attackers, configuration errors, and illegitimate API access requests can lead to sensitive data leaks. To mitigate the risks, WAF monitors APIs and visualizes traffic to automatically identify and categorize API assets, and establishes models for legitimate access requests. This enables prompt identification and response to abnormal API access and ensures a handling loop.

Core benefits

The API security module can automatically identify APIs and detect API risks and attacks to meet your core requirements.

  • Detects all APIs that are required by your business. The API security module supports custom detection policies to help your security team configure comprehensive security protection for all APIs.

  • Detects API risks, such as unauthorized access, weak passwords, and API designs that do not comply with security conventions.

  • Detects API attacks, such as sensitive data thefts, API data crawling, brute-force attacks, dictionary attacks, and message flooding. This allows you to handle attacks and avoid business loss at the earliest opportunity.

Check the API security status

Before you enable the API security module, you can use basic detection to obtain security information about your APIs, including Security Event Overview, Total API Assets, and Security Events. By default, the basic detection module is enabled for subscription WAF 3.0 instances free of charge. The basic detection module analyzes WAF logs offline and displays API asset statistics, abnormal event statistics, and the latest 10 abnormal API calls.

If you do not want to obtain basic detection data, you can skip this operation.

Note
  • The basic detection module is unavailable for pay-as-you-go WAF 3.0 instances.

  • The display of the basic detection data and detection results may have latency. The detection capabilities of the basic detection module are not as strong as those of the API security module. As a result, the information obtained from the two modules may differ. The detection results of the API security module are more accurate.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > API Security.

  3. In the Basic Detection section, view basic detection data.

    • Security Event Overview: displays the total number of API security events, and the numbers of high-risk, medium-risk, and low-risk API security events.

    • API Asset Overview: displays the total number of API assets, the number of active APIs, and the number of deactivated APIs.

    • Security Events: displays the names, API paths, domain names, attack sources, and occurrence time of security events.

    The basic detection module does not provide detailed data. If you want to view the number of APIs that transfer sensitive data or view risk details and risk handling suggestions for security events, you can enable the API security module. For more information, see Enable the API security module.

Feature description

The API security module automatically sorts the APIs of services that are protected by WAF and detects API security risks based on a built-in detection mechanism and custom detection policies. The module allows you to monitor cross-border transfers of sensitive data and trace sensitive data leaks. This can help you configure comprehensive management and security protection policies for your APIs. In addition to the statistics on the Overview tab, the API security module provides information on asset management, risks and events, compliance check and tracing and auditing, and policy configurations.

  • The asset management feature supports the query, statistics, and management of asset information.

  • The risks and events feature supports data query and statistics on risk detection, security events, and overall data.

  • If you want to transfer data to regions outside the Chinese mainland, you must apply to the national cyberspace administration through the local provincial cyberspace administration to arrange for a security assessment of the cross-border data transfer. You can use the compliance check and tracing and auditing features of the API security module to check and trace cross-border data transfer. The features are supported only in the Chinese mainland.

  • The policy configurations feature allows you to configure policies for risk detection, security events, sensitive data, authentication credentials, business purposes, lifecycle management, applicable objects, and log subscription. You can enable or disable the policies based on your business requirements. The feature supports built-in policies. You can also configure custom policies.

The following table describes the tabs on the API Security page and the features of the API Security module.

Tab

Feature

Description

Overview

-

This tab displays API asset trends, risk trends, risky site statistics, attack trends, statistics on attacked sites, statistics on sensitive data types in requests, and statistics on sensitive data types in responses.

Asset Management

Asset management

This feature analyzes access logs offline to automatically detect APIs and identify the reasons why APIs are called based on API characteristics.

Risk Detection

Risks and events

This feature detects various security risks, such as unauthorized access and sensitive data leaks, and provides risk analysis results and suggestions on how to handle the security risks.

Security Events

Risks and events

This feature monitors and analyzes API calls to quickly detect abnormal requests and attacks.

Compliance Check

Compliance check and tracing and auditing

The compliance check feature identifies risks that are associated with cross-border data transfer operations based on the Measures for the Security Assessment of Outbound Data Transfer. The API security module checks the compliance of transfer operations in the following scenarios:

  • A critical information infrastructure operator or data processor that has processed the personal information of more than one million people provides personal information outside the Chinese mainland.

  • A data processor that has provided the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people in total since January 1 of the previous year provides personal information outside the Chinese mainland.

Tracing and Auditing

Compliance check and tracing and auditing

The tracing and auditing feature performs cross-validation on security events by using logs and sensitive data samples when sensitive data security events occur.

Policy Configurations

Policy configurations

This feature supports built-in detection policies and allows you to configure custom detection policies. This increases the detection accuracy and recall rate of the API security module. You can also enable other features of the API security module for specific protected objects.

Enable the API security module

Preparations

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

Note

The API security module is unavailable for protected objects that are added after you add Microservices Engine (MSE) instances or Function Compute-related domain names to WAF.

Procedure

Important
  • Data computing and analysis are performed offline. The API security module does not actively detect APIs and does not affect your workloads.

  • The API security module detects responses that have specific characteristics and determines whether data leaks occurred. After you enable the API security module, WAF is authorized to analyze the responses. Enable the API security module based on your business requirements.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > API Security.

  3. Enable the API security module.

    • Apply for a free trial of the API security module

      Note
      • You can apply for a free trial of the API security module only if you use a WAF Pro, Enterprise, or Ultimate instance. Each Alibaba Cloud account can apply for the free trial only once.

      • The free trial is valid for seven days. The security analysis results that are generated during the trial period are available only during the trial period. If you want to retain the security analysis results, enable the API security module before the trial period ends.

      On the API Security page, click Try Now. On the page that appears, fill out the application and click Submit.

      After Alibaba Cloud engineers receive your trial application, they will contact you within one week based on the contact information that you submit to confirm information that is related to your application. After your trial application is approved, the API security module is automatically enabled for your WAF instance.

    • Enable the API security module

      1. On the API Security page, click Enable Now.

      2. In the Enable Now panel, set the API Security parameter to Enable, click Buy Now, and then complete the payment.

View API security data

On the Overview tab of the API Security page, you can view the following information: API Asset Trend, Risk Trend, Risky Site Statistics, Attack Trend, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types. The default statistical period is 30 days.

截屏2024-05-09 18

Supported query and filter operations

  • In the API Asset Trend, Risk Trend, and Attack Trend sections, you can click a legend item such as Total API Assets and Active APIs below a chart to filter data and view the data that you are interested in.

  • In the Risky Site Statistics, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types sections, you can sort data in ascending or descending order.

  • To view more information about risk detection, you can click More in the upper-right corner of the Risky Site Statistics section to go to the related tab. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.

  • To view more information about security events, you can click More in the upper-right corner of the Statistics on Attacked Sites section to go to the related tab. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.

  • To view more information about asset management, you can click More in the upper-right corner of the Statistics on Request Sensitive Data Types or Statistics on Response Sensitive Data Types section. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.

FAQ

You can use CloudMonitor to configure monitoring and alerting for API security events. This allows WAF to send alert notifications to you when high-risk events are detected and helps you monitor the status of your API assets. For more information, see Configure CloudMonitor notifications.

  • What are the purposes of API calls that are classified by the API security module?

    The API security module classifies APIs by purpose to help you identify the APIs of different features, such as the logon APIs, registration APIs, and text message sending APIs. This allows you to manage APIs by purpose and provides support for the detection of security risks and events in different scenarios. For example, if you want to detect the risk of brute-force attacks on accounts, you must identify logon APIs. The API security module also allows you to specify a custom purpose for an API and select multiple purposes to display related APIs. The purpose of an API is identified by matching the characteristics of the API path and the parameter names that are used in the API calls. The following table describes the built-in purposes supported by the API security module.

    Purpose

    Account Password-based Logon

    Mobile Verification Code-based Logon

    Email Verification Code-based Logon

    WeChat Logon

    Alipay Logon

    OAuth Authentication

    OIDC Authentication

    SAML Authentication

    SSO Authentication

    Logon

    Logoff

    Account Password-based Registration

    Mobile Verification Code-based Registration

    Email Verification Code-based Registration

    WeChat Registration

    Alipay Registration

    Registration Service

    Short Message Sending

    Mail Sending

    Password Reset

    Verification Code Verification

    Status Check

    Order Query

    Order Export

    Order Update

    Order Payment

    Log Query

    Log Reporting

    Log Export

    Log Service

    GraphQL

    SQL Service

    File Upload

    File Download

    File Service

    Background Management

    Dashboard

    Monitoring Service

    Information Sending

    Data Check

    Data Query

    Data Upload

    Data Download

    Data Addition

    Data Modification

    Data Update

    Data Sharing

    Data Deletion

    Data Synchronization

    Data Submission

    Data Copy

    Data Auditing

    Data Saving

    Cancel

    Start

    Batch Processing

    Suspension

    Add

    Debugging

    Settings

    Close

  • What are the objects for which APIs are called to provide services?

    The API security module allows you to view APIs by service object. For example, you can distinguish whether an API is intended for an internal-facing service or an external-facing service. Service objects are identified based on the naming conventions of APIs and the analysis of access source concentration. APIs are called to provide services for the following service objects:

    • Internal Office: The API is called to provide services to internal employees.

    • Cooperation with Third-party Partner: The API is called to provide services to third-party ecosystem partners.

    • Public Service: The API is called to provide Internet-facing services.

  • What types of sensitive data can be detected by the API security module?

    The detection model detects different types of sensitive data from the request and response content of an API call. The data sensitivity can be classified into the following levels in ascending order: S1, S2, S3, and S4. The sensitivity levels are in compliance with the practices of Data Security Center (DSC).

    The following table describes the sensitive data types, sensitivity levels, and data categories.

    Sensitive data type

    Sensitivity level

    Category

    ID card number (Chinese mainland)

    S3

    Personal information and personal sensitive information

    Debit card number

    S3

    Personal information and personal sensitive information

    Name in simplified Chinese

    S2

    Personal information

    Address (Chinese mainland)

    S2

    Personal information

    Mobile phone number (Chinese mainland)

    S2

    Personal information

    Email address

    S2

    Personal information

    Passport number (Chinese mainland)

    S3

    Personal information and personal sensitive information

    Permit number of the exit-entry permit for travelling to and from Hong Kong and Macao

    S3

    Personal information and personal sensitive information

    License plate number (Chinese mainland)

    S2

    Personal information

    Phone number (Chinese mainland)

    S2

    Personal information

    Military officer card ID

    S3

    Personal information and personal sensitive information

    Gender

    S2

    Personal information

    Ethnicity

    S2

    Personal information

    Province (Chinese mainland)

    S1

    /

    City (Chinese mainland)

    S1

    /

    ID card number (Hong Kong, China)

    S3

    Personal information and personal sensitive information

    Name in traditional Chinese

    S2

    Personal information

    Name in English

    S2

    Personal information

    ID card number (Malaysia)

    S3

    Personal information and personal sensitive information

    ID card number (Singapore)

    S3

    Personal information and personal sensitive information

    Credit card number Loan bank card

    S3

    Personal information and personal sensitive information

    SwiftCode SWIFT Code

    S1

    /

    SSN

    S3

    Personal information and personal sensitive information

    Telephone number (the United States)

    S2

    Personal information

    Religion

    S3

    Personal information and personal sensitive information

    IP address

    S2

    Personal information

    MAC address

    S2

    Personal information

    Java Database Connectivity (JDBC) connection string

    S3

    Personal information and personal sensitive information

    Privacy Enhanced Mail (PEM) certificate

    S2

    Personal information and personal sensitive information

    Private key

    S3

    Personal information and personal sensitive information

    AccessKey ID

    S3

    Personal information and personal sensitive information

    AccessKey Secret

    S3

    Personal information and personal sensitive information

    IPv6 address

    S2

    Personal information

    Date

    S1

    /

    IMEI

    S2

    Personal information

    MEID

    S2

    Personal information

    Linux-Passwd file

    S3

    /

    Linux-Shadow file

    S3

    /

    URL

    S1

    /

    Business license number

    S1

    /

    Tax registration certificate number

    S1

    /

    Organization code

    S1

    /

    Unified social credit code

    S1

    /

    Vehicle identification number

    S2

    /

  • What are the sensitivity levels of the API security module?

    The sensitivity levels of APIs are classified into high sensitivity, moderate sensitivity, low sensitivity, and non-sensitive. The following list describes the rules for classifying API sensitivity levels.

    • High sensitivity: The response of an API contains data types of the S3 level or higher, or more than 20 sensitive data entries of the S2-level data types are returned at the same time.

    • Moderate sensitivity: The response of an API contains data types of the S2 level.

    • Low sensitivity: The response of an API contains data types of the S1 level.

    • Non-sensitive: The response of an API does not contain sensitive data.

  • What types of API risks can be detected by the API security module?

    Category

    Risk type

    Risk level

    Risk description

    Suggestion

    Security and Specifications

    Insecure HTTP Methods

    Low

    The API risk detection model detects that the API uses insecure HTTP methods. Attackers may use such methods to detect server information or directly manipulate server data. For example, attackers may use the PUT method to upload malicious files and use the DELETE method to delete server resources.

    We recommend that you transform the API based on your business requirements and disable insecure HTTP methods such as PUT, DELETE, TRACE, and OPTIONS.

    JWT Weak Signature Algorithm

    Low

    The API risk detection model detects that the API uses a weak signature algorithm for a JSON Web Token (JWT).

    We recommend that you use a secure signature algorithm such as RS256 to ensure the key strength and security of keys during transmission and storage.

    Parameter as URL

    Low

    The API risk detection model detects that a request parameter of the API is set to a URL link. Attacks such as server-side request forgery (SSRF) attacks may occur.

    We recommend that you transform the API based on your business requirements to prevent the direct use of user-controlled URLs in parameters. You must strictly limit the parameter content and filter out invalid characters.

    Account Security

    Password Plaintext Transmission

    Low

    The API risk detection model detects that account passwords are sent in plaintext. Attackers can use eavesdropping and similar tactics to intercept and steal user credentials during transmission. This can result in account theft.

    We recommend that you encrypt or hash the password field before transmission to prevent interception and theft from attackers.

    Weak Password Tolerance

    Low

    The API risk detection model detects that the logon API has weak passwords. Attackers may perform brute-force attacks to steal accounts.

    We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 of the following types of characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users who have weak passwords to change their passwords at the earliest opportunity.

    Weak Password Vulnerability in Internal Application

    High

    The API risk detection model detects that weak passwords are used in the logon API for internal applications. Attackers may steal accounts by using brute-force attacks.

    We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 of the following types of characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users who have weak passwords to change their passwords at the earliest opportunity.

    Presence of Default Passwords

    Medium

    The API risk detection model detects that default passwords are used in applications associated with the API. Attackers can use the default passwords to access accounts whose passwords remain unchanged.

    We recommend that you notify users of applications who use default passwords to change the default passwords upon their first logon. For users of existing accounts who still use default passwords, we recommend that you notify the users to change their passwords at the earliest opportunity.

    Return of Plaintext Password

    Low

    The API risk detection model detects that the response of the API contains plaintext passwords. Attackers can use eavesdropping and similar tactics to intercept and steal user credentials during transmission. This can result in account theft.

    We recommend that you transform the API based on your business requirements to prevent the API from returning plaintext password information.

    Password Storage in Cookies

    Low

    The API risk detection model detects that the cookie of the API stores the account password information, which can be easily stolen by attackers.

    We recommend that you transform the API based on your business requirements to prevent important and sensitive information, such as accounts and secrets, from being stored in cookies.

    Unrestricted Logon

    Medium

    The API risk detection model detects that no CAPTCHA mechanism is provided. Attackers can exploit this vulnerability to perform unlimited brute-force attacks on account passwords.

    We recommend that you implement CAPTCHA measures, especially when multiple logon failures occur. You can enable CAPTCHA verification to prevent brute-force attacks.

    Unreasonable Logon Failure Prompt

    Low

    The API risk detection model detects that logon failure messages may reveal information about the existence of accounts. Attackers can exploit the messages to enumerate existing accounts and launch attacks or obtain business-critical data such as user registration quantity.

    We recommend that you configure the system to display a message such as "Invalid username or password" when logon failures occur, instead of messages such as "Username does not exist", which may disclose account registration information.

    URL-based Account Password Transmission

    Medium

    The API risk detection model detects that account passwords are sent in plaintext by using URLs. Unauthorized access to URLs can result in credential leaks. URLs may be exposed in logs, Referers, or browser history data.

    We recommend that you use the POST method to transfer confidential data in the request body.

    Access Control

    Internal Application Accessible from the Internet

    Low

    The API risk detection model detects that the API is used by internal applications and can be accessed over the Internet, and no access restrictions are implemented. Internal applications that are exposed to the Internet may be maliciously exploited or attacked by attackers.

    We recommend that you configure access control policies. For example, you can configure an IP address whitelist to limit access sources.

    Unrestricted Access Sources

    Low

    The API risk detection model detects that some access sources of the API do not meet the baseline requirements. Access source can be IP addresses or regions.

    We recommend that you configure access control policies. For example, you can configure IP address blacklists or IP address whitelists, or region blacklists to limit access sources.

    Unrestricted Access Tools

    Low

    The API risk detection model detects that the clients used to access the API do not meet the baseline requirements.

    We recommend that you configure access control policies to limit access by clients. This helps prevent attackers from using malicious clients to attack the API or crawl data.

    Unrestricted Access Rate

    Low

    The API risk detection model detects that a single IP address is used to access the API at a high frequency. In this case, you can configure access control policies to restrict high-frequency access and prevent unauthorized calls to the API.

    We recommend that you configure access control policies to restrict high-frequency access.

    Permission Management

    Weak Authentication Credential

    Medium

    The API risk detection model detects that the authentication credentials of the API do not have sufficient randomness, and therefore brute-force attacks can easily be performed on the API. This may result in unauthorized or privilege-escalated exploitation of the API.

    We recommend that you enhance the randomness of authentication credentials to prevent credentials that are excessively short in length or have obvious format patterns.

    Unauthenticated Access to Sensitive API

    High

    The API risk detection model detects that the API contains highly sensitive data and the data can be accessed without authorization. This may result in sensitive data leaks.

    We recommend that you add a strict and complete authentication mechanism to prevent unauthorized or privilege-escalated exploitation of the API.

    Unauthorized Access to Internal API

    High

    The API risk detection model detects that the API is used by internal applications and can be accessed without authorization. This may result in unauthorized use of internal applications or internal data leaks.

    We recommend that you add a strict and complete authentication mechanism to prevent unauthorized or privilege-escalated exploitation of the API.

    URL-based Credential Transmission

    Medium

    The API risk detection model detects that authentication credential information is sent by using URLs. Unauthorized access to URLs can result in the risk of authorization misuse. URLs may be exposed in logs, Referers, or browser history data.

    We recommend that you use other methods to pass authentication credentials, such as custom headers, cookies, and bodies.

    AccessKey Pair Information Leak

    High

    The API risk detection model detects that AccessKey IDs and AccessKey secrets are returned, which may be exploited by attackers.

    We recommend that you transform the API based on your business requirements to prevent AccessKey pair information from being returned. The leaked AccessKey pairs must be disabled or deleted.

    Data Protection

    Excessive Types of Sensitive Data in Response

    Medium

    The API risk detection model detects that the response of the API contains an excessively large number of sensitive data types. This may result in the unnecessary exposure of data, which can lead to data leaks.

    We recommend that you confirm the necessity of returning all data types based on your business requirements, mask important sensitive data, and delete unnecessary data types.

    Excessive Sensitive Data in Response

    Medium

    The API risk detection model detects that the response of the API contains sensitive data and the amount of returned data is not limited. This may lead to substantial data leaks.

    We recommend that you limit the amount of data returned at a time based on your business requirements to prevent attackers from using the API to obtain a large amount of sensitive data.

    Inadequate Data De-identification

    Medium

    The API risk detection model detects that the response of the API contains original and masked versions of data at the same time.

    We recommend that you identify risks based on sample data. For masked data, take measures to ensure that the data is not exposed in plaintext.

    Leak of Sensitive Server Information

    High

    The API risk detection model detects that the response of the API contains sensitive information about servers. Attackers may use the sensitive information to attack the servers and obtain control permissions.

    We recommend that you perform troubleshooting based on sample data and check whether data is returned as expected. Do not allow data to be directly returned to the frontend.

    Internal IP Address Leak

    Medium

    The API risk detection model detects that the response of the API may contain internal IP addresses. Attackers may use the IP addresses to attack internal applications.

    We recommend that you transform the API based on your business requirements to prevent leaks of internal network information.

    URL-based Sensitive Data Transmission

    Medium

    The API risk detection model detects that highly sensitive data is sent by using URLs. Unauthorized access to URLs can result in sensitive data leaks. URLs may be exposed in logs, Referers, or browser history data.

    We recommend that you use the POST method to transfer sensitive data in the request body.

    API Design

    Request Parameter Traversability

    Low

    The API risk detection model detects that the format of request parameters is fixed and can be easily constructed. Attackers may exploit this vulnerability to enumerate parameter values and extract data in bulk.

    We recommend that you increase the randomness of parameters based on your business requirements. This helps prevent reliance on simple, predictable values, such as short numeric values, which can be easily compromised.

    Modifiable Volume of Returned Data

    Low

    The API risk detection model detects that a request parameter is used to specify the number of items returned and can be modified to any value. Attackers can exploit this vulnerability to retrieve a large amount of data in a single request.

    We recommend that you implement parameter value limits based on your business requirements and provide only a few optional values. This helps prevent the API from being maliciously exploited to obtain a large amount of data.

    Database Query

    High

    The API risk detection model detects that a request parameter contains query statements. Attackers may exploit the API to execute arbitrary database operations to attack databases or steal important data.

    We recommend that you transform the API based on your business requirements to prevent database query statements from being passed. You must strictly limit the parameter content and filter out invalid characters.

    Command Execution API

    High

    The API risk detection model detects that a request parameter contains command execution statements. Attackers can exploit the API to execute arbitrary system commands to control servers or steal important data.

    We recommend that you transform the API based on your business requirements to prevent command statements from being passed. You must strictly limit the parameter content and filter out invalid characters.

    Arbitrary Short Message Sending

    Medium

    The API risk detection model detects that the request parameters of the short message-sending API contain phone numbers and suspected text message content to be sent. Attackers may exploit the API to send malicious text messages to specified phone numbers.

    We recommend that you transform the API based on your business requirements and use fixed templates to configure the content to be sent.

    Arbitrary Email Content Sending

    Medium

    The API risk detection model detects that the request parameters of the email-sending API contain email addresses and suspected email content to be sent. Attackers can exploit the API to send malicious emails to specified addresses.

    We recommend that you transform the API based on your business requirements and use fixed templates to configure the content to be sent.

    Leak of Short Message Verification Code

    High

    The API risk detection model detects that the response parameter of the text message-sending API may contain verification codes. Attackers may use the API to obtain verification codes and bypass the text message verification mechanism.

    We recommend that you transform the API based on your business requirements to prevent verification codes from being returned to the frontend. The codes must be verified at the backend.

    Email Verification Code Leak

    High

    The API risk detection model detects that the response parameter of the email-sending API may contain verification codes. Attackers may use the API to obtain verification codes and bypass the email verification mechanism.

    We recommend that you transform the API based on your business requirements to prevent verification codes from being returned to the frontend. The codes must be verified at the backend.

    Specified File Download

    Medium

    The API risk detection model detects that the request parameter of the file download API contains file paths. Attackers can modify the parameter to download files and steal important data.

    We recommend that you transform the API based on your business requirements to prevent direct download of files from complete file paths. You must strictly limit the parameter content and filter out invalid characters to prevent attackers from downloading arbitrary files by using the API.

    Application Exception Information Leak

    Medium

    The API risk detection model detects that the response of the API contains application exception information. Attackers may obtain sensitive information such as server application configurations from the returned exception information.

    We recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents application information leaks due to direct return of exception information.

    Database Exception Information Leak

    Medium

    The API risk detection model detects that the response of the API contains database exception information. Attackers may use the database exception information to obtain information such as SQL statements, database names, and table names and then launch attacks such as SQL injection.

    We recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents database information leaks due to direct return of exception information.

    Custom

    Custom risk detection rule

    Custom level

    The API risk detection model detects that the API triggers the custom risk detection rule.

    The configurations that you specify for the policy is displayed.

  • What types of exception events can be detected by the API security module?

    Category

    Event type

    Event description

    Suggestion

    Baseline Exception

    Abnormal High-frequency Access

    An API is frequently called. The request rate is higher than the daily distribution baseline of request frequencies. Malicious activities, such as API abuses and HTTP flood attacks, may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.

    Access to Internal API from Unusual IP Address

    An API is called from IP addresses that deviate from the daily distribution baseline of IP addresses. Abnormal calls may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure an IP address whitelist based on the daily distribution baseline of IP addresses to block access from IP addresses not included in the whitelist and ensure the reasonable use of API resources.

    Access to Internal API from Unusual Location

    An API is called from IP address locations that deviate from the daily distribution baseline of IP address locations. Abnormal calls may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure a region blacklist based on the daily distribution baseline of IP address locations to ensure the reasonable use of API resources.

    Access using Anomalous Tools

    An API is accessed from clients that deviate from the daily distribution baseline of clients. Abnormal calls may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure access control policies based on the daily distribution baseline of clients or enable the bot management module to ensure the reasonable use of API resources.

    Access During Unusual Time Period

    An API is called during an unusual time period. Abnormal calls may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses.

    Access using Abnormal Parameter Values

    The format of request parameters deviates from the regular pattern. Abnormal calls or attacks may occur.

    We recommend that you perform troubleshooting based on sample data and log details. You can configure an IP address blacklist to block malicious IP addresses. If web attacks are confirmed, we recommend that you use protection modules in WAF to ensure the reasonable use of API resources.

    Account Risk

    Weak Password-based Logon to Internal Application

    The logon from the IP address to the internal application is suspected of using a weak password.

    We recommend that you check whether the logon is successful based on log details. We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 of the following types of characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users who have weak passwords to change their passwords at the earliest opportunity.

    Brute-force Attack Against Username

    Frequent logon attempts are initiated from the same IP address. A consistent password and constantly changing usernames are used. Brute-force attacks against usernames may occur.

    We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.

    Brute-force Attack Against Password

    Frequent logon attempts are initiated from the same IP address. A consistent username and constantly changing passwords are used. Brute-force attacks against passwords may occur.

    We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.

    Dictionary Attack

    Frequent logon attempts are initiated from the same IP address, and a large number of accounts are used. Dictionary attacks may occur.

    We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.

    Brute-force Attack Against Short Message Verification Code

    Frequent attempts are initiated from the same IP address to verify text message verification codes. A large number of verification codes are used. Brute-force attacks against text message verification codes may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.

    Brute-force Attack Against Email Verification Code

    Frequent attempts are initiated from the same IP address to verify email verification codes, and a large number of verification codes are used. Brute-force attacks against email verification codes may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.

    Batch Registration

    A large number of registration requests are sent from the same IP address. Bulk account registrations may occur, and numerous spam accounts may be generated.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.

    API Abuse

    Malicious Consumption of Short Message Resources

    A large number of message-sending requests are sent from the same IP address. Text message resource abuse or message flooding may occur. This may result in business loss.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you limit the frequency of text messages sent from a single mobile number and configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.

    Malicious Consumption of Email Resources

    A large number of email-sending requests are sent from the same IP address. Email resource abuse or mail flooding may occur. This may compromise the stability of email services.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you limit the frequency of emails sent from a single email address and configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.

    Batch Download

    A large number of data export or download requests are sent from the IP address, and a large amount of file data is exported or downloaded. Data leaks may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.

    Data Crawling

    An API is frequently called from the same IP address, and parameter traversal is suspected. Data crawling may occur.

    We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We recommend that you increase the randomness of parameters based on your business requirements. This helps prevent reliance on simple, predictable values, such as short numeric values, which can be easily compromised.

    API Attack

    Web attacks are initiated from the IP address, and all attacks are blocked by protection modules.

    We recommend that you analyze IP address behavior based on log details. You can configure an IP address blacklist to block malicious IP addresses.

    Sensitive Data Leak

    Unauthorized Access to Sensitive Data

    An API is called from the IP address, unauthorized access is suspected, and sensitive data is retrieved. Data leak risks may arise.

    We recommend that you troubleshoot issues based on log details. We also recommend that you implement a strict and complete authentication mechanism for important APIs to prevent unauthorized or privilege-escalated exploitation of the APIs.

    Mass Sensitive Data Access

    When an API is called from the IP address, a large number of entries of sensitive data are retrieved. Data leak risks may arise.

    We recommend that you troubleshoot issues based on log details. We also recommend that you mask important sensitive data and delete unnecessary data types. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies.

    Mass Sensitive Data Access by IP Addresses Outside China

    An API is called from IP addresses that originate from regions outside the Chinese mainland, and a large number of entries of sensitive data are retrieved. Data leak and compliance risks may arise.

    We recommend that you troubleshoot issues based on log details. Cross-border transmission of sensitive data may pose compliance risks. If cross-border transmission of sensitive data is required, we recommend that you conduct an evaluation and promptly proceed with security assessments or filings.

    Response Exception

    Return of Error Message

    When an API is called from the IP address, error messages may be returned and leaks of information such as application configurations may occur.

    We recommend that you perform troubleshooting based on log details to check whether the API runs as expected. We also recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents application information leaks due to direct return of exception information.

    Return of Database Error Message

    When an API is called from the IP address, database error messages may be returned and leaks of information such as statements, database names, and table names may occur.

    We recommend that you perform troubleshooting based on log details to check whether the API runs as expected. We also recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents database information leaks due to direct return of exception information.

    Return of Sensitive System Information

    When an API is called from the IP address, critical sensitive information about servers may be returned. Data leak risks may arise.

    We recommend that you perform troubleshooting based on log details to check whether data is returned as expected. Do not allow data to be directly returned to the frontend.

    Abnormal Response

    When an API is called from the IP address, the percentage of abnormal responses exceeds 80%. Origin servers may not run as expected.

    We recommend that you perform troubleshooting based on log details to check whether the API runs as expected.

    Custom Event

    Custom event detection policy

    When an API is called from the IP address, the access behavior matches the custom event detection policy.

    The configurations that you specify for the policy is displayed.

  • How does the API security module help enterprises reduce the risk of data leaks?

    The API security module detects API vulnerabilities, traces API exception events, and provides suggestions on how to handle vulnerabilities.

    Risk type

    Description

    API vulnerabilities

    Enterprises may expose internal APIs, such as APIs used for internal office work, development testing, and operations management, to the Internet. This exposure allows attackers to access and retrieve sensitive data by using the APIs.

    API exception events

    APIs may not function as expected in predefined business requirement and access scenarios.

  • What are the application criteria for security assessments and filings of cross-border data transfer? (supported only in the Chinese mainland)

    The following table describes the application criteria based on the Measures for the Security Assessment of Outbound Data Transfer.

    Evaluation type

    Evaluation result

    Since January 1 of last year, the cumulative number of natural persons whose personal information is transferred abroad is greater than 100,000.

    Requirements for applying for a security assessment are met.

    Since January 1 of last year, the cumulative number of natural persons whose personal sensitive information is transferred abroad is greater than 10,000.

    Since January 1 of last year, cross-border data transfer activities occurred, and the cumulative number of natural persons whose personal information is transferred abroad is greater than 1,000,000.

    Since January 1 of last year, the cumulative number of natural persons whose personal information is transferred abroad is less than 100,000.

    Requirements for applying for a security assessment are not met.

    Since January 1 of last year, the cumulative number of natural persons whose personal sensitive information is transferred abroad is less than 10,000.

    Since January 1 of last year, cross-border data transfer activities occurred, and the cumulative number of natural persons whose personal information is transferred abroad is less than 1,000,000.