How to configure the API security module - Web Application Firewall

The API security module is an independent module of Web Application Firewall (WAF) and requires separate payment. The API security module automatically sorts the APIs of services that are protected by WAF and detects API vulnerabilities based on a built-in detection mechanism and custom detection policies. These vulnerabilities include unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module allows you to trace API exception events, check the compliance of cross-border data transfer, trace sensitive data by using reports, and fix detected vulnerabilities. The module also provides data for API lifecycle management to help you identify and manage all APIs that are required by your business and improve the security of the APIs throughout the entire process of data flow. This topic describes how to configure the API security module.

Introduction

In the era of digital economy, enterprises face a rapidly changing environment that demands quick responses to external changes. To enhance efficiency, enterprises must share data with third parties. The use of APIs to facilitate communication between systems is an important means for internal and external system integration within enterprises. An increasing number of enterprises are opening up their capabilities and resources by using API platforms to build industrial ecosystems. Partners can leverage open and high-quality resources for rapid integration and innovation, which helps promote the birth of the API economy and generate more value from data exchanges. Enterprises face the important task of providing a large number of API services and value-added data services. However, with the rapid development of APIs, risks are also increasing. Unauthorized access to APIs by attackers, configuration errors, and illegitimate API access requests can lead to sensitive data leaks. To mitigate these risks, WAF monitors APIs and visualizes traffic to automatically identify and categorize API services, and establishes models for legitimate access requests. This enables prompt identification and response to abnormal API access and ensures a secure and efficient system.

Core benefits

The API security module can automatically identify APIs and detect API vulnerabilities and attacks to meet your core requirements.

Detects all APIs that are required by your business. The API security module also supports custom detection policies to help your security team configure comprehensive security protection for all APIs.
Detects API vulnerabilities, such as unauthorized access, weak passwords, and API designs that do not comply with the security conventions.
Detects API attacks, such as sensitive data thefts, API data crawling, brute-force attacks, dictionary attacks, and message flooding. This helps you handle attacks to avoid business loss at the earliest opportunity.

Check the API security status

Before you enable the API security module, you can use basic detection to obtain security information about your APIs, including the overviews of security events and API assets. By default, basic detection is enabled for subscription WAF 3.0 instances. The basic detection module analyzes WAF logs offline and displays API asset statistics, abnormal event statistics, and the latest 10 abnormal API calls.

If you do not want to obtain basic detection data, skip this step.

Note

Basic detection is unavailable for pay-as-you-go WAF 3.0 instances.
The display of the basic detection data and detection results may have a delay. The detection capabilities of the basic detection module are not as strong as those of the API security module. As a result, the information obtained from the two modules may differ. The detection results of the API security module are more accurate.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > API Security.
In the Basic Detection section, view basic detection data.
- Security Event Overview: displays the total number of API security events, and the number of high-risk, medium-risk, and low-risk API security events.
- API Asset Overview: displays the total number of API assets, the number of active APIs, and the number of deactivated APIs.
- Security Events: displays the names, API paths, domain names, attack sources, and occurrence time of the security events.
The basic detection module does not provide detailed data on API security and abnormal events. If you want to view the number of APIs that transfer sensitive data or view risk details and suggestions on how to handle security events, you can enable the API security module. For more information, see Enable the API security module.

Feature description

The API security module automatically sorts the APIs of services that are protected by WAF and detects API security risks based on a built-in detection mechanism and custom detection policies. The module allows you to monitor cross-border transfers of sensitive data and trace sensitive data leaks. This can help you configure comprehensive management and security protection policies for your APIs. In addition to the statistics on the Overview tab, the API security module also provides information on asset management, risks and events, compliance check and tracing and auditing, and security policy configuration.

The asset management feature supports the query, statistics, and management of asset information.
The risks and events feature supports data query and statistics on risk detection, security events, and overall data.
If you want to provide data to regions outside the Chinese mainland, you must apply to the national cyberspace administration for the security assessment of the cross-border data transfer through the local provincial cyberspace administration. You can use the compliance check and tracing and auditing features of the API security module to check and trace cross-border data transfer. The features are supported only in the Chinese mainland.
The policy configuration feature allows you to configure policies for risk detection, security events, sensitive data, authentication credentials, business purposes, lifecycle management, applicable objects, and log subscription. You can enable or disable the policies. In addition to the built-in policies, you can also configure custom policies.

The following table describes the seven features on four tabs.

Tab	Feature	Description
Overview	-	Displays API asset trends, risk trends, risky site statistics, attack trends, statistics on attacked sites, statistics on request sensitive data types, and statistics on response sensitive data types.
Asset Management	Asset management	Analyzes access logs offline to automatically detect APIs and identify the reasons why APIs are called based on API characteristics.
Risk Detection	Risks and events	Detects various security risks, such as unauthorized access and sensitive data leaks, and provides risk analysis and suggestions on how to handle the security risks.
Security Events	Risks and events	Monitors and analyzes API calls to quickly detect abnormal requests and attacks.
Compliance Check	Compliance check and tracing and auditing	Identifies risks that are associated with cross-border data transfer operations based on the Measures for the Security Assessment of Outbound Data Transfer. The API security module checks the compliance of transfer operations in the following scenarios: A critical information infrastructure operator or data processor that has processed the personal information of more than one million people provides personal information outside the Chinese mainland. A data processor that has provided the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people in total since January 1 of the previous year provides personal information outside the Chinese mainland.
Tracing and Auditing	Compliance check and tracing and auditing	Performs cross-validation on security events by using logs and sensitive data samples when sensitive data security events occur.
Policy Configurations	Policy configuration	Supports the configuration of custom detection policies based on business requirements. This increases the detection accuracy and recall rate of the API security module. This feature allows you to configure the API security module for a specific protected object.

Enable the API security module

Preparations

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

Note

The API security module is unavailable for APIs of the Microservices Engine (MSE) and Function Compute resources that are protected by WAF.

Procedure

Important

Data computing and analysis are performed offline. The API security module does not actively detect APIs and does not affect your workloads.
The API security module detects responses that have specific characteristics and determines whether data leaks occurred. After you enable the API security module, WAF is authorized to analyze the responses. Enable the API security module based on your business requirements.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > API Security.
Enable the API security module.
- Apply for a free trial of the API security module
  Note
  - Each Alibaba Cloud account can apply for the free trial only once.
  - The free trial is valid for seven days. The security analysis results that are generated during the trial period are available only during the trial period. If you want to retain the security analysis results, enable the API security module before the trial period ends.
  On the API Security page, click Try Now. On the page that appears, fill out the application and click Submit.
  After Alibaba Cloud engineers receive your trial application, they will contact you within one week based on the contact information that you submit and confirm information that is related to your application. After your trial application is approved, the API security module is automatically enabled for your WAF instance.
- Enable the API security module
  1. On the API Security page, click Enable Now.
  2. On the page that appears, set the API Security parameter to Enable, click Buy Now, and then complete the payment.

View API security data

On the Overview tab of the API Security page, you can view the following information: API Asset Trend, Risk Trend, Risky Site Statistics, Attack Trend, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types. The default statistical period is 30 days.

截屏2024-05-09 18

Supported query operations

In the API Asset Trend, Risk Trend, and Attack Trend sections, you can click the legends such as Total API Assets and Active APIs below a chart to view the data that interests you.
In the Risky Site Statistics, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types sections, you can sort the data in ascending or descending order.
To view more risk detection information, you can click More in the upper-right corner of the Risky Site Statistics section to go to the corresponding tab. You can also click a number in the section to go to the corresponding tab and view detailed data filtered by relevant conditions.
To view more information about security events, you can click More in the upper-right corner of the Statistics on Attacked Sites section to go to the corresponding tab. You can also click a number in the section to go to the corresponding tab and view detailed data filtered by relevant conditions.
To view more information about asset management, you can click More in the upper-right corner of the Statistics on Request Sensitive Data Types or Statistics on Response Sensitive Data Types section. You can also click a number in the section to go to the corresponding tab and view detailed data filtered by relevant conditions.

FAQ

You can use CloudMonitor to configure monitoring and alerting for API security events. This allows WAF to send alert notifications to you when high-risk events are detected and helps you monitor the status of your API assets at the earliest opportunity. For more information, see Configure CloudMonitor notifications.

For information about the capabilities of the API security module, see the following FAQs:

What are the purposes of API calls that are classified by the API security module?

The API security module classifies APIs by purpose to help you identify the APIs of different features, such as the logon APIs, registration APIs, and text message sending APIs. This allows you to manage APIs by purpose and provides support for the detection of security risks and events in different scenarios. For example, if you want to detect the risk of brute-force attacks on accounts, you must identify logon APIs. The API security module also allows you to specify a custom purpose for an API and select multiple purposes to display corresponding APIs. The API purpose is identified by matching the characteristics of the API path and the parameter names that are used in the API calls. The following table describes the built-in purposes supported by the API security module.

Purpose

Account Password-based Logon

Mobile Verification Code-based Logon

Email Verification Code-based Logon

WeChat Logon

Alipay Logon

OAuth Authentication

OIDC Authentication

SAML Authentication

SSO Authentication

Logon

Logoff

Account Password-based Registration

Mobile Verification Code-based Registration

Email Verification Code-based Registration

WeChat Registration

Alipay Registration

Registration Service

Short Message Sending

Mail Sending

Password Reset

Verification Code Verification

Status Checking Nodes

Order Query

Order Export

Order Update

Order Payment

Log Query

Log Reporting

Log Export

Log Service

GraphQL

SQL Service

File Upload

File Download

File Service

Background Management

Dashboard

Monitoring Service

Information Sending

Check parameter settings.

Data Query

Data Upload

Data Download

Data Addition

Data Modification

Data Update

Data Sharing

Data Deletion

Data Synchronization

Data Submission

Data Copy

Data Auditing

Data Saving

Cancel

Start

Batch Processing

Suspension

Add

Debugging

Settings

What are the objects for which APIs are called to provide services?
The API security module allows you to view APIs by service object. For example, an API is intended for an internal-facing service or an external-facing service. Service objects are identified based on the naming conventions of APIs and the analysis of access concentration. APIs are called to provide services for the following service objects:
- Internal Office: The API is called to provide services to internal employees.
- Cooperation with Third-party Partner: The API is called to provide services to third-party ecosystem partners.
- Public Service: The API is called to provide Internet-facing services.

What types of sensitive data can be detected by the API security module?

Sensitive data refers to the sensitive data types that are detected by the detection model from the request and response content of an API call. The data sensitivity can be classified into the following levels in ascending order: S1, S2, S3, and S4. The sensitivity level is consistent with the practices of Data Security Center (DSC).

The following table describes the sensitive data types and sensitivity levels.

Sensitive data type	Name in English	Sensitivity level	Category
ID card number (Chinese mainland)	ID Card Number (Chinese Mainland)	S3	Personal information and personal sensitive information
Debit card number	Debit Card	S3	Personal information and personal sensitive information
Name in simplified Chinese	Full Name (Simplified Chinese)	S2	Personal information
Address (Chinese mainland)	Address (Chinese Mainland)	S2	Personal information
Mobile phone number (Chinese mainland)	Mobile Number (Chinese Mainland)	S2	Personal information
Email address	Email Address	S2	Personal information
Passport number (Chinese mainland)	Passport Number (Chinese Mainland)	S3	Personal information and personal sensitive information
Permit number of the exit-entry permit for travelling to and from Hong Kong and Macao	Mainland Travel Permit for Hong Kong and Macao Residents	S3	Personal information and personal sensitive information
License plate number (Chinese mainland)	License Plate Number (Chinese Mainland)	S2	Personal information
Phone number (Chinese mainland)	Phone Number (Chinese Mainland)	S2	Personal information
ID of military officer card	Military Officer Card	S3	Personal information and personal sensitive information
Gender	Gender	S2	Personal information
Ethnicity	Ethnic Group	S2	Personal information
Province (Chinese Mainland)	Province (Chinese Mainland)	S1
City (Chinese Mainland)	City (Chinese Mainland)	S1
ID card number (Hong Kong, China)	ID Card Number (Hong Kong, China)	S3	Personal information and personal sensitive information
Name in traditional Chinese	Full Name (Traditional Chinese)	S2	Personal information
Name in English	Full Name (English)	S2	Personal information
ID card number (Malaysia)	ID Card Number (Malaysia)	S3	Personal information and personal sensitive information
ID card number (Singapore)	ID Card Number (Singapore)	S3	Personal information and personal sensitive information
Credit card number Loan bank card	Lending Bank Card	S3	Personal information and personal sensitive information
SwiftCode SWIFT Code	SWIFT Code	S1
SSN	SSN	S3	Personal information and personal sensitive information
Telephone number (the United States)	Telephone Number (United States)	S2	Personal information
Religion	Religious Belief	S3	Personal information and personal sensitive information
IP address	IP Address	S2	Personal information
MAC address	MAC Address	S2	Personal information
Java Database Connectivity (JDBC) connection string	JDBC Connection String	S3	Personal information and personal sensitive information
Privacy Enhanced Mail (PEM) certificate	PEM Certificate	S2	Personal information and personal sensitive information
Private key	Private Key	S3	Personal information and personal sensitive information
AccessKeyId	AccessKey ID	S3	Personal information and personal sensitive information
AccessKeySecret	AccessKey Secret	S3	Personal information and personal sensitive information
IPv6 address	IPv6 Address	S2	Personal information
Date	Date	S1
IMEI	IMEI	S2	Personal information
MEID	MEID	S2	Personal information
Linux-Passwd file	Linux Password File	S3
Linux-Shadow file	Linux Shadow File	S3
URL	URL	S1
Business license number	Business License Number	S1
Tax registration certificate number	Tax Registration Certificate Number	S1
Organization code	Organization Code	S1
Unified social credit code	Unified Social Credit Code	S1
Vehicle identification number	Vehicle Identification Number	S2

What are the sensitivity levels of the API security module?
The sensitivity levels of APIs are classified into high sensitivity, moderate sensitivity, low sensitivity, and non-sensitive. The following section describes the rules for classifying API sensitivity levels.
- High sensitivity: The response of an API contains data types of the S3 or higher level, or more than 20 sensitive data types of the S2 level are returned at the same time.
- Moderate sensitivity: The response of an API contains data types of the S2 level.
- Low sensitivity: The response of an API contains data types of the S1 level.
- Non-sensitive: The response of an API does not contain sensitive data.

What types of API risks can be detected by the API security module?

Category	Risk type	Level	Risk description	Suggestion
Security and Specifications	Insecure HTTP Methods	Low	The API risk detection model detects that the API uses insecure HTTP methods. Attackers may use such methods to detect server information or directly manipulate server data. For example, attackers may use the PUT method to upload malicious files and use the DELETE method to delete server resources.	We recommend that you transform the API based on your business requirements and disable insecure HTTP methods such as PUT, DELETE, TRACE, and OPTIONS.
	JWT Weak Signature Algorithm	Low	The API risk detection model detects that the API uses the weak signature algorithm in JSON Web Token (JWT).	We recommend that you use a secure signature algorithm such as RS256 to ensure the key strength and security of keys during transmission and storage.
	Parameter as URL	Low	The API risk detection model detects that the request parameter of the API is set to a URL link. Attacks such as server-side request forgery (SSRF) attacks may occur.	We recommend that you transform the API based on your business requirements to prevent the direct use of user-controlled URLs in parameters. You must strictly limit the parameter content and filter out invalid characters.
Account Security	Password Plaintext Transmission	Low	The API risk detection model detects that account passwords in plaintext are sent. Attackers can use eavesdropping and similar tactics to intercept and steal user credentials during transmission. This can result in account theft.	We recommend that you encrypt or hash the password field before transmission to prevent interception and theft from attackers.
	Weak Password Tolerance	Low	The API risk detection model detects that the logon API has weak passwords. Attackers may perform brute-force attacks to steal accounts.	We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 types of the following characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users with weak passwords to change the passwords at the earliest opportunity.
	Weak Password Vulnerability in Internal Application	High	The API risk detection model detects that weak passwords are used in the logon API for internal applications. Attackers may steal accounts by using brute-force attacks.	We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 types of the following characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users with weak passwords to change the passwords at the earliest opportunity.
	Presence of Default Passwords	Medium	The API risk detection model detects that default passwords are used in applications associated with the API. Attackers can use the default passwords to access accounts that have unchanged passwords.	We recommend that you notify users of applications that use default passwords to change the default passwords upon their first logon. For users of existing accounts, we recommend that you notify users to change their passwords.
	Return of Plaintext Password	Low	The API risk detection model detects that the response of the API contains plaintext passwords. Attackers can use eavesdropping and similar tactics to intercept and steal user credentials during transmission. This can result in account theft.	We recommend that you transform the API based on your business requirements to prevent the API from returning plaintext password information.
	Password Storage in Cookies	Low	The API risk detection model detects that the cookie of the API stores the account password information, which can be easily stolen by attackers.	We recommend that you transform the API based on your business requirements to prevent important and sensitive information, such as accounts and secrets, from being stored in cookies.
	Unrestricted Logon	Medium	The API risk detection model detects that a CAPTCHA mechanism is not provided. Attackers can exploit this vulnerability to perform unlimited brute-force attacks on account passwords.	We recommend that you implement CAPTCHA measures, especially when multiple logon failures occur. You can enable CAPTCHA verification to prevent brute-force attacks.
	Unreasonable Logon Failure Prompt	Low	The API risk detection model detects that logon failure messages may reveal information about the existence of accounts. Attackers can exploit the messages to enumerate existing accounts and launch attacks or obtain business-critical data such as user registration volume.	We recommend that you configure the system to display a message such as "Invalid username or password" when logon failures occur, instead of messages such as "Username does not exist", which may indicate that user accounts exist.
	URL-based Account Password Transmission	Medium	The API risk detection model detects that account passwords in plaintext are sent by using URLs. URLs may be exposed in logs, Referers, or browser history. Unauthorized access to URLs can result in credential leaks.	We recommend that you use the POST method to transfer confidential data in the request body.
Access Control	Internal Application Accessible from the Internet	Low	The API risk detection model detects that the API is used by internal applications and can be accessed over the Internet, and no access restrictions are implemented. Internal applications are exposed to the Internet and may be maliciously exploited or attacked by attackers.	We recommend that you configure access control policies. For example, you can configure an IP address whitelist to limit access sources.
	Unrestricted Access Sources	Low	The API risk detection model detects that the routine access sources of the API do not meet the baseline. The routine access source can be an IP address or a region.	We recommend that you configure access control policies. For example, you can configure IP address blacklists or IP address whitelists, or region blacklists to limit access sources.
	Unrestricted Access Tools	Low	The API risk detection model detects that the clients used to access the API do not meet the baseline.	We recommend that you configure access control policies to limit access clients. This helps prevent attackers from using malicious clients to attack the API or crawl data.
	Unrestricted Access Rate	Low	The API risk detection model detects that the routine access frequency for the API is high for a single IP address. In this case, you can configure access frequency restriction policies to prevent unauthorized calls to the API.	We recommend that you add a RAM protection policy to restrict high-frequency access.
Permission management	Weak Authentication Credential	Medium	The API risk detection model detects that the authentication credentials of the API do not have sufficient randomness and brute-force attacks can easily be performed on the API. This may result in unauthorized or privilege-escalated exploitation of the API.	We recommend that you enhance the randomness of authentication credentials to prevent credentials that are excessively short in length or have obvious format characteristics.
	Unauthenticated Access to Sensitive API	High	The API risk detection model detects that the API contains highly sensitive data. The data can be accessed without authorization. This may result in sensitive data leaks.	We recommend that you add a strict and complete authentication mechanism to prevent unauthorized or privilege-escalated exploitation of the API.
	Unauthorized Access to Internal API	High	The API risk detection model detects that the API is used by internal applications and can be accessed without authorization. This may result in unauthorized use of internal applications or internal data leaks.	We recommend that you add a strict and complete authentication mechanism to prevent unauthorized or privilege-escalated exploitation of the API.
	URL-based Credential Transmission	Medium	The API risk detection model detects that authentication credential information is sent by using URLs. URLs may be exposed in logs, Referers, or browser history. Unauthorized access to URLs can result in the risk of authorization misuse.	We recommend that you use other methods to pass authentication credentials, such as custom headers, cookies, and the request body.
	AccessKey Pair Information Leak	High	The API risk detection model detects that AccessKey IDs and AccessKey secrets are returned, which may be exploited by attackers.	We recommend that you transform the API based on your business requirements to prevent AccessKey pair information from being returned. The leaked AccessKey pairs must be disabled or deleted.
Data Protection	Excessive Types of Sensitive Data in Response	Medium	The API risk detection model detects that the response of the API contains an excessive variety of sensitive data types. This may result in the unnecessary exposure of data, which can lead to data leaks.	We recommend that you confirm the necessity of returning all data types based on your business requirements, mask important sensitive data, and delete unnecessary data types.
	Excessive Sensitive Data in Response	Medium	The API risk detection model detects that the response of the API contains sensitive data. The lack of restrictions on the volume of returned data may lead to leaks of substantial data.	We recommend that you limit the amount of data returned at a time based on your business requirements to prevent attackers from using the API to obtain a large amount of sensitive data.
	Inadequate Data De-identification	Medium	The API risk detection model detects that the response of the API contains desensitized and undesensitized versions of the same data at the same time.	We recommend that you identify risks based on the sample data. For de-identified data, measures must be taken to ensure that the de-identified data is not exposed in plaintext.
	Leak of Sensitive Server Information	High	The API risk detection model detects that the response of the API contains sensitive information about servers. Attackers may use the sensitive information to attack the servers and obtain control permissions.	We recommend that you perform troubleshooting based on log details to check whether the returned data is as expected. This prevents such data from being directly returned to the frontend.
	Internal IP Address Leak	Medium	The API risk detection model detects that the response of the API may contain internal IP addresses. Attackers may use the IP addresses to attack internal applications.	We recommend that you transform the API based on your business requirements to prevent leaks of internal network information.
	URL-based Sensitive Data Transmission	Medium	The API risk detection model detects that highly sensitive data is sent by using URLs. URLs may be exposed in logs, Referers, or browser history. Unauthorized access to URLs can result in sensitive data leaks.	We recommend that you use the POST method to transfer sensitive data in the request body.
API Design	Request Parameter Traversability	Low	The API risk detection model detects that the format of request parameters is fixed and can be easily constructed. Attackers may exploit this vulnerability to enumerate parameter values and extract data in bulk.	We recommend that you increase the randomness of parameters based on your business requirements. This helps prevent reliance on simple, predictable values, such as short numeric values, which can be easily compromised.
	Modifiable Volume of Returned Data	Low	The API risk detection model detects that a request parameter is used to specify the number of items returned and can be modified to any value. Attackers can exploit this vulnerability to retrieve a large amount of data in a single request.	We recommend that you implement parameter value limits based on your business requirements and provide only a few optional values. This helps prevent the API from being maliciously exploited to obtain a large amount of data.
	Database Query	High	The API risk detection model detects that a request parameter contains query statements. Attackers may exploit the API to execute arbitrary database operations to attack databases or steal important data.	We recommend that you transform the API based on your business requirements to prevent database query statements from being passed. You must strictly limit the parameter content and filter out invalid characters.
	Command Execution API	High	The API risk detection model detects that a request parameter contains command execution statements. Attackers can exploit the API to execute arbitrary system commands to control servers or steal important data.	We recommend that you transform the API based on your business requirements to prevent command statements from being passed. You must strictly limit the parameter content and filter out invalid characters.
	Arbitrary Short Message Sending	Medium	The API risk detection model detects that the request parameters of the short message-sending API contain phone numbers and suspected text message content to be sent. Attackers may exploit the API to send malicious text messages to specified phone numbers.	We recommend that you transform the API based on your business requirements and use fixed templates to configure the content to be sent.
	Arbitrary Email Content Sending	Medium	The API risk detection model detects that the request parameters of the email-sending API contain email addresses and suspected email content to be sent. Attackers can exploit the API to send malicious emails to specified addresses.	We recommend that you transform the API based on your business requirements and use fixed templates to configure the content to be sent.
	Leak of Short Message Verification Code	High	The API risk detection model detects that the response parameter of the text message-sending API may contain verification codes. Attackers may use the API to obtain verification codes and bypass the text message verification mechanism.	We recommend that you transform the API based on your business requirements to prevent verification codes from being returned to the frontend. The codes must be verified at the backend.
	Email Verification Code Leak	High	The API risk detection model detects that the response parameter of the email-sending API may contain verification codes. Attackers may use the API to obtain verification codes and bypass the email verification mechanism.	We recommend that you transform the API based on your business requirements to prevent verification codes from being returned to the frontend. The codes must be verified at the backend.
	Specified File Download	Medium	The API risk detection model detects that the request parameter of the file download API contains file paths. Attackers can modify the parameter to download files and steal important data.	We recommend that you transform the API based on your business requirements to prevent direct download of files from complete file paths. You must strictly limit the parameter content and filter out invalid characters to prevent attackers from downloading arbitrary files by using the API.
	Application Exception Information Leak	Medium	The API risk detection model detects that the response of the API contains application exception information. Attackers may obtain sensitive information such as server application configurations from the returned exception information.	We recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents application information leakage due to direct return of exception information.
	Database Exception Information Leak	Medium	The API risk detection model detects that the response of the API contains database exception information. Attackers may use the database exception information to obtain information such as SQL statements, database names, and table names and then launch attacks such as SQL injection.	We recommend that you optimize the exception handling mechanism to return specific content or redirect to specific pages when an exception occurs. This helps prevent database information leaks caused by returned exception information.
Custom	Custom Detection Rules for Data Leak Risks	Custom level	The API risk detection model detects that the API triggers the custom risk detection rule.	The configurations that you specify for the policy is displayed.

What types of exception events can be detected by the API security module?

Category	Event type	Description	Suggestion
Baseline Exception	Abnormal High-frequency Access	An API is frequently called. The request rate is higher than the daily request frequency baseline. Malicious activities, such as API abuses and HTTP flood attacks, may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily request frequency baseline to ensure the reasonable use of API resources.
	Access to Internal API from Unusual IP Address	An API is called from IP addresses that deviate from the daily distribution baseline of IP addresses. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure an IP address whitelist based on the daily distribution baseline of IP addresses to block access from IP addresses not included in the whitelist and ensure the reasonable use of API resources.
	Access to Internal API from Unusual Location	An API is called from IP address locations that deviate from the daily distribution baseline of IP address locations. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure a region blacklist based on the daily distribution baseline of IP address locations to ensure the reasonable use of API resources.
	Access using Anomalous Tools	An API is accessed from clients that deviate from the daily distribution baseline of clients. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure access control policies or enable the bot management module based on the daily distribution baseline of clients to ensure the reasonable use of API resources.
	Access During Unusual Time Period	An API is called during an unusual time period. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses.
	Access using Abnormal Parameter Values	The format of request parameters deviates from the regular pattern. Abnormal calls or attacks may occur.	We recommend that you perform troubleshooting based on the sample data and log details. You can configure an IP address blacklist to block malicious IP addresses. If web attacks are confirmed, we recommend that you use protection modules in WAF to ensure the reasonable use of API resources.
Account Risk	Weak Password-based Logon to Internal Application	Weak passwords may be used to log on to internal applications from IP addresses.	We recommend that you check whether the logon is successful based on log details. We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 types of the following characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users with weak passwords to change the passwords at the earliest opportunity.
	Brute-force Attack Against Username	Frequent logon attempts are performed from IP addresses. A consistent password and constantly changing usernames are used, and brute-force attacks against usernames may occur.	We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.
	Brute-force Attack Against Password	Frequent logon attempts are performed from IP addresses. A consistent username and constantly changing passwords are used, and brute-force attacks against passwords may occur.	We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.
	Dictionary Attack	Frequent logon attempts are performed from IP addresses. A large number of accounts are used, and dictionary attacks may occur.	We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.
	Brute-force Attack Against Short Message Verification Code	Frequent attempts are performed to verify text message verification codes from IP addresses. A large number of verification codes are used, and brute-force attacks against text message verification codes may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily request frequency baseline to ensure the reasonable use of API resources.
	Brute-force Attack Against Email Verification Code	Frequent attempts are performed to verify email verification codes from IP addresses. A large number of verification codes are used, and brute-force attacks against email verification codes may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily request frequency baseline to ensure the reasonable use of API resources.
	Batch Registration	A large number of registration requests are sent from IP addresses. Bulk account registrations may occur, and numerous spam accounts may be generated.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily request frequency baseline to ensure the reasonable use of API resources.
API Abuse	Malicious Consumption of Short Message Resources	A large number of message-sending requests are sent from IP addresses. Suspected text message resource abuse or message flooding occurs. This may result in operational financial losses.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you impose limits on the frequency of text messages sent from a single mobile number and configure rate limiting policies based on the daily request frequency baseline to ensure the reasonable use of API resources.
	Malicious Consumption of Email Resources	A large number of email-sending requests are sent from IP addresses. Suspected email resource abuse or mail flooding occurs. This may compromise the stability of email services.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you impose limits on the frequency of emails sent from a single address and configure rate limiting policies based on the daily request frequency baseline to ensure the reasonable use of API resources.
	Batch download	A large number of data export or download requests are sent from IP addresses. A large amount of file data is exported or downloaded, and data leaks may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily request frequency baseline to ensure the reasonable use of API resources.
	Path traversal	When an API is frequently called from IP addresses, parameter traversal is detected and data crawling may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We recommend that you increase the randomness of parameters based on your business requirements. This helps prevent reliance on simple, predictable values, such as short numeric values, which can be easily compromised.
	API Attack	Web attacks are initiated from IP addresses. All attacks are blocked by protection modules.	We recommend that you analyze IP address behavior based on log details. You can configure an IP address blacklist to block malicious IP addresses.
Sensitive Data Leak	Unauthorized Access to Sensitive Data	When an API is called from IP addresses, the access is unauthorized. Sensitive data is retrieved. Risks of data leaks may arise.	We recommend that you troubleshoot issues based on log details and implement a strict and complete authentication mechanism for important APIs to prevent unauthorized or privilege-escalated exploitation of the API.
	Mass Sensitive Data Access	When an API is called from IP addresses, a large number of entries of sensitive data are retrieved. Risks of data leaks may arise.	We recommend that you troubleshoot issues based on log details, mask important sensitive data, and delete unnecessary data types. You can also configure rate limiting policies based on the daily request distribution baseline.
	Mass Sensitive Data Access by IP Addresses Outside China	An API is called from the IP addresses that originate from regions outside the Chinese mainland. A large number of entries of sensitive data are retrieved. Risks of data leaks and non-compliance with data regulations may arise.	We recommend that you troubleshoot issues based on log details. Cross-border transmission of sensitive data may pose compliance risks. If cross-border transmission of sensitive data is required, we recommend that you conduct an evaluation and promptly proceed with declarations or filings.
Response Exception	Return of Error Message	When an API is called from IP addresses, error messages may be returned and leaks of information such as application configurations may occur.	We recommend that you perform troubleshooting based on log details to check whether the API runs as expected. We also recommend that you optimize the exception handling mechanism to return specific content or redirect to specific pages when an exception occurs. This helps prevent leaks of application information caused by returned exception information.
	Return of Database Error Message	When an API is called from IP addresses, database error messages may be returned and leaks of information such as statements, database names, and table names may occur.	We recommend that you perform troubleshooting based on log details to check whether the API runs as expected. We also recommend that you optimize the exception handling mechanism to return specific content or redirect to specific pages when an exception occurs. This helps prevent leaks of database information caused by returned exception information.
	Return of Sensitive System Information	When an API is called from IP addresses, sensitive information about critical servers may be returned. Risks of data leaks may arise.	We recommend that you perform troubleshooting based on log details to check whether the returned data is as expected. This prevents such data from being directly returned to the frontend.
	Abnormal Response	When an API is called from IP addresses, the percentage of exceptional responses exceeds 80%. Origin servers may not run as expected.	We recommend that you perform troubleshooting based on log details to check whether the API runs as expected.
Custom Event	Custom Event Policy	When an API is called from IP addresses, the access activities match the custom event detection model.	The configurations that you specify for the policy is displayed.

How does the API security module help enterprises reduce the risk of data leaks?

The API security module detects API vulnerabilities, traces API exception events, and provides suggestions on how to handle vulnerabilities.

Risk type	Description
API vulnerabilities	Scenarios in which enterprises expose the internal APIs, such as APIs used for internal office work, development testing, and operations management, to the Internet. This exposure allows attackers to access and retrieve sensitive data by using the APIs.
API exception events	Unexpected behaviors that occur within APIs under predefined business requirements and access scenarios.

What are the standards for applications for the security assessments and filings of cross-border data transfer? (Supported only in the Chinese mainland)

The following table describes the application criteria based on the Measures for the Security Assessment of Outbound Data Transfer.

Evaluation type	Evaluation result
Since January 1 of last year, the cumulative number of natural persons whose personal information is transferred abroad is greater than 100,000.	Application for a security assessment is required.
Since January 1 of last year, the cumulative number of natural persons whose personal sensitive information is transferred abroad is greater than 10,000.
Since January 1 of last year, cross-border data transfer activities occurred, and the cumulative number of natural persons whose personal information is transferred provided abroad is greater than 1,000,000.
Since January 1 of last year, the cumulative number of natural persons whose personal information is transferred abroad is less than 100,000.	Declaration requirements are not met.
Since January 1 of last year, the cumulative number of natural persons whose personal sensitive information is transferred abroad is less than 10,000.
Since January 1 of last year, cross-border data transfer activities occurred, and the cumulative number of natural persons whose personal information is transferred abroad is less than 1,000,000.