Overview
StackPath provides a robust core rule set to protect your site from malicious attacks. In addition, StackPath follows the Open Web Application Security Project's (OWASP) list of recommended critical web-application security risks. OWASP is a foundation dedicated to improving software security, and regularly publishes updated reports on the most current and critical security risks.
Below is a list of the core WAF and OWASP top threats and their definitions.
| Name | Description |
| --- | --- |
| SQL Injection | This common attack vector uses malicious SQL code to manipulate the backend database and access information that was not intended to be displayed, such as sensitive company data, user lists, or private customer details. |
| XSS Attack | Cross-Site Scripting (XSS) attacks are a type of injection in which an attacker uses a web application to send malicious code to a different end user. |
| Shellshock attack | This arbitrary code execution vulnerability offers a way for users of a particular system to execute commands that should not be available to them. |
| Remote File Inclusion | An attack vector that targets vulnerabilities in web applications that dynamically reference external scripts. |
| Apache Struts Exploit | In Apache Struts v1, a vulnerability was discovered that allowed malicious users to exploit the Object-Graph Navigation Language (OGNL). |
| Local File Inclusion | The exploitation of vulnerable file-inclusion procedures implemented in the application; this vulnerability injects files that are already present locally on the server. |
| Common Web Application Vulnerabilities | Requests that could attempt to access common backdoors. |
| Web Shell Execution Attempt | A malicious script used to escalate and maintain persistent access on an already compromised web application. This is most commonly a post-exploitation attack. |
| Protocol Attack | Attacks designed to consume the processing capacity of a network infrastructure resource such as a server, firewall, or load balancer. |
| CSRF | Cross-Site Request Forgery (CSRF) exploits a web application that cannot differentiate between a request deliberately made by a user and one issued on that user's behalf without their consent. |
| Open Redirect | An open redirect vulnerability exists when the redirect destination is supplied by the client and is not filtered or validated. |
| Shell Injection | A vulnerability that allows an attacker to execute arbitrary operating system commands on the server running an application. |
| Code Injection | Attacks that inject code which is then interpreted or executed by the application. These attacks are usually made possible by a lack of proper input/output validation. |
| Sensitive Data Exposure | Attacks that specifically target sensitive data in order to expose critical information about the company, its customers, or its users. |
| XML External Entity | Occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. |
| Personal Identifiable Information | Vulnerabilities that do not properly protect personally identifiable information (PII). |
| Server-Side Template Injection | Occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. |
All of these rules, with the exception of Open Redirect and Personal Identifiable Information, are enabled by default in order to provide the best user experience. To enable or disable a protection vector, click its toggle switch to turn it on or off.