Skip to main content

OWASP threats

The WAF & OWASP Top 10 policy group contains a robust set of policies that protect your application against the most critical security risks standardized by the Open Web Application Security Project (OWASP).

Some policies in this policy group also block the response phase of a request to prevent data leakage. For example, the Personally identifiable information (PII) policy can block a response if personal or private information is detected. In such cases, the request will return a status code 200 OK, but the response will be blocked.

Configure OWASP Threats rules

You can review the OWASP Threats rules and enable or disable them in the CDB Technical Web Portal:

  1. Navigate to WAAP > Default Rules.

  2. In the domain dropdown at the top of the page, select the needed domain.

  3. Click the OWASP Threats tab to view and adjust the rules.

The following table features the full list of policies that you can configure as part of the WAF & OWASP top threats policy group. These policies correspond to the most common types of threats.

PolicyDescription
SQL injectionIn this form of attack, hackers use malicious SQL code to manipulate the backend of a database and access sensitive information such as company data, user lists, or private customer details.

Enable the policy to detect and block any attempts to alter database queries.
Cross-site scripting (XSS)XSS attacks happen when an attacker uses a web application to send malicious code to a different user.

Enable the policy to detect and prevent XSS attacks by analyzing incoming requests for malicious script injections and blocking the execution of such scripts.
Shellshock exploitThis is a Bash shell vulnerability that can be exploited by attackers to execute arbitrary code and potentially harmful commands.

By enabling the policy, you protect your application against malicious attempts to inject unauthorized commands into Bash environments.
Remote file inclusion (RFI)This attack exploits vulnerabilities in web applications that dynamically reference external scripts.

Enable the policy to protect against unauthorized inclusion of remote files.
Apache Struts exploitApache Struts v1 contains a vulnerability that allows malicious users to exploit the Object-Graph Navigation Language (OGNL).

Enable the policy to safeguard your web application against malicious exploits that target vulnerabilities in the Apache framework.
Local file inclusion (LFI)Some attackers can exploit vulnerable inclusion procedures in a web application by injecting files that already exist on a server.

Enable the policy to defend against the unauthorized inclusion of local files.
Common web application vulnerabilitiesEnable the policy to protect your application against a range of prevalent web vulnerabilities.
Web shell execution preventionMalicious scripts are often used to escalate and maintain persistent access to compromised web applications. This is a common post-exploitation attack.

Enable the policy to block any attempts to execute web shell scripts and to gain unauthorized access to your application.
Protocol attackThese types of attacks are designed to eat up the processing capacity of a network infrastructure resource like a server, firewall, or load balancer.

Enable the policy to block any attempts to inject and manipulate headers or query parameters through sanitation of insufficient user input.
Cross-site request forgery (CSRF)CSRF is an attack that exploits a vulnerability in a web application. This happens if the application can't differentiate between a request generated by an individual user and a request initiated without their consent.

Enable the policy to prevent such attacks and ensure the integrity of user interactions with your application.
Open redirectThis vulnerability occurs when attackers exploit unfiltered or unvalidated redirect destinations provided by a client.

Enable the policy to defend against unauthorized and potentially malicious URL redirects.
Shell injectionThis vulnerability allows an attacker to execute arbitrary operating system commands on the server running an application.

Enable the policy to block malicious attempts to inject unauthorized commands into web application shells.
Code injectionThis attack involves injecting malicious code that is interpreted or executed by the application. This is usually possible due to a lack of proper input and output validation.

Enable the policy to prevent any attempts to inject unauthorized code or commands into web applications.
Sensitive data exposureThese attacks target sensitive data, aiming to expose critical information about the company, its customers, or its users.

Enable the policy to protect against the accidental exposure of application-related data.
XML External Entity (XXE)This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Enable the policy to ensure the security and integrity of your XML-based data.
Personally identifiable informationWhen personally identifiable information (PII) isn't properly protected, it can cause a security vulnerability and lead to data leakage.

Enable the policy to prevent accidental exposure of personal data by searching for private information in the web application responses.
Server-side template injectionSome attackers can use native template syntax to inject a malicious payload into a template and then execute it on the server.

Enable the policy to block attempts to inject unauthorized code into your web application templates.
LLM AttackAttackers exploit Large Language Model integrations to perform prompt injection (OWASP LLM01) and supply chain attacks (OWASP LLM05).

Enable the policy to block requests that match known LLM-targeted attack patterns.

The WAAP API exposes two endpoints for the WAF & OWASP Threats group: list all rule states, and toggle individual policies on or off. Response examples include only the fields used in each step.

An API token is required, along with the ID of a WAAP-protected domain and the Python or Go SDK installed for SDK examples.

Set these environment variables before running the examples:

export GCORE_API_KEY="{YOUR_API_KEY}"
export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"

View policy states

Returns the current enabled or disabled state of every OWASP Threats rule for the domain.

import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

rule_sets = client.waap.domains.list_rule_sets(domain_id)
owasp_set = next(
    rs for rs in rule_sets if rs.resource_slug == "core-waf-owasp-top-threats"
)
for rule in owasp_set.rules:
    status = "enabled" if rule.mode else "disabled"
    print(f"{rule.id}: {rule.name} - {status}")
package main

import (
	"context"
	"fmt"
	"os"
	"strconv"

	gcore "github.com/G-Core/gcore-go"
	"github.com/G-Core/gcore-go/option"
)

func main() {
	client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
	domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

	ruleSets, err := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, rs := range *ruleSets {
		if rs.ResourceSlug == "core-waf-owasp-top-threats" {
			for _, rule := range rs.Rules {
				status := "disabled"
				if rule.Mode {
					status = "enabled"
				}
				fmt.Printf("%s: %s - %s\n", rule.ID, rule.Name, status)
			}
		}
	}
}
curl -X GET "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/$WAAP_DOMAIN_ID/rule-sets" \
  -H "Authorization: APIKey $GCORE_API_KEY"

Response:

[
  {
    "id": 2,
    "name": "WAF and OWASP top threats",
    "resource_slug": "core-waf-owasp-top-threats",
    "rules": [
      {
        "id": "S3008871",
        "name": "SQL injection",
        "action": "Block",
        "mode": true
      },
      // ...
    ]
  }
]

The response contains all rule sets for the domain. Filter by resource_slug value core-waf-owasp-top-threats to find the OWASP group. Each rule has a mode field — true means enabled, false means disabled.

Toggle a policy

Flips the state of one policy — enabled becomes disabled, disabled becomes enabled. No request body is required.

ParameterRequiredDescription
policy_idYesID of the policy to toggle, obtained from the View policy states response.
domain_idYesID of the WAAP-protected domain.
import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

# Find the policy ID by name
rule_sets = client.waap.domains.list_rule_sets(domain_id)
owasp_set = next(
    rs for rs in rule_sets if rs.resource_slug == "core-waf-owasp-top-threats"
)
policy = next(r for r in owasp_set.rules if r.name == "Open redirect")

result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
status = "enabled" if result.mode else "disabled"
print(f"Policy is now {status}")
package main

import (
	"context"
	"fmt"
	"os"
	"strconv"

	gcore "github.com/G-Core/gcore-go"
	"github.com/G-Core/gcore-go/option"
	"github.com/G-Core/gcore-go/waap"
)

func main() {
	client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
	domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

	// Find the policy ID by name
	ruleSets, err := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
	if err != nil {
		fmt.Println(err)
		return
	}
	var policyID string
	for _, rs := range *ruleSets {
		if rs.ResourceSlug == "core-waf-owasp-top-threats" {
			for _, rule := range rs.Rules {
				if rule.Name == "Open redirect" {
					policyID = rule.ID
				}
			}
		}
	}

	result, err := client.Waap.Domains.Policies.Toggle(
		context.Background(),
		policyID,
		waap.DomainPolicyToggleParams{DomainID: domainID},
	)
	if err != nil {
		fmt.Println(err)
		return
	}
	status := "disabled"
	if result.Mode {
		status = "enabled"
	}
	fmt.Printf("Policy is now %s\n", status)
}
# Set POLICY_ID to the ID from the View policy states response
curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/$WAAP_DOMAIN_ID/policies/$POLICY_ID/toggle" \
  -H "Authorization: APIKey $GCORE_API_KEY"

Response:

{"mode": true}

The API returns the updated policy state. Call the endpoint again to flip the policy back.

Policy reference