The Pattern Recognition web application security engine protects against malicious input such as SQL Injection and Cross-Site Scripting. The patterns are regular-expression based and designed to identify a wide array of application-level attack methods efficiently and accurately, which keeps dotDefender's false positive rate low.
Complete whitelist functionality lets you customize the Pattern Recognition rules according to each organization's security policy. A whitelist defines specific users, pages, or actions that dotDefender will always permit. For example, you can configure rules that block access to a server application or, conversely, allow unrestricted access so that its requests are not checked at all, and you can exempt particular web pages or directories from inspection entirely. Whitelist rules are evaluated before all other dotDefender protection rules and signatures, so a request that matches a whitelist rule bypasses every signature that follows; keep whitelist entries as narrow as the application allows.
The engine also supports paranoid security: a predefined collection of stricter rules that delivers a higher level of security but may sometimes interfere with web application usability. Use this category to tighten security for sensitive applications or functionality (e.g., login, credit card and personal-detail pages).
Predefined rules designed to identify attack methods
The Pattern Recognition security engine identifies patterns that enable prevention of the following types of application-level attacks:
- Encoding attacks
Encoding is a method of representing characters in different ways for use in computer systems. ASCII (American Standard Code for Information Interchange) and UTF (Unicode Transformation Format, e.g. UTF-8) are examples: the same text can be represented in several byte forms, all of which a web server will decode. An encoding attack uses this to disguise an attack string from security tools, for example with URL (percent) encoding, hexadecimal or UTF encoding, or by encoding the string twice. The decoded result is a malicious phrase injected into a URL, parameter, or request metadata, so a filter must canonicalize input before matching patterns against it.
- SQL Injection
SQL (Structured Query Language) is the interface used to query and modify a database. A database usually stores data in tables and may also expose stored procedures.
SQL injection is an attack method that aims to reach the back-end database through the web application in order to read, modify, or delete its data. The attacker supplies input that is placed into a query without proper separation between code and data, so the input becomes part of the query the database executes.
- Cross-Site Scripting
Scripting is a programming technique in which a set of instructions is executed by another program (such as a browser); it is used to create dynamic pages in web applications. Cross-site scripting is a client-side attack in which an attacker uses a web application to deliver malicious script to another user of the same application. It is most common in dynamically generated pages that embed user-supplied content, and the script runs automatically when the victim's browser renders the HTML page that contains it.
As a result, the user's browser treats the script as if it originated from the trusted site, so the injected code runs with access to cookies, session tokens, or any other sensitive information that the site's own scripts can reach.
There are two types of cross-site scripting:
- Stored attacks - these occur when the injected malicious code is stored on the target server, for example in a bulletin board, a visitor log, or a comment field. The victim retrieves and executes the malicious code from the server when interacting with it.
- Reflected attacks - these occur when the user is tricked into clicking a malicious link or submitting a manipulated form crafted by the attacker. The injected code travels to the vulnerable web server, which reflects it back into the response to the user's browser. The browser then executes the malicious code, assuming it comes from a trusted server.
- Path Traversal
A URL is a web address that the web server translates into a path to specific directories and files on the server.
Path traversal is an attack that alters the requested path into one chosen by the attacker, in order to reach internal libraries, folders, and files that are otherwise inaccessible to external users.
Path traversal is implemented with ordinary OS path syntax, such as repeated “/../../../..” sequences (and their encoded variants) to move up and out of the web root into other server directories and files.
- Probing
Probing is reconnaissance aimed at collecting information about a web server and its applications, based on common practices and educated guesses. Attackers send probes looking for common weaknesses and for third-party software with known vulnerabilities; the information gathered is then used to breach the server.
- OS Command Execution
Command execution is an attack in which the attacker uses the web application to run OS commands or programs installed on the server. It often follows or is combined with SQL injection, path traversal, or other attacks. The commands run with the privileges of the web application process, which typically include access to the database, the file system, and OS utilities, so the privileges granted to that process bound the damage an attacker can do.
- Cookie Manipulation
Cookies are commonly used to store user identification and privilege information. Cookie manipulation covers a range of attack methods that tamper with cookie values, or deceive the web server into issuing cookies the attacker is not authorized to receive, in order to gain unauthorized access to the web server. CRLF injection (Carriage Return/Line Feed), in which injected line breaks let the attacker append a Set-Cookie header to a response, is one example.
- Windows Default Directories and Files
Windows directories and files are default components created when IIS and related applications (such as FrontPage or the IIS sample pages) are installed. These default components have known weaknesses that an attacker may use to breach the server, and requests for them are a common sign of probing; they should not be present on a production server.
- XML Schema
An XML Schema is a document that formally describes the structure, elements, and parameters of an XML-based language; it is used in web services and XML-based applications. Because the schema describes all of the service's available functions and data types, attackers may use it to discover vulnerabilities in the application.
- XPath Injection
XPath is a language used to select parts of an XML document. Attackers may insert malicious expressions into XML parameters to gain access to the web server or to retrieve data from the XML store.
The protection methods are the same as for SQL injection.
- XPath Cross-Site Scripting
Attackers may also insert script into XML parameters that are later rendered into a web page, producing cross-site scripting: the script is delivered to another user of the same application and runs automatically when that user's browser opens the HTML page in which it is embedded, as described under Cross-Site Scripting above.
The protection methods are the same as for cross-site scripting.
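The following Python script is an added example, not dotDefender's code or rule set, showing the mechanics the sections above describe: input is canonicalized (IIS-style %uXXXX, repeated percent-decoding to defeat double encoding, Unicode compatibility normalization, path-separator and case folding) before any regular expression sees it; a standard rule tier covers SQL injection, cross-site scripting, path traversal, and CRLF injection; a "paranoid" tier is applied only to sensitive paths; and whitelist rules are evaluated before everything else. The rule names, path prefixes, regular expressions, and sample requests are all constructed for illustration and are deliberately simpler than a production signature set.

```python
import re
import unicodedata
from urllib.parse import unquote

# Standard rule tier (constructed for this example). Patterns are matched against
# the normalized (decoded, lowercased) value, never against the raw request.
STANDARD_RULES = {
    "sqli": re.compile(
        r"\bunion\s+select\b"                              # UNION-based extraction
        r"|['\"]\s*(?:or|and)\b\s*['\"\w]+\s*=\s*['\"\w]+"  # ' or 1=1 / ' or '1'='1
        r"|;\s*(?:drop|insert|update|delete)\b"),           # stacked statements
    "xss": re.compile(r"<\s*script\b|javascript\s*:|[\s\"'/]on[a-z]+\s*="),
    "path_traversal": re.compile(r"(?:^|/)\.\.(?:/|$)"),   # ../ after decoding and \ -> /
    "crlf_injection": re.compile(r"[\r\n]"),               # decoded %0d%0a in a value
}
# Paranoid tier: any quote or SQL comment token. Tighter, but breaks legitimate input
# such as names with apostrophes, so it is only applied under SENSITIVE_PREFIXES.
PARANOID_RULES = {"paranoid_quote_or_comment": re.compile(r"['\"]|--|/\*")}
SENSITIVE_PREFIXES = ("/login", "/checkout")
# Whitelist: paths exempt from all inspection. Evaluated first, before any rule runs.
WHITELIST_PREFIXES = ("/internal/report-editor",)

_UENC = re.compile(r"%u([0-9a-fA-F]{4})")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalize one input the way a pattern engine must before matching.

    Decodes %uXXXX, then percent-decodes repeatedly (so %2527 becomes ' on the
    second round), applies NFKC (fullwidth '．／' become './'), unifies path
    separators and case. Overlong UTF-8 such as %c0%ae is replaced with U+FFFD
    by the decoder rather than being accepted as '.'.
    """
    s = value
    for _ in range(max_rounds):
        decoded = _UENC.sub(lambda m: chr(int(m.group(1), 16)), s)
        decoded = unquote(decoded, errors="replace")
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s)
    return s.replace("\\", "/").lower()


def inspect(path: str, params: dict, headers: dict) -> tuple:
    """Return ("allow" | "block", [matched rule names]).

    Order of evaluation: whitelist first (a match skips every rule), then the
    standard tier on the path, every parameter value and every header value,
    plus the paranoid tier when the path is under a sensitive prefix.
    """
    norm_path = normalize(path)
    if norm_path.startswith(WHITELIST_PREFIXES):
        return "allow", ["whitelisted"]
    rules = dict(STANDARD_RULES)
    if norm_path.startswith(SENSITIVE_PREFIXES):
        rules.update(PARANOID_RULES)
    matched = []
    fields = [norm_path, *map(normalize, params.values()), *map(normalize, headers.values())]
    for field in fields:
        for name, rx in rules.items():
            if name not in matched and rx.search(field):
                matched.append(name)
    return ("block" if matched else "allow"), matched


# Constructed sample requests: (path, query/form parameters, headers).
SAMPLE_REQUESTS = [
    ("/products", {"id": "42"}, {}),
    ("/products", {"id": "42%27%20OR%201%3D1--"}, {}),                 # URL-encoded SQLi
    ("/search", {"q": "%253Cscript%253Ealert(1)%253C/script%253E"}, {}),  # double-encoded XSS
    ("/download", {"file": "..%2f..%2fwindows%2fwin.ini"}, {}),          # encoded traversal
    ("/download", {"file": "%u002e%u002e%2f..%5c"}, {}),                 # %u + backslash traversal
    ("/login", {"user": "alice", "pass": "s3cret"}, {}),
    ("/login", {"user": "o'brien", "pass": "x"}, {}),                    # paranoid tier false positive
    ("/profile", {"name": "o'brien"}, {}),                               # standard tier allows it
    ("/account", {}, {"Cookie": "session=abc%0d%0aSet-Cookie:%20admin=1"}),  # CRLF injection
    ("/internal/report-editor", {"sql": "select * from t where a='x' or '1'='1"}, {}),  # whitelisted
]


def run_samples() -> list:
    """Inspect every sample request and return (path, verdict, rules) triples."""
    return [(p, *inspect(p, q, h)) for p, q, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, verdict, rules in run_samples():
        print(f"{verdict:5s} {path:28s} {', '.join(rules)}")
```

Two trade-offs the sample output makes visible are the ones the sections above warn about: the paranoid tier blocks a legitimate apostrophe in a login name that the standard tier lets through on /profile, and the whitelisted path lets an obvious injection through without any inspection, which is why whitelist entries should cover the smallest scope that the application needs.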