What Sqreen detects and protects you from

Sqreen is based on security plugins, each has a clear responsibility and protection scope.


In-app protection

Unlike application security testing, which only finds hypothetical vulnerabilities in code, or Web Application Firewalls (WAFs), which only block attacks based on simple patterns and therefore produce many false positives, Sqreen uses the full application context to block attacks accurately in real time.

Sqreen blocks individual requests, not IP addresses or users.

Sqreen can also detect attackers before they attack, by watching for activity patterns that indicate someone is probing your web application for exploitable vulnerabilities. This activity is shown in your dashboard, but it does not trigger alerts, so you are not bothered when it is not critical.

Out of the box, Sqreen protects against vulnerabilities at the data layer (SQL injection), in the browser (cross-site scripting, XSS), at the user level (account takeover) and at the application and network level.

Here's an overview of the vulnerabilities covered by Sqreen:

  • SQL Injections (SQLi) - OWASP A1 - Detected & Blocked
  • NoSQL injections (NoSQLi) - OWASP A1 - Detected & Blocked
  • Command Injection - OWASP A1 - Detected & Blocked
  • Cross-Site Scripting (XSS) - OWASP A3 - Detected & Blocked
  • Usage of third-party libraries with known vulnerabilities - OWASP A9 - Detected
  • Shellshock attacks - OWASP A9 - Detected & Blocked
  • Web vulnerability scanners, bots, and crawlers - Detected & Blocked
  • Peaks of HTTP errors (40x/50x) related to security - Detected
  • Content Security Policy (CSP) violations - Detected & Blocked
  • Security Scans, Bots and crawlers - Detected & Blocked
  • Local File Inclusion - Detected & Blocked

The full list of plugins is here.

Sqreen links these attacks to authenticated users so that you can identify attackers, or users at risk, as early as possible.

How does Sqreen protect my users?

Your customers' data is valuable. Protecting your customers means reacting quickly when criminals try to take over their accounts and commit fraud. Sqreen detects and notifies you about attacks targeting your customers and about unusual user behavior.

Here are the attacks and suspicious behaviors that Sqreen will detect:

  • Account Takeovers - OWASP A2
  • Brute-force attacks - OWASP A2
  • DarkNet/Tor or VPN connections
  • Suspicious geolocations
  • IP and email reputation
  • Simultaneous geolocations
  • Peaks of account creation
  • Account enumeration

The full list of user-related plugins is here.

Getting the most out of modern browser protection

Sqreen can enable security headers in your application in a single click. You can enable or disable these headers at any time for each of your apps. Visit the related security plugins in your Security Hub to manage these browser directives.

XSS Protection (X-XSS-Protection)

Cross-site scripting (XSS) is one of the most common and dangerous types of attack on the web: it is often used to inject malicious code into your app to extract data about a logged-in user, or to abuse that user's privileges to perform actions that are not available by default. Setting the X-XSS-Protection header lets modern browsers block reflected XSS attacks.

Clickjacking protection (X-Frame-Options)

Setting an X-Frame-Options header protects your application from someone wrapping your site in a page they control and displaying your page inside an iframe. Without it, attackers can trick your users into clicking on parts of your website that are hidden inside an iframe (these are known as clickjacking attacks). You can completely block rendering of your site inside a frame by setting the header to DENY, allow it to be rendered only by other pages from the same origin with SAMEORIGIN, or specify a list of whitelisted domains with ALLOW-FROM.

MIME sniffing protection (X-Content-Type-Options)

Some browsers guess the type of a file being transferred by default. This lets the browser render a file as HTML if the content looks like HTML, even if the server says the file is plain text, which can be used as a vector for running untrusted JavaScript. Setting the X-Content-Type-Options header to nosniff forces browsers to respect the server-specified file type.

Content Security Policy (CSP)

Content Security Policy takes a little effort to implement. A Content Security Policy (CSP) header lists all the domains and resources your app is authorized to use. If a user loads a page into which an attacker has injected a malicious resource, the browser still loads your page but refuses to load the attacker's resource. One side effect of using this header is that whenever you add new assets to your application, you must update your Content Security Policy accordingly.

Sqreen helps you build a robust policy faster by recording the domains from which assets are loaded, pre-filtering the illegitimate ones and leaving you the final decision to add the ones you trust.

Visit App Protection to enable monitoring mode and let Sqreen learn from your traffic. You can also read more about CSP in this post.
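As an added example (not Sqreen's own code), the following JavaScript shows the workflow described above: it builds a CSP header from asset loads recorded in monitoring mode, keeping 'self' plus only the origins you marked as trusted, and then checks whether a given resource would be allowed by that policy. The app origin, the recorded loads and the trust decisions are constructed sample values.

```javascript
// Added example, not Sqreen's code: derive a CSP from recorded asset loads,
// then decide whether a resource is allowed by it. Sample data is constructed.
const OWN_ORIGIN = 'https://app.example.com'; // assumption: the app's own origin

// Constructed sample of asset loads recorded in monitoring mode.
// `trusted` is the reviewer's final decision for that source.
const recordedLoads = [
  { directive: 'script-src', url: 'https://cdn.example-assets.com/app.js', trusted: true },
  { directive: 'img-src',    url: 'https://images.example.com/logo.png',   trusted: true },
  { directive: 'script-src', url: 'https://evil.example.net/miner.js',     trusted: false },
  { directive: 'script-src', url: 'https://app.example.com/main.js',       trusted: true },
];

// Build a policy string: every directive starts with 'self';
// only trusted third-party origins are added (untrusted ones are filtered out).
function buildPolicy(loads, ownOrigin = OWN_ORIGIN) {
  const sources = {};
  for (const { directive, url, trusted } of loads) {
    sources[directive] = sources[directive] || new Set(["'self'"]);
    const origin = new URL(url).origin;
    if (trusted && origin !== ownOrigin) sources[directive].add(origin);
  }
  return Object.entries(sources)
    .map(([directive, set]) => `${directive} ${[...set].join(' ')}`)
    .join('; ');
}

// Parse a policy string back into { directive: Set(sources) }.
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const [directive, ...srcs] = part.trim().split(/\s+/);
    if (directive) out[directive] = new Set(srcs);
  }
  return out;
}

// Would a browser load `url` under `directive` with this policy?
// Mirrors CSP origin matching for the origin-only sources built above
// (falls back to default-src; no matching directive means no restriction).
function isAllowed(policy, directive, url, ownOrigin = OWN_ORIGIN) {
  const parsed = parsePolicy(policy);
  const sources = parsed[directive] || parsed['default-src'];
  if (!sources) return true;
  const origin = new URL(url).origin;
  if (sources.has("'self'") && origin === ownOrigin) return true;
  return sources.has(origin);
}
```

Serving the result of `buildPolicy` as the Content-Security-Policy header is what lets the browser load your page while refusing the attacker-injected resource; any new asset origin must be added to the recorded loads and the policy rebuilt.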


Are attacks blocked?

Yes.

  • When the related security plugin is enabled and the application is in protection mode, vulnerabilities are prevented and attacks are blocked in real time.
  • In monitoring-only mode, Sqreen only monitors and reports vulnerabilities and attacks.

What happens when Sqreen blocks a vulnerability?

When a vulnerability is detected, Sqreen by default returns an HTTP 403 response to the malicious request. You can customize this response per app in your app's security settings.