> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# OWASP threats

export const MethodSection = ({children}) => children ?? null;

export const MethodSwitch = ({children}) => {
  const tabs = React.Children.toArray(children).map(c => {
    if (!c || !c.props) return null;
    if (c.props.id) return c;
    const inner = c.props.children;
    if (inner && inner.props && inner.props.id) return inner;
    return null;
  }).filter(Boolean);
  const firstId = tabs.length > 0 ? tabs[0].props.id : "";
  const [active, setActive] = React.useState(firstId);
  React.useEffect(() => {
    try {
      const saved = localStorage.getItem("gcore_docs_method");
      if (saved && tabs.find(t => t.props.id === saved)) {
        setActive(saved);
      }
    } catch (_) {}
  }, []);
  React.useEffect(() => {
    try {
      document.querySelectorAll("h2[id], h3[id]").forEach(heading => {
        const visible = heading.offsetParent !== null;
        document.querySelectorAll(`a[href="#${heading.id}"]`).forEach(link => {
          if (link.closest("h1,h2,h3,h4,h5,h6")) return;
          const li = link.closest("li");
          if (li) li.style.display = visible ? "" : "none";
        });
      });
    } catch (_) {}
    window.dispatchEvent(new Event("scroll"));
  }, [active]);
  const handleClick = id => {
    setActive(id);
    try {
      localStorage.setItem("gcore_docs_method", id);
    } catch (_) {}
  };
  return <div>
      <div className="not-prose flex gap-0 border-b border-zinc-200 dark:border-zinc-800 mb-8 mt-2" role="tablist">
        {tabs.map(tab => {
    const isActive = active === tab.props.id;
    return <button key={tab.props.id} role="tab" aria-selected={isActive} onClick={() => handleClick(tab.props.id)} className={["px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors cursor-pointer", isActive ? "border-primary text-primary" : "border-transparent text-zinc-500 hover:text-zinc-800 dark:hover:text-zinc-200"].join(" ")}>
              {tab.props.label}
            </button>;
  })}
      </div>

      {tabs.map(tab => <div key={tab.props.id} style={{
    display: active === tab.props.id ? "" : "none"
  }}>
          {tab.props.children}
        </div>)}
    </div>;
};

<MethodSwitch>
  <MethodSection id="portal" label="Customer Portal">
    <p>The WAF & OWASP Top 10 policy group contains a robust set of policies that protect your application against the most critical security risks standardized by the [Open Web Application Security Project (OWASP)](https://owasp.org/).</p>

    <p>Some policies in this policy group also block the response phase of a request to prevent data leakage. For example, the Personally identifiable information (PII) policy can block a response if personal or private information is detected. In such cases, the request will return a status code **200 OK**, but the response will be blocked.</p>

    ## Configure OWASP Threats rules

    <p>You can review the OWASP Threats rules and enable or disable them in the [Gcore Customer Portal](https://portal.gcore.com/accounts/reports/dashboard):</p>

    1. Navigate to **WAAP** > **Default Rules**.

    2. In the domain dropdown at the top of the page, select the needed domain.

    3. Click the **OWASP Threats** tab to view and adjust the rules.

    <p>The following table features the full list of policies that you can configure as part of the WAF & OWASP top threats policy group. These policies correspond to the most common types of threats.</p>

    | Policy                                     | Description                                                                                                                                                                                                                                                                                                                                             |
    | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | **SQL injection**                          | In this form of attack, hackers use malicious SQL code to manipulate the backend of a database and access sensitive information such as company data, user lists, or private customer details. <br /> <br /> Enable the policy to detect and block any attempts to alter database queries.                                                              |
    | **Cross-site scripting (XSS)**             | XSS attacks happen when an attacker uses a web application to send malicious code to a different user. <br /> <br /> Enable the policy to detect and prevent XSS attacks by analyzing incoming requests for malicious script injections and blocking the execution of such scripts.                                                                     |
    | **Shellshock exploit**                     | This is a Bash shell vulnerability that can be exploited by attackers to execute arbitrary code and potentially harmful commands. <br /> <br /> By enabling the policy, you protect your application against malicious attempts to inject unauthorized commands into Bash environments.                                                                 |
    | **Remote file inclusion (RFI)**            | This attack exploits vulnerabilities in web applications that dynamically reference external scripts. <br /> <br /> Enable the policy to protect against unauthorized inclusion of remote files.                                                                                                                                                        |
    | **Apache Struts exploit**                  | Apache Struts v1 contains a vulnerability that allows malicious users to exploit the Object-Graph Navigation Language (OGNL). <br /> <br /> Enable the policy to safeguard your web application against malicious exploits that target vulnerabilities in the Apache framework.                                                                         |
    | **Local file inclusion (LFI)**             | Some attackers can exploit vulnerable inclusion procedures in a web application by injecting files that already exist on a server. <br /> <br /> Enable the policy to defend against the unauthorized inclusion of local files.                                                                                                                         |
    | **Common web application vulnerabilities** | Enable the policy to protect your application against a range of prevalent web vulnerabilities.                                                                                                                                                                                                                                                         |
    | **Web shell execution prevention**         | Malicious scripts are often used to escalate and maintain persistent access to compromised web applications. This is a common post-exploitation attack. <br /> <br /> Enable the policy to block any attempts to execute web shell scripts and to gain unauthorized access to your application.                                                         |
    | **Protocol attack**                        | These types of attacks are designed to eat up the processing capacity of a network infrastructure resource like a server, firewall, or load balancer. <br /> <br /> Enable the policy to block any attempts to inject and manipulate headers or query parameters through sanitation of insufficient user input.                                         |
    | **Cross-site request forgery (CSRF)**      | CSRF is an attack that exploits a vulnerability in a web application. This happens if the application can't differentiate between a request generated by an individual user and a request initiated without their consent. <br /> <br /> Enable the policy to prevent such attacks and ensure the integrity of user interactions with your application. |
    | **Open redirect**                          | This vulnerability occurs when attackers exploit unfiltered or unvalidated redirect destinations provided by a client. <br /> <br /> Enable the policy to defend against unauthorized and potentially malicious URL redirects.                                                                                                                          |
    | **Shell injection**                        | This vulnerability allows an attacker to execute arbitrary operating system commands on the server running an application. <br /> <br /> Enable the policy to block malicious attempts to inject unauthorized commands into web application shells.                                                                                                     |
    | **Code injection**                         | This attack involves injecting malicious code that is interpreted or executed by the application. This is usually possible due to a lack of proper input and output validation. <br /> <br /> Enable the policy to prevent any attempts to inject unauthorized code or commands into web applications.                                                  |
    | **Sensitive data exposure**                | These attacks target sensitive data, aiming to expose critical information about the company, its customers, or its users. <br /> <br /> Enable the policy to protect against the accidental exposure of application-related data.                                                                                                                      |
    | **XML External Entity (XXE)**              | This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. <br /> <br /> Enable the policy to ensure the security and integrity of your XML-based data.                                                                                                                             |
    | **Personally identifiable information**    | When personally identifiable information (PII) isn't properly protected, it can cause a security vulnerability and lead to data leakage. <br /> <br /> Enable the policy to prevent accidental exposure of personal data by searching for private information in the web application responses.                                                         |
    | **Server-side template injection**         | Some attackers can use native template syntax to inject a malicious payload into a template and then execute it on the server. <br /> <br /> Enable the policy to block attempts to inject unauthorized code into your web application templates.                                                                                                       |
    | **LLM Attack**                             | Attackers exploit Large Language Model integrations to perform prompt injection (OWASP LLM01) and supply chain attacks (OWASP LLM05). <br /> <br /> Enable the policy to block requests that match known LLM-targeted attack patterns.                                                                                                                  |
  </MethodSection>

  <MethodSection id="api" label="REST API">
    <p>The [WAAP API](/api-reference/waap#policies) exposes two endpoints for the WAF & OWASP Threats group: list all rule states, and toggle individual policies on or off. Response examples include only the fields used in each step.</p>

    <Info>
      An [API token](/account-settings/api-tokens) is required, along with the ID of a [WAAP-protected domain](/waap/getting-started/configure-waap-for-a-domain) and the [Python](/developer-tools/sdks/python) or [Go](/developer-tools/sdks/go) SDK installed for SDK examples.
    </Info>

    <p>Set these environment variables before running the examples:</p>

    ```bash theme={null}
    export GCORE_API_KEY="{YOUR_API_KEY}"
    export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"
    ```

    ## View policy states

    <p>Returns the current enabled or disabled state of every OWASP Threats rule for the domain.</p>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        owasp_set = next(
            rs for rs in rule_sets if rs.resource_slug == "core-waf-owasp-top-threats"
        )
        for rule in owasp_set.rules:
            status = "enabled" if rule.mode else "disabled"
            print(f"{rule.id}: {rule.name} - {status}")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
        	"context"
        	"fmt"
        	"os"
        	"strconv"

        	gcore "github.com/G-Core/gcore-go"
        	"github.com/G-Core/gcore-go/option"
        )

        func main() {
        	client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
        	domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

        	ruleSets, err := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
        	if err != nil {
        		fmt.Println(err)
        		return
        	}
        	for _, rs := range *ruleSets {
        		if rs.ResourceSlug == "core-waf-owasp-top-threats" {
        			for _, rule := range rs.Rules {
        				status := "disabled"
        				if rule.Mode {
        					status = "enabled"
        				}
        				fmt.Printf("%s: %s - %s\n", rule.ID, rule.Name, status)
        			}
        		}
        	}
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        curl -X GET "https://api.gcore.com/waap/v1/domains/$WAAP_DOMAIN_ID/rule-sets" \
          -H "Authorization: APIKey $GCORE_API_KEY"
        ```

        Response:

        ```json theme={null}
        [
          {
            "id": 2,
            "name": "WAF and OWASP top threats",
            "resource_slug": "core-waf-owasp-top-threats",
            "rules": [
              {
                "id": "S3008871",
                "name": "SQL injection",
                "action": "Block",
                "mode": true
              },
              // ...
            ]
          }
        ]
        ```
      </Tab>
    </Tabs>

    <p>The response contains all rule sets for the domain. Filter by `resource_slug` value `core-waf-owasp-top-threats` to find the OWASP group. Each rule has a `mode` field — `true` means enabled, `false` means disabled.</p>

    ## Toggle a policy

    <p>Flips the state of one policy — enabled becomes disabled, disabled becomes enabled. No request body is required.</p>

    | Parameter   | Required | Description                                                                                       |
    | ----------- | -------- | ------------------------------------------------------------------------------------------------- |
    | `policy_id` | Yes      | ID of the policy to toggle, obtained from the [View policy states](#view-policy-states) response. |
    | `domain_id` | Yes      | ID of the WAAP-protected domain.                                                                  |

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        # Find the policy ID by name
        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        owasp_set = next(
            rs for rs in rule_sets if rs.resource_slug == "core-waf-owasp-top-threats"
        )
        policy = next(r for r in owasp_set.rules if r.name == "Open redirect")

        result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
        status = "enabled" if result.mode else "disabled"
        print(f"Policy is now {status}")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
        	"context"
        	"fmt"
        	"os"
        	"strconv"

        	gcore "github.com/G-Core/gcore-go"
        	"github.com/G-Core/gcore-go/option"
        	"github.com/G-Core/gcore-go/waap"
        )

        func main() {
        	client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
        	domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

        	// Find the policy ID by name
        	ruleSets, err := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
        	if err != nil {
        		fmt.Println(err)
        		return
        	}
        	var policyID string
        	for _, rs := range *ruleSets {
        		if rs.ResourceSlug == "core-waf-owasp-top-threats" {
        			for _, rule := range rs.Rules {
        				if rule.Name == "Open redirect" {
        					policyID = rule.ID
        				}
        			}
        		}
        	}

        	result, err := client.Waap.Domains.Policies.Toggle(
        		context.Background(),
        		policyID,
        		waap.DomainPolicyToggleParams{DomainID: domainID},
        	)
        	if err != nil {
        		fmt.Println(err)
        		return
        	}
        	status := "disabled"
        	if result.Mode {
        		status = "enabled"
        	}
        	fmt.Printf("Policy is now %s\n", status)
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        # Set POLICY_ID to the ID from the View policy states response
        curl -X PATCH "https://api.gcore.com/waap/v1/domains/$WAAP_DOMAIN_ID/policies/$POLICY_ID/toggle" \
          -H "Authorization: APIKey $GCORE_API_KEY"
        ```

        Response:

        ```json theme={null}
        {"mode": true}
        ```
      </Tab>
    </Tabs>

    <p>The API returns the updated policy state. Call the endpoint again to flip the policy back.</p>

    ## Policy reference

    <Accordion title="All OWASP Threats policies">
      The table lists all 18 policies in the WAF & OWASP Threats group with their default states. Policy IDs are domain-specific — use the [View policy states](#view-policy-states) endpoint to retrieve the IDs for a domain.

      | Policy                                 | Purpose                                                                       | Default state |
      | -------------------------------------- | ----------------------------------------------------------------------------- | ------------- |
      | SQL injection                          | Blocks malicious SQL code used to manipulate database queries                 | Enabled       |
      | Cross-site scripting (XSS)             | Blocks malicious script injections targeting other users                      | Enabled       |
      | Shellshock exploit                     | Blocks unauthorized command injection into Bash environments                  | Enabled       |
      | Remote file inclusion (RFI)            | Blocks unauthorized inclusion of remote script files                          | Enabled       |
      | Apache Struts exploit                  | Blocks OGNL exploits targeting Apache Struts v1 vulnerabilities               | Enabled       |
      | Local file inclusion (LFI)             | Blocks unauthorized inclusion of files already on the server                  | Enabled       |
      | Common web application vulnerabilities | Blocks a broad range of prevalent web exploits                                | Enabled       |
      | Web shell execution prevention         | Blocks web shell scripts used to maintain persistent unauthorized access      | Enabled       |
      | Protocol attack                        | Blocks header and query parameter injection via insufficient input sanitation | Enabled       |
      | Cross-site request forgery (CSRF)      | Blocks requests initiated without user consent by exploiting active sessions  | Enabled       |
      | Open redirect                          | Blocks unvalidated URL redirects to malicious destinations                    | Disabled      |
      | Shell injection                        | Blocks arbitrary OS command injection via web application shells              | Enabled       |
      | Code injection                         | Blocks malicious code injected and executed by the application                | Enabled       |
      | Sensitive data exposure                | Blocks accidental exposure of application-related data                        | Enabled       |
      | XML External Entity (XXE)              | Blocks malicious XML input targeting weakly configured parsers                | Enabled       |
      | Personally identifiable information    | Blocks responses containing private personal data                             | Disabled      |
      | Server-side template injection         | Blocks malicious payload injection into server-side templates                 | Enabled       |
      | LLM Attack                             | Blocks attacks targeting Large Language Model integrations                    | Disabled      |
    </Accordion>
  </MethodSection>
</MethodSwitch>
