---
title: Exploit Prevention
description: Datadog, the leading service for cloud-scale monitoring.
---

# Exploit Prevention

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Use App and API Protection's **Exploit Prevention** to protect your critical applications and APIs against zero-day vulnerabilities without tuning or reconfiguration.

With App and API Protection's context-aware capabilities, you can gain a deep understanding of application logic, data flow, and state.

Combine telemetry from the Datadog tracer with predefined heuristics to detect and block exploits with higher accuracy, ensuring legitimate traffic remains unaffected.

This is powered by Runtime Application Self Protection (RASP), which allows you to detect and prevent attacks in real time.

For details on how Exploit Prevention differs from In-App WAF, see [Exploit Prevention vs. In-App WAF](https://docs.datadoghq.com/security/application_security/#exploit-prevention-vs-in-app-waf).

## How exploit prevention works{% #how-exploit-prevention-works %}

1. With the Datadog App and API Protection tracing library instrumented in your applications, details are captured about every interaction within the application, including requests, code execution, and data flows.
1. When an attack payload reaches the application, App and API Protection evaluates whether the payload triggers code paths tied to known vulnerabilities.
1. If a potential exploit is detected:
   1. App and API Protection blocks the request in real time before it causes damage.
   1. App and API Protection raises security signals for further investigation.
1. Exploit Prevention detections include stack traces that show where in the code the vulnerability is located, providing a clear path to remediation.

### Example 1: Server-side request forgery{% #example-1-server-side-request-forgery %}

An attacker tricks the server into making unauthorized requests to internal systems or external servers, potentially leaking information or enabling further exploitation.

App and API Protection Exploit Prevention checks whether an internal or external request's URL, which is partially or totally controlled by a user parameter, has been manipulated by an attacker to alter the original purpose of the request.
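
The following is an added illustration of that idea, not Datadog's detection logic: it locates a user-supplied value inside the outbound URL and reports which URL components it reaches. The function names, the flagging rule, and the sample hosts are assumptions made for this example.

```python
import re

# RFC 3986 Appendix B expression; groups 2, 4, 5, 7, 9 are the URL components.
URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")
COMPONENTS = {"scheme": 2, "authority": 4, "path": 5, "query": 7, "fragment": 9}


def touched_components(url, value):
    """Names of the URL components that the user-supplied value overlaps."""
    match = URI_RE.match(url)
    start = url.find(value) if value else -1
    if start == -1:
        return []  # the value never reached the outbound URL
    end = start + len(value)
    return [name for name, group in COMPONENTS.items()
            if match.start(group) != -1
            and match.start(group) < end and match.end(group) > start]


def ssrf_params(url, params):
    """Names of params that reach the scheme or host, or cross a component boundary."""
    flagged = []
    for name, value in params.items():
        hit = touched_components(url, value)
        if "scheme" in hit or "authority" in hit or len(hit) > 1:
            flagged.append(name)
    return flagged


# Constructed samples: (URL the application is about to request, request parameters).
SAMPLES = [
    ("https://inventory.internal.example/items/42", {"item": "42"}),
    ("https://search.internal.example/find?q=blue+shoes", {"q": "blue+shoes"}),
    ("https://reports.internal.example/status", {"host": "reports.internal.example"}),
    ("http://admin.internal.example/settings",
     {"image_url": "http://admin.internal.example/settings"}),
    ("https://inventory.internal.example/items/42?admin=true", {"item": "42?admin=true"}),
]

if __name__ == "__main__":
    for url, params in SAMPLES:
        print(ssrf_params(url, params) or "ok", url)
```

Only the first occurrence of each value is examined, so very short values that also appear in the host name by coincidence would need extra handling.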

### Example 2: Local file inclusion{% #example-2-local-file-inclusion %}

An attacker exploits a vulnerable parameter to include local files from the server, potentially exposing sensitive data like configuration files or possibly enabling remote code execution.

App and API Protection Exploit Prevention inspects all file access attempts to determine if the path has been injected and whether a restricted file is accessed.
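
The "has the path been injected" half of that check can be pictured with the added sketch below, which is not Datadog's implementation: it finds the user value inside the path handed to the file API and tests whether the normalized path still sits under the directory the application chose. The function name, the rule, and the sample paths are assumptions; the restricted-file list is not modeled.

```python
import posixpath


def lfi_params(path, params):
    """Names of params that move a file access outside the directory the app chose."""
    resolved = posixpath.normpath(path)
    flagged = []
    for name, value in params.items():
        start = path.find(value) if value else -1
        if start == -1:
            continue  # the value never reached the file API
        # Directory fixed by the application before the user value begins.
        app_dir = posixpath.dirname(path[:start])
        if not app_dir:
            # The user value supplies the first path segment.
            escaped = (posixpath.isabs(value) or resolved == ".."
                       or resolved.startswith("../"))
        else:
            base = posixpath.normpath(app_dir).rstrip("/") + "/"
            escaped = not (resolved + "/").startswith(base)
        if escaped:
            flagged.append(name)
    return flagged


# Constructed samples: (path passed to the file API, request parameters).
SAMPLES = [
    ("/srv/app/templates/invoices/2024.html", {"tpl": "invoices/2024.html"}),
    ("/srv/app/templates/a/../2024.html", {"tpl": "a/../2024.html"}),
    ("/srv/app/templates/../../config/secrets.yml", {"tpl": "../../config/secrets.yml"}),
    ("/srv/config/secrets.yml", {"file": "/srv/config/secrets.yml"}),
    ("templates/../../secrets.yml", {"tpl": "../../secrets.yml"}),
]

if __name__ == "__main__":
    for path, params in SAMPLES:
        print(lfi_params(path, params) or "ok", path)
```

The second sample contains `..` but stays inside the template directory, so it is not flagged; `normpath` is purely lexical and does not follow symbolic links.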

### Example 3: SQL injection{% #example-3-sql-injection %}

An attacker injects malicious SQL code into a query, potentially gaining unauthorized access to the database, manipulating data, or executing administrative operations.

App and API Protection Exploit Prevention intercepts all SQL queries to determine if a user parameter has been injected and whether the injection alters the original purpose and structure of the SQL query.
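
To make "alters the structure of the query" concrete, here is an added sketch (not Datadog's detection logic) that tokenizes the final SQL string and flags a user value only when it covers more than one token. The lexer is deliberately simplified, and the function name and sample queries are assumptions for this example.

```python
import re

# Simplified SQL lexer: whitespace is skipped, everything else becomes one token.
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'?      # string literal, '' is an escaped quote
  | --[^\n]*             # line comment
  | /\*.*?(?:\*/|\Z)     # block comment
  | \d+(?:\.\d+)?        # number
  | \w+                  # keyword or identifier
  | \S                   # any other single symbol
""", re.VERBOSE | re.DOTALL)


def injected_params(query, params):
    """Names of params whose value covers more than one token of the final query."""
    spans = [m.span() for m in TOKEN_RE.finditer(query)]
    flagged = []
    for name, value in params.items():
        start = query.find(value) if value else -1
        while start != -1:
            end = start + len(value)
            if sum(1 for s, e in spans if s < end and e > start) > 1:
                flagged.append(name)
                break
            start = query.find(value, start + 1)
    return flagged


# Constructed samples: (query as sent to the database driver, request parameters).
SAMPLES = [
    ("SELECT id FROM users WHERE name = 'Mary Ann'", {"name": "Mary Ann"}),
    ("SELECT id FROM notes WHERE body = 'drop table or 1=1'", {"q": "drop table or 1=1"}),
    ("SELECT id FROM users WHERE name = ?", {"name": "' OR 1=1 --"}),
    ("SELECT id FROM users WHERE name = '' OR 1=1 --'", {"name": "' OR 1=1 --"}),
    ("SELECT id FROM orders WHERE id = 42 OR 1=1", {"id": "42 OR 1=1"}),
]

if __name__ == "__main__":
    for query, params in SAMPLES:
        print(injected_params(query, params) or "ok", query)
```

The second sample looks suspicious to a pattern matcher but stays inside one string literal, so the query structure is unchanged and nothing is flagged; the third shows that a parameterized query never carries the raw value at all.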

## Prerequisites{% #prerequisites %}

- Ensure that your applications are instrumented with the Datadog tracer.
- App and API Protection must be enabled. See [Setup](https://docs.datadoghq.com/security/application_security/setup).
- Ensure Remote Configuration is enabled to push rule updates and In-App WAF policies. See [Enabling Remote Configuration](https://docs.datadoghq.com/tracing/guide/remote_config).

### Library Compatibility{% #library-compatibility %}

| Exploit Type                       | [.NET](https://github.com/DataDog/dd-trace-dotnet) | [Python](https://github.com/DataDog/dd-trace-py) | [Go](https://github.com/DataDog/dd-trace-go)                                                                                  | [Java](https://github.com/DataDog/dd-trace-java) | [Node.js](https://github.com/DataDog/dd-trace-js) | [PHP](https://github.com/DataDog/dd-trace-php) | [Ruby](https://github.com/DataDog/dd-trace-rb) |
| ---------------------------------- | -------------------------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ------------------------------------------------- | ---------------------------------------------- | ---------------------------------------------- |
| Server-side Request Forgery (SSRF) | v3.3.0                                             | v2.15.0                                          | v1.70.1                                                                                                                       | v1.42.0                                          | v5.20.0, v4.44.0                                  | v1.9.0                                         | v2.15.0                                        |
| Local File Inclusion (LFI)         | v3.5.0                                             | v2.15.0                                          | [orchestrion](https://docs.datadoghq.com/tracing/trace_collection/automatic_instrumentation/dd_libraries/go/#overview) v1.0.0 | v1.42.0                                          | v5.24.0, v4.48.0                                  | v1.9.0                                         | Not supported                                  |
| SQL Injection (SQLi)               | v3.4.0                                             | v2.16.0                                          | v1.70.1                                                                                                                       | v1.42.0                                          | v5.25.0, v4.49.0                                  | v1.9.0                                         | v2.15.0                                        |
| Command Injection                  | v3.4.0                                             | v2.15.0                                          | Not supported                                                                                                                 | v1.45.0                                          | v5.25.0, v4.49.0                                  | Not supported                                  | Not supported                                  |

## Enabling Exploit Prevention{% #enabling-exploit-prevention %}

1. Navigate to [In-App WAF](https://app.datadoghq.com/security/appsec/in-app-waf).
1. If you have applied a Datadog managed policy to your services, then follow these steps:
   1. Clone the policy. For example, you can use the **Managed - Block attack tools** policy.
   1. Add a policy name and description.
   1. Click on the policy you created and select the **Local File Inclusion** ruleset. Enable blocking for the **Local File Inclusion exploit** rule.
   1. Similarly, select the **Server-side Request Forgery** ruleset and enable blocking for the **Server-side request forgery** exploit rule.
1. If you have applied a custom policy for your services, you can skip Steps 2.a and 2.b for cloning a policy and directly set the Exploit Prevention rules in **blocking** mode (Steps 2.c and 2.d).

## Reviewing exploit attempts in App and API Protection{% #reviewing-exploit-attempts-in-app-and-api-protection %}

After you have enabled Exploit Prevention, if App and API Protection detects an exploit attempt, it proceeds to block that request. Exploit Prevention detections are always accompanied by stack traces, which provide full visibility of where the vulnerability lies in your code, ensuring a clear path to remediation.

App and API Protection also generates a signal that correlates all the blocked traces and isolates the attacker IP addresses targeting your services. You can take action by blocking all attacking IPs.

## Further Reading{% #further-reading %}

- [Protect against threats with Datadog App and API Protection](https://docs.datadoghq.com/security/application_security/)
- [Other setup considerations and configuration options](https://docs.datadoghq.com/security/application_security/policies/library_configuration/)
- [Protect your applications from zero-day attacks with Datadog Exploit Prevention](https://www.datadoghq.com/blog/datadog-exploit-prevention/)
- [Understanding your WAF: How to address common gaps in web application security](https://www.datadoghq.com/blog/understanding-your-waf/)
