Top 10 2017-A7-Insufficient Attack Protection - Revision history

T.Gigler: REDIRECT to 1sr line

2017-12-11T23:16:46Z

REDIRECT to 1sr line

T.Gigler: 'Top 10-2017-RC1 A7-Insufficient Attack Protection' has been rejected

2017-12-11T23:14:40Z

'Top 10-2017-RC1 A7-Insufficient Attack Protection' has been rejected

T.Gigler: Set parameters in Top_10:SummaryTableTemplate

2017-04-22T21:08:05Z

Set parameters in Top_10:SummaryTableTemplate

T.Gigler: Top 10 2017 RC1: A7 Insufficient Attack Protection

2017-04-22T10:42:04Z

Top 10 2017 RC1: A7 Insufficient Attack Protection

T.Gigler: Deleted doubled argument 'year=2017' in SubsectionAdvancedTemplate => final reference

2017-04-20T22:45:47Z

Deleted doubled argument 'year=2017' in SubsectionAdvancedTemplate => final reference

T.Gigler: Create an empty page for the new Top 10 2017-A7-Insufficient Attack Protection (RC1)

2017-04-20T22:27:11Z

Create an empty page for the new Top 10 2017-A7-Insufficient Attack Protection (RC1)

New page

{{Top_10_2013:TopTemplate
|usenext=2013NextLink
|next=A8-{{Top_10_2010:ByTheNumbers
|8
|year=2017
|language=en}}
|useprev=2013PrevLink
|prev=A6-{{Top_10_2010:ByTheNumbers
|6
|year=2017
|language=en}}
|year=2017
|language=en
}}

{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
{{Top_10:SummaryTableTemplate|exploitability=2|prevalence=3|detectability=1|impact=2|year=2017|language=en}}
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>


</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>


</td>
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>


</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>


</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>


</td>
{{Top_10_2010:SummaryTableEndTemplate|year=2017}}

{{Top_10:SubsectionTableBeginTemplate|year=2017|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=7|year=2017|language=en}}

{{Top_10_2010:SubsectionAdvancedTemplate|year=2017|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2017|language=en}}

{{Top_10_2010:SubsectionAdvancedTemplate|year=2017|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=7|year=2017|language=en}}



{{Top_10_2010:SubsectionAdvancedTemplate|year=2017|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2017|language=en}}
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate|year=2017}}
*
{{Top_10_2010:SubSubsectionExternalReferencesTemplate|year=2017|language=en}}
*

{{Top_10_2013:BottomAdvancedTemplate
|type={{Top_10_2010:StyleTemplate}}
|usenext=2013NextLink
|next=A8-{{Top_10_2010:ByTheNumbers
|8
|year=2017
|language=en}}
|useprev=2013PrevLink
|prev=A6-{{Top_10_2010:ByTheNumbers
|6
|year=2017
|language=en}}
|year=2017
|language=en
}}

← Older revision		Revision as of 23:16, 11 December 2017
Line 1:		Line 1:
−	~~'Top 10-2017-RC1 A7-Insufficient Attack Protection' has been rejected~~
	#REDIRECT [[Top 10-2017 A7-Cross-Site Scripting (XSS)]]		#REDIRECT [[Top 10-2017 A7-Cross-Site Scripting (XSS)]]
		+	<!--- 'Top 10-2017-RC1 A7-Insufficient Attack Protection' has been rejected --->

← Older revision		Revision as of 23:14, 11 December 2017
Line 1:		Line 1:
−	~~{{Top_10_2013:TopTemplate~~	+	'Top 10-2017-RC1 A7-Insufficient Attack Protection' has been rejected
−	~~\|usenext=2013NextLink~~	+	#REDIRECT [[Top 10-2017 A7-Cross-Site Scripting (XSS)]]
−	~~\|next=A8-{{Top_10_2010:ByTheNumbers~~
−	\|8
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|useprev=2013PrevLink~~
−	~~\|prev=A6-{{Top_10_2010:ByTheNumbers~~
−	\|6
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|year=2017~~
−	~~\|language=en~~
−	}}
−
−	~~{{Top_10_2010:SummaryTableHeaderBeginTemplate\|year=2017\|language=en}}~~
−	~~{{Top_10:SummaryTableTemplate\|exploitability=1\|prevalence=2\|detectability=2\|impact=2\|year=2017\|language=en}}~~
−	~~{{Top_10_2010:SummaryTableHeaderEndTemplate\|year=2017}}~~
−	~~<td {{Template:~~Top 10 ~~2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	~~<!--- Threat Agents: --~~-~~>Consider anyone with network access can send your application a request. Does your application detect and respond to both manual and automated attacks?~~
−	~~</td>~~
−	~~<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=~~2017~~}}>~~
−	~~<!-~~-- Attack ~~Vectors --->Attackers, known users or anonymous, send in attacks. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities?~~
−	~~</td>~~
−	~~<td colspan=2 {{Template:~~Top 10 ~~2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	~~<!--- Security Weakness~~ --->Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Detecting and blocking both manual and automated attacks, is one of the most effective ways to increase security. How quickly can you patch a critical vulnerability you just discovered?
−	~~</td>~~
−	~~<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=~~2017~~}}>~~
−	<!--- Technical Impacts --->Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to 100%. Not quickly deploying patches aids attackers.
−	~~</td>~~
−	~~<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate\|year=2017}}>~~
−	<!--- Business Impacts --->Consider the impact of insufficient attack protection on the business. Successful attacks may not be prevented, go undiscovered for long periods of time, and expand far beyond their initial footprint.
−	~~</td>~~
−	~~{{Top_10_2010:SummaryTableEndTemplate\|year=2017}}~~
−
−	{{Top_10:SubsectionTableBeginTemplate\|year=2017\|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=vulnerableTo\|position=firstLeft\|risk=7\|year=2017\|language=en}}
−	Detecting, responding to, and blocking attacks makes applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.
−
−	It should be very obvious if attack detection and response isn’t in place. Simply try manual attacks or run a scanner against the application. The application or API should identify the attacks, block any viable attacks, and provide details on the attacker and characteristics of the attack. If you can’t quickly roll out virtual and/or actual patches when a critical vulnerability is discovered, you are left exposed to attack.
−
−	~~Be sure to understand what types of attacks are covered by attack protection. Is it only~~ XSS and SQL Injection? You can use technologies like <u>[[Web_Application_Firewall\|WAFs]]</u>, RASP, and <u>[[OWASP_AppSensor_Project\|OWASP AppSensor]]</u> to detect or block attacks, and/or virtually patch vulnerabilities.
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=howPrevent\|position=right\|risk=7\|year=2017\|language=en}}~~
−	~~There are three primary goals for sufficient attack protection:~~
−	~~# <b>Detect Attacks:</b> Did something occur that is impossible for legitimate users to cause (e.g., an input a legitimate client can’t generate~~)~~? Is the application being used in a way that an ordinary user would never do (e.g., tempo too high, atypical input, unusual usage patterns, repeated requests)?~~
−	# <b>Respond to Attacks:</b> Logs and notifications are critical to timely response. Decide whether to automatically block requests, IP addresses, or IP ranges. Consider disabling or monitoring misbehaving user accounts.
−	~~# <b>Patch Quickly:</b> If your dev process can’t push out critical patches in a day, deploy a <u>[[Virtual_Patching_Best_Practices\|virtual patch~~]]~~</u> that analyzes HTTP traffic, data flow, and/or code execution and prevents vulnerabilities from being exploited.~~
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=example\|position=left\|risk=7\|year=2017\|language=en}}~~
−	~~<u>'''Scenario #1:'''</u> Attacker uses automated tool like <u>[[ZAP\|OWASP ZAP]]</u> or <u>[http://sqlmap.org/ SQLMap]</u> to detect vulnerabilities and possibly exploit them.~~
−	~~Attack detection should recognize the application is being targeted with unusual requests and high volume. Automated scans should be easy to distinguish from normal traffic.~~
−
−	~~<u>'''Scenario #2:'''</u> A skilled human attacker carefully probes for potential vulnerabilities, eventually finding an obscure flaw.~~
−
−	While more difficult to detect, this attack still involves requests that a normal user would never send, such as input not allowed by the UI. Tracking this attacker may require building a case over time that demonstrates malicious intent.
−
−	~~<u>'''Scenario #3:'''</u> Attacker starts exploiting a vulnerability in your application that your current attack protection fails to block.~~
−
−	~~How quickly can you deploy a real or virtual patch to block continued exploitation of this vulnerability?~~
−
−	~~{{Top_10_2010:SubsectionAdvancedTemplate\|type={{Top_10_2010:StyleTemplate}}\|subsection=references\|position=right\|risk=7\|year=2017\|language=en}}~~
−	~~{{Top_10_2010:SubSubsectionOWASPReferencesTemplate\|year=2017}}~~
−	* <u>[[Intrusion_Detection\|OWASP Article on Intrusion Detection]]</u>
−	* <u>[[OWASP_AppSensor_Project\|OWASP AppSensor]]</u>
−	* <u>[[OWASP_Automated_Threats_to_Web_Applications\|OWASP Automated Threats Project]]</u>
−	* <u>[[Credential_Stuffing_Prevention_Cheat_Sheet\|OWASP Credential Stuffing Cheat Sheet]]</u>
−	* <u>[[Virtual_Patching_Cheat_Sheet\|OWASP Virtual Patching Cheat Sheet]]</u>
−	* <u>[[:Category:OWASP_ModSecurity_Core_Rule_Set_Project\|OWASP Mod Security Core Ruleset]]</u>
−
−	~~{{Top_10_2010:SubSubsectionExternalReferencesTemplate\|year=2017\|language=en}}~~
−	* <u>[http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation WASC Article on Insufficient Anti-automation]</u>
−	* <u>[http://cwe.mitre.org/data/definitions/778.html CWE Entry 778 - Insufficient Logging]</u>
−	* <u>[http://cwe.mitre.org/data/definitions/799.html CWE Entry 799 - Improper Control of Interaction Frequency]</u>
−
−	~~{{Top_10_2013:BottomAdvancedTemplate~~
−	~~\|type={{Top_10_2010:StyleTemplate}}~~
−	~~\|usenext=2013NextLink~~
−	~~\|next=A8-{{Top_10_2010:ByTheNumbers~~
−	\|8
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|useprev=2013PrevLink~~
−	~~\|prev=A6-{{Top_10_2010:ByTheNumbers~~
−	\|6
−	~~\|year=2017~~
−	~~\|language=en}}~~
−	~~\|year=2017~~
−	~~\|language=en~~
−	}}

@@ Line 15: / Line 15: @@
 {{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
-  {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=3|detectability=1|impact=2|year=2017|language=en}}
+  {{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=2|year=2017|language=en}}
 {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>

@@ Line 18: / Line 18: @@
 {{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
-<!--- Threat Agents: --->
+<!--- Threat Agents: --->Consider anyone with network access can send your application a request. Does your application detect and respond to both manual and automated attacks?
 </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
-<!--- Attack Vectors --->
+<!--- Attack Vectors --->Attackers, known users or anonymous, send in attacks. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities?
 </td>
       <td colspan=2  {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
-<!--- Security Weakness --->
+<!--- Security Weakness --->Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Detecting and blocking both manual and automated attacks, is one of the most effective ways to increase security. How quickly can you patch a critical vulnerability you just discovered?
 </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
-<!--- Technical Impacts --->
+<!--- Technical Impacts --->Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to 100%. Not quickly deploying patches aids attackers.
 </td>
       <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
-<!--- Business Impacts  --->
+<!--- Business Impacts  --->Consider the impact of insufficient attack protection on the business. Successful attacks may not be prevented, go undiscovered for long periods of time, and expand far beyond their initial footprint.
 </td>
 {{Top_10_2010:SummaryTableEndTemplate|year=2017}}
 {{Top_10:SubsectionTableBeginTemplate|year=2017|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=7|year=2017|language=en}}
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2017|language=en}}
-{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=7|year=2017|language=en}}
+<u>'''Scenario #2:'''</u> A skilled human attacker carefully probes for potential vulnerabilities, eventually finding an obscure flaw.
-<!--- {{Top_10_2010:ExampleBeginTemplate|year=2017}}
+How quickly can you deploy a real or virtual patch to block continued exploitation of this vulnerability?
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2017|language=en}}
 {{Top_10_2010:SubSubsectionOWASPReferencesTemplate|year=2017}}
+* <u>[[Intrusion_Detection|OWASP Article on Intrusion Detection]]</u>
 {{Top_10_2010:SubSubsectionExternalReferencesTemplate|year=2017|language=en}}
+* <u>[http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation WASC Article on Insufficient Anti-automation]</u>
 {{Top_10_2013:BottomAdvancedTemplate

@@ Line 42: / Line 42: @@
-{{Top_10_2010:SubsectionAdvancedTemplate|year=2017|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2017|language=en}}
+{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=7|year=2017|language=en}}
-{{Top_10_2010:SubsectionAdvancedTemplate|year=2017|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=7|year=2017|language=en}}
+{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=7|year=2017|language=en}}
@@ Line 51: / Line 51: @@
 {{Top_10_2010:ExampleEndTemplate}} --->
-{{Top_10_2010:SubsectionAdvancedTemplate|year=2017|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2017|language=en}}
+{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=7|year=2017|language=en}}
 {{Top_10_2010:SubSubsectionOWASPReferencesTemplate|year=2017}}
+*