This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP AppSensor Project"

From OWASP
Jump to: navigation, search
(Blanked the page)
Line 1: Line 1:
 +
{{OWASP Book|5984542}}
  
 +
 +
{{ProjectTabs |
 +
Proj_About=
 +
{{:Project Information:template AppSensor Project}}
 +
 +
|
 +
 +
Proj_Documentation=
 +
== AppSensor Overview ==
 +
 +
If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!
 +
 +
As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.
 +
 +
In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application
 +
 +
== Is this hard?==
 +
No, simple checks are used to detect malicious activity. A security exception is then thrown and the AppSensor/ESAPI framework takes care of the rest.
 +
 +
== Get AppSensor ==
 +
Download the AppSensor book for free at [http://www.lulu.com/product/download/owasp-appsensor/4520005  lulu.com]
 +
 +
Order a printed version for under $10 [http://www.lulu.com/content/5984542 lulu.com]
 +
 +
|
 +
 +
Proj_Contributors=
 +
 +
 +
|
 +
 +
Proj_Mail=
 +
 +
AppSensor-Tutorial [http://code.google.com/p/appsensor/source/browse/trunk/AppSensor-Tutorial/ Now Available]!
 +
 +
AppSensor Presented at AppSecUSA
 +
 +
 +
==== Project Roadmap  ====
 +
 +
'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]
 +
 +
'''July, 2010''' - ESAPI Integration Complete!
 +
 +
'''June, 2010''' - Active ESAPI Integration Underway
 +
 +
'''November, 2009''' [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf OWASP DC, November 2009]
 +
 +
'''Current:''' v1.2 in the works, demo application in development
 +
 +
'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])
 +
 +
'''January, 2009''' - v1.1 Released - Beta Status
 +
 +
'''November, 2008''' - AppSensor Talk at OWASP Portugal
 +
 +
'''November, 2008''' - v1.0 Released - Beta Status
 +
 +
'''April 16, 2008''' - Project Begins
 +
 +
<br>
 +
 +
==== Detection Points  ====
 +
 +
 +
Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.
 +
 +
Full info found '''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Here] '''
 +
 +
'''Legend:'''
 +
 +
RE - Request
 +
 +
AE - Authentication
 +
 +
SE - Session
 +
 +
ACE - Acess Control
 +
 +
IE - Input
 +
 +
EE - Encoding
 +
 +
CIE - Command Injection
 +
 +
FIO - File IO
 +
 +
HT - Honey Trap
 +
 +
UT - User Trend
 +
 +
STE - System Trend
 +
 +
RP - Reputation
 +
 +
 +
'''Signature Based Events'''
 +
 +
ID Event
 +
 +
RE1 Unexpected HTTP Command
 +
 +
RE2 Attempt to Invoke Unsupported HTTP Method
 +
 +
RE3 GET When Expecting POST
 +
 +
RE4 POST When Expecting GET
 +
 +
RE5 Additional/Duplicated Data in Request
 +
 +
RE6 Data Missing from Request
 +
 +
AE1 Use Of Multiple Usernames
 +
 +
AE2 Multiple Failed Passwords
 +
 +
AE3 High Rate of Login Attempts
 +
 +
AE4 Unexpected Quantity of Characters in Username
 +
 +
AE5 Unexpected Quantity of Characters in Password
 +
 +
AE6 Unexpected Type of Character in Username
 +
 +
AE7 Unexpected Type of Character in Password
 +
 +
AE8 Providing Only the Username
 +
 +
AE9 Providing Only the Password
 +
 +
AE10 Adding POST Variable
 +
 +
AE11 Missing POST Variable
 +
 +
AE12 Utilization of Common Usernames
 +
 +
SE1 Modifying Existing Cookie
 +
 +
SE2 Adding New Cookie
 +
 +
SE3 Deleting Existing Cookie
 +
 +
SE4 Substituting Another User's Valid Session ID or Cookie
 +
 +
SE5 Source IP Address Changes During Session
 +
 +
SE6 Change Of User Agent Mid Session
 +
 +
ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt
 +
 +
ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt
 +
 +
ACE3 Force Browsing Attempt
 +
 +
ACE4 Evading Presentation Access Control Through Custom POST
 +
 +
IE1 Cross Site Scripting Attempt
 +
 +
IE2 Violation of Implemented White Lists
 +
 +
IE3 Violation Of Implemented Black Lists
 +
 +
IE4 Violation of Input Data Integrity
 +
 +
IE5 Violation of Stored Business Data Integrity
 +
 +
IE6 Violation of Security Log Integrity
 +
 +
EE1 Double Encoded Character
 +
 +
EE2 Unexpected Encoding Used
 +
 +
CIE1 Blacklist Inspection for Common SQL Injection Values
 +
 +
CIE2 Detect Abnormal Quantity of Returned Records
 +
 +
CIE3 Null Byte Character in File Request
 +
 +
CIE4 Carriage Return or Line Feed Character In File Request
 +
 +
FIO1 Detect Large Individual File
 +
 +
FIO2 Detect Large Number of File Uploads
 +
 +
HT1 Alteration to Honey Trap Data
 +
 +
HT2 Honey Trap Resource Requested
 +
 +
HT3 Honey Trap Data Used
 +
 +
'''Behavior Based Events'''<br>
 +
 +
UT1 Irregular Use of Application
 +
 +
UT2 Speed of Application Use
 +
 +
UT3 Frequency of Site Use
 +
 +
UT4 Frequency of Feature Use
 +
 +
STE1 High Number of Logouts Across The Site
 +
 +
STE2 High Number of Logins Across The Site
 +
 +
STE3 High Number of Same Transaction Across The Site
 +
 +
RP1 Suspicious or Disallowed User IP Address
 +
 +
RP2 Suspicious External User Behavior
 +
 +
RP3 Suspicious Client-Side Behavior
 +
 +
RP4 Change to Environment Threat Level
 +
 +
 +
==== Media  ====
 +
 +
July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]
 +
 +
June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application
 +
 +
June, 2010 - Video presentation - [http://michael-coates.blogspot.com/2010/06/online-presentation-thursday-automated.html Automated Application Defenses to Thwart Advanced Attackers]
 +
 +
November, 2009 -  AppSec DC - [http://www.owasp.org/images/0/06/Defend_Yourself-Integrating_Real_Time_Defenses_into_Online_Applications-Michael_Coates.pdf Defend Yourself: Integrating Real Time Defenses into Online Applications]
 +
 +
May, 2009 - [http://www.owasp.org/download/jmanico/owasp_podcast_51.mp3 OWASP Podcast #51 ]
 +
 +
May, 2009 - AppSec EU Poland - [https://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx Real Time Defenses against Application Worms and Malicious Attackers]
 +
 +
November, 2008 - [https://www.owasp.org/images/7/77/Presentation_AppSensor.ppt OWASP Summit Portugal 2008 PPT]
 +
 +
 +
'''Video Demos of AppSensor'''
 +
 +
[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]
 +
 +
[http://www.youtube.com/watch?v=CekUMk_VRV8 Detecting XSS Probes]
 +
 +
[http://www.youtube.com/watch?v=LfD4y67qdWE Detecting URL Tampering]
 +
 +
[http://www.youtube.com/watch?v=1D6nTlmYjhY Detecting Verb Tampering]
 +
 +
 +
 +
}}
 +
 +
[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Beta_Quality_Document]]

Revision as of 16:35, 6 October 2010

OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.


About

PROJECT IDENTIFICATION
Project Name OWASP AppSensor Project - Detect and Respond to Attacks from Within the Application
Short Project Description

Real Time Application Attack Detection and Response

Overview

Article on why Application Based Intrusion Detection is a must for critical applications.

The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.

Detection

AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.

Response

AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.

Defending the Application

An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

Project key Information Project Leaders:

Michael Coates
John Melton
Colin Watson
Dennis Groves

Project Contributors:

Ryan Barnett
Simon Bennetts
August Detlefsen
Dennis Groves
Randy Janida
Jim Manico
Giri Nambari
Eric Sheridan
John Stevens
Kevin Wall

Mailing list
Subscribe here
Use here 		License
Creative Commons Attribution Share Alike 3.0 		Project Type
Documentation 		Sponsor
OWASP SoC 08
Release Status Main Links Related Projects

Beta Quality
Please see here for complete information.

FAQ

AppSensor Overview

If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!

As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.

In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application

Is this hard?

No, simple checks are used to detect malicious activity. A security exception is then thrown and the AppSensor/ESAPI framework takes care of the rest.

Get AppSensor

Download the AppSensor book for free at lulu.com

Order a printed version for under $10 lulu.com

News

AppSensor-Tutorial Now Available!

AppSensor Presented at AppSecUSA


Project Roadmap

September, 2010 - Presented at AppSecUSA slides

July, 2010 - ESAPI Integration Complete!

June, 2010 - Active ESAPI Integration Underway

November, 2009 OWASP DC, November 2009

Current: v1.2 in the works, demo application in development

May, 2009 - AppSec EU Poland - Presentation (PPT) (Video)

January, 2009 - v1.1 Released - Beta Status

November, 2008 - AppSensor Talk at OWASP Portugal

November, 2008 - v1.0 Released - Beta Status

April 16, 2008 - Project Begins


Detection Points

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

Full info found Here

Legend:

RE - Request

AE - Authentication

SE - Session

ACE - Acess Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation


Signature Based Events

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

Behavior Based Events

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 High Number of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level


Media

July, 2010 - OWASP London (UK) - Real Time Application Attack Detection and Response with OWASP AppSensor

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - Automated Application Defenses to Thwart Advanced Attackers

November, 2009 - AppSec DC - Defend Yourself: Integrating Real Time Defenses into Online Applications

May, 2009 - OWASP Podcast #51

May, 2009 - AppSec EU Poland - Real Time Defenses against Application Worms and Malicious Attackers

November, 2008 - OWASP Summit Portugal 2008 PPT


Video Demos of AppSensor

Detecting Multiple Attacks & Logging Out Attacker

Detecting XSS Probes

Detecting URL Tampering

Detecting Verb Tampering

Contributors/Users

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_AppSensor_Project&oldid=90866"