Difference between revisions of "AppSensor DetectionPoints"
(→SE5: Source IP Address Changes During Session: "indicating a possible session hijacking attack" added to description;Consideration text added to note changing I addresses and possible use of ASN.) |
(→SystemTrendException: Reputation category addeed with RP1, RP2, RP3 and RP4) |
Line 1,745: | Line 1,745: | ||
[[http://www.owasp.org/index.php/AppSensor_DetectionPoint_STE3#net .Net]] | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_STE3#net .Net]] | ||
[[http://www.owasp.org/index.php/AppSensor_DetectionPoint_STE3#php PHP]] | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_STE3#php PHP]] | ||
+ | </td></tr> | ||
+ | </table> | ||
+ | |||
+ | ==Reputation== | ||
+ | |||
+ | These reputation detection points could be treated either as: | ||
+ | * like any other detection point contributing to the count of suspicious events, or | ||
+ | * used to alter security logging, or the threshold levels, or associated response actions | ||
+ | The former could lead to a much higher false positive rate. | ||
+ | |||
+ | ===RP1: Suspicious or Disallowed User IP Address=== | ||
+ | |||
+ | <table style="border-style:double;border-width:3px;" > | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >id</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | RP1 | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >title</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Suspicious or Disallowed User IP Address | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >category</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Reputation | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >description</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | The user is identified as using an IP address associated with a blacklist | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >consideration</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Suspicious or invalid IP addresses and address ranges may be identified using a whitelist,internal blacklist, list of Tor nodes (e.g. https://torstat.xenobite.eu/), HTTP blacklist (e.g. | ||
+ | http://www.projecthoneypot.org/httpbl.php and Dshield http://www.dshield.org) list of spammers (e.g. Spamhaus http://www.spamhaus.org/) or known botnets (e.g. | ||
+ | http://www.shadowserver.org/wiki/). | ||
+ | |||
+ | "Suspicious" may also depend upon the type of user e.g. users in the "CMS manager" role should be using an internal network IP address, public users could be from anywhere, customers should only be accessing the application from a particular geographical region, search engine robots should be from a limited range of IP addresses. | ||
+ | |||
+ | Take care that "suspicious" does not contribute to greater false positives. | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >examples</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Example 1: A user with an external IP address is accessing an internal application, which should not be occurring | ||
+ | |||
+ | Example 2: An authenticated user is accessing the application using a known Tor node, and attack detection thresholds are made more strict | ||
+ | |||
+ | Example 3: An authenticated user is accessing the application from a known trustworthy IP address, and thresholds for certain activity (e.g. input data validation errors) are relaxed slightly | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >code</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP1#java Java]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP1#net .Net]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP1#php PHP]] | ||
+ | </td></tr> | ||
+ | </table> | ||
+ | |||
+ | ===RP2: Suspicious External User Behavior=== | ||
+ | |||
+ | <table style="border-style:double;border-width:3px;" > | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >id</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | RP2 | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >title</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Suspicious External User Behavior | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >category</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Reputation | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >description</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | External (to the application) devices and systems (e.g. host and network IDS, file integrity monitoring, disk usage monitoring, anti-malware service, IPS, network firewall, web application firewall, web server logging, XML gateway, database firewall, SIEM) detect anomalous behavior by the user (e.g. session and/or IP address). | ||
+ | |||
+ | This information can be used by the application to contribute to its knowleage about a potential attacker. In some cases, the information could be detected by the application itself (e.g. XSS pattern black listing), but may be more effectively identified by the external device, or is not known to the application normally (e.g. requests for missing resources that the web server sees, but does not pass onto the application). | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >consideration</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | The greater the knowledge a device or system has about the application, the greater confidence can be given to evidence of suspicious behaviour. Therefore, for example, attempted SQL injection detexcted by a web application firewall (WAF) might be given greater weight than information from a network firewall about the IP address. | ||
+ | |||
+ | The power of AppSensor is its accuracy and low false positive rate, and the usage of external data should be carefully assessed to ensure it does not contribute to a higher false positive rate. | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >examples</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Example 1: An IDS has detected suspicious activity by a particular IP address, and this is used to temporarily tighten the attack detection thresholds for requests from all users in the same IP address range. | ||
+ | |||
+ | Example 2: An application is using the ModSecurity web application firewall with the [[:Category:OWASP ModSecurity Core Rule Set Project|Core Rule Set]], and utilises the anomaly score data passed forward in the X-WAF-Events and X-WAF-Score HTTP headers (optional rules in modsecurity_crs_49_header_tagging.conf) to adjust the level of application logging for each user | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >code</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP2#java Java]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP2#net .Net]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP2#php PHP]] | ||
+ | </td></tr> | ||
+ | </table> | ||
+ | |||
+ | ===RP3: Suspicious Client-Side Behavior=== | ||
+ | |||
+ | <table style="border-style:double;border-width:3px;" > | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >id</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | RP3 | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >title</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | RP3 Suspicious Client-Side Behavior | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >category</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Reputation | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >description</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | The application receives a report of client-side security policy exceptions | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >consideration</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Take care this information does not contribute to greater false positives. | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >examples</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Example 1: An internal corporate intranet application detects use of a non-standard workstation configuration (e.g. using JavaScript font or plugin detection see [[#SE6:_Change_Of_User_Agent_Mid_Session]]). An alert is raised for further investigation. | ||
+ | |||
+ | Example 2: An online banking application receives details of suspicious client-side behaviour that would not be expected in normal application use, via a [http://people.mozilla.com/~bsterne/content-security-policy/ Firefox Content Security Policy] [https://wiki.mozilla.org/Security/CSP/Specification#Violation_Report_Syntax violation report]. | ||
+ | The application increases logging for the user, and decreases the monetary limit at which the user's payments require manual authorisation by bank staff. | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >code</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP3#java Java]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP3#net .Net]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP3#php PHP]] | ||
+ | </td></tr> | ||
+ | </table> | ||
+ | |||
+ | ===RP4: Change to Environment Threat Level=== | ||
+ | |||
+ | <table style="border-style:double;border-width:3px;" > | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >id</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | RP4 | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >title</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Change to Environment Threat Level | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >category</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Reputation | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >description</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | The general threat level (e.g. general risk of attack from the Internet, or specific targetted attacks against an organisation) is | ||
+ | elevated. This could also be used to change response sensitivity due to short-term effects such as application upgrades/patching. | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >consideration</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | This input could be used to alter thresholds for AppSensor responses. | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >examples</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | Example 1: A machine-readable threat index is read from a third-party and is used to control security logging levels. | ||
+ | |||
+ | Example 2: Business circumstances (e.g. increased attention by activists) raises the suspicion the application may be at increased risk of mis-use, and response thresholds for attack detection are tightened for non-authenticated users. | ||
+ | </td></tr> | ||
+ | <tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >code</td> | ||
+ | <td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" > | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP4#java Java]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP4#net .Net]] | ||
+ | [[http://www.owasp.org/index.php/AppSensor_DetectionPoint_RP4#php PHP]] | ||
</td></tr> | </td></tr> | ||
</table> | </table> |
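Review bot: the RP3 title cell reads "RP3 Suspicious Client-Side Behavior", repeating the ID that already has its own row, while RP1, RP2 and RP4 give the bare title; drop the prefix so the four tables match. Spelling in the added text also needs a pass: "knowleage" (RP2 description), "detexcted" (RP2 consideration), "targetted" (RP4 description), and the missing space in "whitelist,internal blacklist" (RP1 consideration). One content point: the introductory paragraph says a reputation point can either count as an ordinary suspicious event or modify logging, thresholds and responses, and RP1 Examples 2 and 3 and all of RP4 clearly take the second route, but RP1 Example 1 and RP3 Example 1 do not say which treatment is intended; stating it would make the false-positive warning that each table repeats actionable.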
Revision as of 11:42, 1 July 2010
- 1 About This Document
- 1.1 RequestException
- 1.2 AuthenticationException
- 1.2.1 AE1: Use Of Multiple Usernames
- 1.2.2 AE2: Multiple Failed Passwords
- 1.2.3 AE3: High Rate Of Login Attempts
- 1.2.4 AE4: Unexpected Quantity Of Characters In Username
- 1.2.5 AE5: Unexpected Quantity Of Characters In Password
- 1.2.6 AE6: Unexpected Types Of Characters In Username
- 1.2.7 AE7: Unexpected Types Of Characters In Password
- 1.2.8 AE8: Providing Only The Username
- 1.2.9 AE9: Providing Only The Password
- 1.2.10 AE10: Adding Additional POST Variables
- 1.2.11 AE11: Removing POST Variables
- 1.2.12 AE12: Utilization of Common User Names
- 1.3 SessionException
- 1.4 AccessControlException
- 1.5 InputException
- 1.6 EncodingException
- 1.7 CommandInjectionException
- 1.8 FileIOException
- 1.9 Honey Trap
- 1.10 UserTrendException
- 1.11 SystemTrendException
- 1.12 Reputation
About This Document
These detection points are part of the OWASP AppSensor project which advocates bringing intelligent intrusion detection inside the application. These detection points can be used to identify a malicious user that is probing for vulnerabilities or weaknesses within your application.
Read more about why application logging is the way to go.
RequestException
RE1: Unexpected HTTP Commands
id | RE1
title | Unexpected HTTP Commands
category | RequestException
description | An HTTP request is received which uses an unexpected HTTP command (method). A list of accepted methods should be defined (e.g. GET and POST only) and any other HTTP method should generate an event.
consideration |
examples | Instead of a GET or POST request, the user sends a TRACE request to the application.
code |
RE2: Attempts To Invoke Unsupported HTTP Methods
id | RE2
title | Attempts To Invoke Unsupported HTTP Methods
category | RequestException
description | An HTTP request is received which uses a non-existent HTTP method, i.e. one that does not match any of HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS or CONNECT.
consideration |
examples | Instead of a GET or POST request, the user sends a TEST request to the application (TEST is not a valid HTTP method).
code |
RE3: GET When Expecting POST
id | RE3
title | GET When Expecting POST
category | RequestException
description | A page which is expecting only POST requests receives a GET.
consideration |
examples | The user sends a GET request to a page which has only ever been used for POSTs.
code |
RE4: POST When Expecting GET
id | RE4
title | POST When Expecting GET
category | RequestException
description | A page which is expecting only GET requests receives a POST.
consideration |
examples | The user uses a proxy tool to build a custom POST request and sends it to a page which has only ever been accessed by GET requests.
code |
RE5: Additional/Duplicated Data in Request
id | RE5
title | Additional/Duplicated Data in Request
category | RequestException
description | Additional unexpected parameters or HTTP headers, or duplicates of expected ones, are received with the request.
consideration | Additional parameters may be an attempt to override values or to exploit unexposed functionality. Duplicated parameters may indicate attempted HTTP parameter pollution. Beware of firing this detector when additional cookies not used by the application are found (as opposed to duplicated cookies), since these may relate to third-party code (e.g. advertisements, analytics) or to some other application on the same domain. Note that extra HTTP headers may be added by intermediate proxies; unless the network configuration is fixed (an internal network, perhaps), additional headers cannot be controlled and thus cannot be used to infer the existence of a potential attacker.
examples |
Example 1: Additional form or URL parameters submitted with the request (e.g. debug=1, servervariable=2000)
Example 2: A parameter is defined more than once in the URL query string
Example 3: An HTTP header is duplicated
Example 4: An additional HTTP header is found
code |
RE6: Data Missing from Request
id | RE6
title | Data Missing from Request
category | RequestException
description | Expected parameters or HTTP headers are missing from the request.
consideration | Bookmarking and use of a browser's "back" button can lead to legitimate requests without the expected parameters.
examples |
Example 1: A page is requested without any of the required form parameters.
Example 2: The HTTP Accept header is not present in a request.
code |
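As an added example (not code from the AppSensor project or from this page), the following Python implements the six RequestException detectors above as a single check run over constructed sample requests. The endpoint policy (paths, allowed methods, known and required parameter names) is an assumption for illustration. Parameters are passed as a list of pairs rather than a dictionary so that a duplicated name, the RE5 parameter-pollution case, is still visible; RE3 and RE4 are only raised for methods the site uses somewhere, so a TRACE to a POST-only page is reported once, as RE1.

```python
"""RequestException detectors RE1-RE6 run over constructed sample requests.

Added example for this page, not AppSensor project code. The endpoint
policy (paths, methods, parameter names) is an assumption for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# The methods defined by HTTP/1.1; anything else is a non-existent command (RE2).
KNOWN_HTTP_METHODS = frozenset(
    {"HEAD", "GET", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"})

# The only methods this (hypothetical) application ever uses; others are RE1.
SITE_METHODS = frozenset({"GET", "POST"})


@dataclass(frozen=True)
class EndpointPolicy:
    methods: frozenset           # methods the page legitimately accepts
    params: frozenset            # every parameter name the page understands
    required: frozenset          # subset of params that must always be present


# Hypothetical per-page policy (assumption for the example).
POLICY = {
    "/login": EndpointPolicy(methods=frozenset({"POST"}),
                             params=frozenset({"username", "password", "remember"}),
                             required=frozenset({"username", "password"})),
    "/search": EndpointPolicy(methods=frozenset({"GET"}),
                              params=frozenset({"q", "page"}),
                              required=frozenset({"q"})),
}


def check_request(method, path, params):
    """Return the AppSensor detection point IDs triggered by one request.

    `params` is a list of (name, value) pairs rather than a dict so that a
    parameter sent twice (HTTP parameter pollution, RE5) remains visible.
    """
    events = []
    method = method.upper()
    if method not in KNOWN_HTTP_METHODS:
        events.append("RE2")        # not an HTTP method at all
    elif method not in SITE_METHODS:
        events.append("RE1")        # real HTTP method, never used by this site

    policy = POLICY.get(path)
    if policy is None:
        return events               # unknown resource: an ACE3 matter, not RE

    # RE3/RE4 only make sense for methods the site does use somewhere.
    if method in SITE_METHODS and method not in policy.methods:
        events.append("RE3" if method == "GET" else "RE4")

    names = Counter(name for name, _ in params)
    extra = set(names) - policy.params
    duplicated = {n for n, c in names.items() if c > 1}
    if extra or duplicated:
        events.append("RE5")
    if policy.required - set(names):
        events.append("RE6")
    return events


# Constructed sample traffic: (method, path, parameters).
SAMPLE_REQUESTS = [
    ("POST", "/login", [("username", "bob"), ("password", "s3cret")]),
    ("TRACE", "/login", [("username", "bob"), ("password", "s3cret")]),
    ("TEST", "/search", [("q", "appsensor")]),
    ("GET", "/login", [("username", "bob"), ("password", "s3cret")]),
    ("POST", "/search", [("q", "appsensor")]),
    ("POST", "/login", [("username", "bob"), ("password", "s3cret"), ("debug", "1")]),
    ("POST", "/login", [("username", "bob"), ("username", "alice"), ("password", "x")]),
    ("GET", "/search", [("page", "2")]),
]


def run_samples():
    """Evaluate every sample request; returns one event list per request."""
    return [check_request(m, p, params) for m, p, params in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, path, _), events in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{method:6} {path:8} -> {events or 'clean'}")
```

In a real deployment the policy would be derived from the routing table rather than hand-written, and each returned ID would be handed to the AppSensor event store with the session identifier so the per-user counts that drive responses can accumulate.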
AuthenticationException
AE1: Use Of Multiple Usernames
id | AE1
title | Use Of Multiple Usernames
category | AuthenticationException
description | Multiple usernames are attempted when logging into the application. Login attempts can be attributed to a user based on the session ID issued when they first visit the website. Correlating on IP address alone is difficult, since multiple users could be using the site from the same IP address (e.g. behind a corporate NAT).
consideration |
examples | The user first tries username bob, then username sue, then steve, etc.
code |
AE2: Multiple Failed Passwords
id | AE2
title | Multiple Failed Passwords
category | AuthenticationException
description | For a single username, multiple bad passwords are entered.
consideration |
examples | The user tries the username:password combinations user:pass1, user:pass2, user:pass3, etc.
code |
AE3: High Rate Of Login Attempts
id | AE3
title | High Rate Of Login Attempts
category | AuthenticationException
description | The number of login attempts per minute becomes too high, indicating an automated login attack.
consideration |
examples | The user sends the following login attempts within 1 second: user1:pass1, user1:pass2, user2:pass3, user2:pass4
code |
AE4: Unexpected Quantity Of Characters In Username
id | AE4
title | Unexpected Quantity Of Characters In Username
category | AuthenticationException
description | The user provides a username with an unexpectedly large number of characters.
consideration |
examples | The user sends a username that is 200 characters long.
code |
AE5: Unexpected Quantity Of Characters In Password
id | AE5
title | Unexpected Quantity Of Characters In Password
category | AuthenticationException
description | The user provides a password with an unexpectedly large number of characters.
consideration |
examples | The user sends a password that is 200 characters long.
code |
AE6: Unexpected Types Of Characters In Username
id | AE6
title | Unexpected Types Of Characters In Username
category | AuthenticationException
description | The user provides non-printable characters such as the null byte. Any character below hex 20 or above hex 7E (decimal below 32 or above 126) is considered illegal.
consideration |
examples | The user sends a username that contains characters with ASCII values below hex 20 or above hex 7E.
code |
AE7: Unexpected Types Of Characters In Password
id | AE7
title | Unexpected Types Of Characters In Password
category | AuthenticationException
description | The user provides non-printable or extended characters in the password, such as the null byte or characters entered via Alt key codes. As for AE6, any character below hex 20 or above hex 7E is considered illegal.
consideration |
examples | The user sends a password that contains characters with ASCII values below hex 20 or above hex 7E.
code |
AE8: Providing Only The Username
id | AE8
title | Providing Only The Username
category | AuthenticationException
description | The user submits a POST request which only contains the username variable; the password variable has been removed. This is different from only entering the username in the login form, since in that case the password variable would be present but empty.
consideration |
examples | The user uses a proxy tool to remove the password variable from the submitted POST request.
code |
AE9: Providing Only The Password
id | AE9
title | Providing Only The Password
category | AuthenticationException
description | The user submits a POST request which only contains the password variable; the username variable has been removed. This is different from only entering the password in the login form, since in that case the username variable would be present but empty.
consideration |
examples | The user uses a proxy tool to remove the username variable from the submitted POST request.
code |
AE10: Adding Additional POST Variables
id | AE10
title | Adding Additional POST Variables
category | AuthenticationException
description | Additional, unexpected POST variables are received during an authentication request.
consideration |
examples | The user uses a proxy tool to add an additional POST variable, admin=true, to the POST request.
code |
AE11: Removing POST Variables
id | AE11
title | Removing POST Variables
category | AuthenticationException
description | Expected POST variables are not present in the submitted authentication request.
consideration |
examples | The user uses a proxy tool to remove one of the expected POST variables (e.g. guest=true) from the POST request.
code |
AE12: Utilization of Common User Names
id | AE12
title | Utilization of Common User Names
category | AuthenticationException
description | Common dictionary user names are used to attempt to log into the application.
consideration |
examples | Log in attempted with username "administrator", "admin" or "test"
code |
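The AuthenticationException detectors above share state: AE1 counts usernames per session, AE2 counts failures per username, AE3 needs a sliding time window, and AE8/AE9 need to know which POST variables were present rather than merely empty. As an added example (not AppSensor project code, and not from this page), the Python below keeps that state in one monitor and reports the detection points fired by each attempt of a constructed login stream. The thresholds, the common-username dictionary and the sample attempts are assumptions; AE10 and AE11 are omitted because they are the RE5/RE6 parameter-set check applied to the login page.

```python
"""AuthenticationException detectors (AE1-AE9, AE12) over a login stream.

Added example for this page, not AppSensor project code. Thresholds, the
common-username dictionary and the sample attempts are constructed for
illustration; tune them per application.
"""
from collections import defaultdict, deque

MAX_FIELD_LEN = 64                  # AE4 / AE5: longer usernames or passwords
MAX_USERNAMES_PER_SESSION = 2       # AE1: more distinct usernames than this
MAX_FAILURES_PER_USERNAME = 5       # AE2: more bad passwords than this
RATE_LIMIT, RATE_WINDOW = 5, 60.0   # AE3: more than 5 attempts in 60 seconds
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "guest"}  # AE12


def printable_ascii(value):
    """True when every character is in the printable range 0x20..0x7E."""
    return all(0x20 <= ord(c) <= 0x7E for c in value)


class LoginMonitor:
    """Keeps the per-session and per-username state the detectors need."""

    def __init__(self):
        self.usernames = defaultdict(set)    # session id -> usernames tried
        self.failures = defaultdict(int)     # username   -> bad passwords
        self.attempts = defaultdict(deque)   # session id -> attempt timestamps

    def observe(self, session_id, fields, timestamp, success):
        """Record one login attempt and return the detection points it fires.

        `fields` holds the POST variables actually present, so a removed
        variable (AE8/AE9) is distinguishable from an empty one.
        """
        events = []
        username = fields.get("username")
        password = fields.get("password")

        if "username" in fields and "password" not in fields:
            events.append("AE8")
        if "password" in fields and "username" not in fields:
            events.append("AE9")

        if username is not None:
            if len(username) > MAX_FIELD_LEN:
                events.append("AE4")
            if not printable_ascii(username):
                events.append("AE6")
            if username.lower() in COMMON_USERNAMES:
                events.append("AE12")
            tried = self.usernames[session_id]
            tried.add(username)
            if len(tried) > MAX_USERNAMES_PER_SESSION:
                events.append("AE1")
            if not success:
                self.failures[username] += 1
                if self.failures[username] > MAX_FAILURES_PER_USERNAME:
                    events.append("AE2")

        if password is not None:
            if len(password) > MAX_FIELD_LEN:
                events.append("AE5")
            if not printable_ascii(password):
                events.append("AE7")

        # AE3: sliding window of attempt timestamps for this session.
        window = self.attempts[session_id]
        window.append(timestamp)
        while window and timestamp - window[0] > RATE_WINDOW:
            window.popleft()
        if len(window) > RATE_LIMIT:
            events.append("AE3")
        return events


# Constructed sample stream: (session id, POST fields, time in seconds, success).
SAMPLE_ATTEMPTS = [
    ("s1", {"username": "bob", "password": "pass1"}, 0.0, False),
    ("s1", {"username": "bob", "password": "pass2"}, 1.0, False),
    ("s1", {"username": "bob", "password": "pass3"}, 2.0, False),
    ("s1", {"username": "bob", "password": "pass4"}, 3.0, False),
    ("s1", {"username": "bob", "password": "pass5"}, 4.0, False),
    ("s1", {"username": "bob", "password": "pass6"}, 5.0, False),   # 6th bad password, 6 in 60 s
    ("s2", {"username": "admin", "password": "x"}, 100.0, False),   # dictionary username
    ("s2", {"username": "sue"}, 101.0, False),                      # password variable removed
    ("s2", {"password": "x"}, 102.0, False),                        # username variable removed
    ("s2", {"username": "a\x00b", "password": "x" * 200}, 103.0, False),
]


def run_samples(attempts=SAMPLE_ATTEMPTS):
    """Feed the attempts through one monitor; returns one event list per attempt."""
    monitor = LoginMonitor()
    return [monitor.observe(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, events in zip(SAMPLE_ATTEMPTS, run_samples()):
        print(attempt[0], attempt[1], "->", events or "clean")
```

Keying AE1 and AE3 on the session identifier rather than the source address follows the AE1 description: one NAT address may hide many legitimate users, whereas an attacker who discards the session cookie on every request simply shows up as many single-attempt sessions, which a second, coarser per-address counter can catch.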
SessionException
SE1: Modifying Existing Cookies
id | SE1
title | Modifying Existing Cookies
category | SessionException
description | A request is received containing a cookie with a modified value. This can be determined when the cookie has been modified to an illegal value.
consideration |
examples | The user uses a proxy tool to change an encrypted cookie to an alternative value which does not decrypt correctly within the application; or the user modifies an unencrypted cookie and sets an illegal value for a particular variable.
code |
SE2: Adding New Cookies
id | SE2
title | Adding New Cookies
category | SessionException
description | A request is received which contains additional cookies that are not expected by the application.
consideration |
examples | The user uses a proxy tool to add additional cookies to the request.
code |
SE3: Deleting Existing Cookies
id | SE3
title | Deleting Existing Cookies
category | SessionException
description | A request is received which does not contain the expected cookies.
consideration |
examples | The user uses a proxy tool to remove cookies or portions of cookies from a request.
code |
SE4: Substituting Another User's Valid Session ID Or Cookie
id | SE4
title | Substituting Another User's Valid Session ID Or Cookie
category | SessionException
description | A request is received which contains cookie data that is clearly from another user or another session.
consideration |
examples | The user uses a proxy tool to substitute valid data from another user or session into the cookie, for example changing an identification number carried within the cookie.
code |
SE5: Source IP Address Changes During Session
id | SE5
title | Source IP Address Changes During Session
category | SessionException
description | Valid requests, containing valid session credentials, are received from multiple source IP addresses, indicating a possible session hijacking attack.
consideration | A full IP address may not be constant for some users during normal use. Enforcing a single fixed IP address per session may be valid for an intranet application. However, if the application is accessible over public networks, changes of IP address cannot be excluded, and it may be more useful to fix just part of the IP address (e.g. the network prefix), or to look for more significant changes such as the user's address moving to a different country or network operator (see Autonomous System Number (ASN)). Note: the source port number should not be used in checks, since it usually changes very frequently.
examples | User A's session is compromised and User B begins using the account. The requests originating from User B will probably have a different source IP address from User A's. The source IP addresses could be the same if both users were behind the same NAT.
code |
SE6: Change Of User Agent Mid Session
id | SE6
title | Change Of User Agent Mid Session
category | SessionException
description | The User-Agent header value changes during a session, indicating that a different browser is now being used. Although this value is under the control of the sender, a change may indicate that the session has been compromised and is being used by another individual. It is unlikely that the user has simply copied and pasted the URL from one browser to another on the same system, because that action would not carry over cookie-based session identifiers.
consideration | Optionally, also include other HTTP headers in this check. For example, the Accept-Encoding and Accept-Language headers do not normally change and could be concatenated with the User-Agent and hashed to create an identifier. The ideas described in Panopticlick and JavaScript browser fingerprinting can also be used to fingerprint a particular client system, but require the use of client-side code. Application owners should check the legality of collecting such data, and whether it is considered "personal data", which may carry additional constraints in some jurisdictions.
examples | Mid-session, the User-Agent changes from Firefox to Internet Explorer.
code |
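SE5 and SE6 are both session-binding checks: record what the first request of a session looked like and report later requests that differ. As an added example (not AppSensor project code, and not from this page), the Python below binds each session to a network prefix rather than a full address, as the SE5 consideration suggests for public applications, and to a hash of the User-Agent, Accept-Language and Accept-Encoding headers, as the SE6 consideration suggests. The prefix lengths, header set and request sequences are assumptions; the sample addresses come from the RFC 5737 documentation ranges.

```python
"""Session binding checks for SE5 (source IP change) and SE6 (User-Agent change).

Added example for this page, not AppSensor project code. The headers used
for the client fingerprint, the prefix lengths and the sample requests are
constructed for illustration.
"""
import hashlib
import ipaddress

# Headers that rarely change within one browser session (see SE6 consideration).
FINGERPRINT_HEADERS = ("User-Agent", "Accept-Language", "Accept-Encoding")


def client_fingerprint(headers):
    """Hash of the stable request headers; a change suggests a different client."""
    parts = [headers.get(name, "") for name in FINGERPRINT_HEADERS]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def network_of(client_ip, v4_prefix, v6_prefix):
    """Truncate an address to the network prefix that is held fixed per session."""
    addr = ipaddress.ip_address(client_ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


class SessionBinding:
    """Binds each session to the network and client fingerprint first seen.

    For an intranet application v4_prefix=32 pins the exact address; for a
    public application a shorter prefix (here /24) tolerates the address
    drift that mobile and NAT'd users show, as the SE5 consideration advises.
    """

    def __init__(self, v4_prefix=24, v6_prefix=64):
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.bound = {}     # session id -> (network, fingerprint)

    def check(self, session_id, client_ip, headers):
        """Return the detection points fired by a request carrying this session."""
        net = network_of(client_ip, self.v4_prefix, self.v6_prefix)
        fingerprint = client_fingerprint(headers)
        if session_id not in self.bound:
            self.bound[session_id] = (net, fingerprint)   # first request: bind
            return []
        bound_net, bound_fp = self.bound[session_id]
        events = []
        if net != bound_net:
            events.append("SE5")
        if fingerprint != bound_fp:
            events.append("SE6")
        return events   # the original binding is kept; the response policy decides what to do


FIREFOX = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:1.9.2) Gecko/20100101 Firefox/3.6",
           "Accept-Language": "en-GB,en;q=0.5", "Accept-Encoding": "gzip,deflate"}
MSIE = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
        "Accept-Language": "en-US", "Accept-Encoding": "gzip, deflate"}

# Constructed request sequence for one public-site session (RFC 5737 test addresses).
PUBLIC_SEQUENCE = [
    ("sess-1", "203.0.113.10", FIREFOX),   # first request binds the session
    ("sess-1", "203.0.113.77", FIREFOX),   # same /24: tolerated
    ("sess-1", "198.51.100.5", FIREFOX),   # different network: SE5
    ("sess-1", "198.51.100.5", MSIE),      # and a different browser: SE5 + SE6
]


def run_public():
    binding = SessionBinding(v4_prefix=24)
    return [binding.check(*req) for req in PUBLIC_SEQUENCE]


def run_intranet():
    """Exact-address binding: even a neighbouring address is reported."""
    binding = SessionBinding(v4_prefix=32)
    return [binding.check("sess-2", ip, FIREFOX) for ip in ("10.0.0.5", "10.0.0.6")]


if __name__ == "__main__":
    print(run_public())     # [[], [], ['SE5'], ['SE5', 'SE6']]
    print(run_intranet())   # [[], ['SE5']]
```

The binding is deliberately not updated when a mismatch is seen: if the hijacker's request re-bound the session, the legitimate user's next request would be the one reported. Whether a mismatch ends the session, forces re-authentication or only raises the logging level is a response decision, not a detection one.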
AccessControlException
ACE1: Modifying URL Arguments Within a GET For Direct Object Access Attempts
id | ACE1
title | Modifying URL Arguments Within a GET For Direct Object Access Attempts
category | AccessControlException
description | The application is designed to use an identifier for a particular object, such as categoryID=4 or user=guest within the URL. A user modifies this value in an attempt to access unauthorized information. This exception should be thrown whenever the identifier received from the user is not authorized, whether because the identifier does not exist or because it is not authorized for that user.
consideration |
examples | The user modifies the identifier in the URL, e.g. changing categoryID=4 to another value, in an attempt to access an object that does not exist or is not authorized for them.
code |
ACE2: Modifying Parameters Within A POST For Direct Object Access Attempts
id | ACE2
title | Modifying Parameters Within A POST For Direct Object Access Attempts
category | AccessControlException
description | The value of a non-free-text HTML form element (e.g. drop-down box, radio button) is modified to an illegal value. The value either does not exist or is not authorized for the user.
consideration |
examples | The user uses a proxy tool to intercept a POST request and changes the posted value to one that was not available through the normal display. For example, the user encounters a drop-down box containing the numbers 1 through 10, selects 5, and then intercepts the POST to change the submitted value to 100.
code |
ACE3: Force Browsing Attempts
id | ACE3
title | Force Browsing Attempts
category | AccessControlException
description | An authenticated or unauthenticated user sends a request for a non-existent resource (e.g. page, directory listing, image, file, etc.), or for a resource that is not authorized for that user.
consideration |
examples |
Example 1: The user is authenticated and requests site.com/PageThatDoesNotExist
Example 2: The user is authenticated and requests a video they are not authorized to download/view
Example 3: An unauthenticated user (perhaps with a session ID) requests a listing of a directory named in the site's robots.txt file
code |
ACE4: Evading Presentation Access Control Through Custom Posts
id | ACE4
title | Evading Presentation Access Control Through Custom Posts
category | AccessControlException
description | A POST request is received which is not authorized for the current user, and which the user could not have generated without crafting a custom POST request. This situation is most likely to occur when presentation-layer access controls are in place and have removed the user's ability to initiate the action through the application's user interface. An attacker who is aware of the functionality may attempt to bypass the presentation-layer control by crafting their own request and sending it in an attempt to execute the functionality.
consideration |
examples | The application allows an administrator to delete a user. This function is normally invoked by entering the username and posting to https://oursite/deleteuser. Presentation-layer access controls ensure the delete-user form is not displayed to non-administrator users. A malicious user with access to a non-administrator account is aware of the delete-user functionality and sends a custom-crafted POST to https://oursite/deleteuser in an attempt to execute it.
code |
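The four AccessControlException points are all raised from the server-side authorization layer, which is where the check has to live whatever the user interface shows. As an added example (not AppSensor project code, and not from this page), the Python below implements that layer for a hypothetical application: ACE1 refuses a non-existent and a foreign object identically, so the response does not reveal which identifiers exist; ACE2 compares a submitted select value against the options the server recorded as rendered for that session; ACE3 treats a request for an unknown resource as forced browsing; ACE4 authorizes the delete-user action by role regardless of whether the form was displayed. Object store, roles, users and option lists are constructed.

```python
"""AccessControlException detectors ACE1-ACE4 inside a server-side authorizer.

Added example for this page, not AppSensor project code. The object store,
roles, users and rendered option lists are constructed for illustration.
"""

# Hypothetical data: document id -> owning user; which role may call which action.
DOCUMENTS = {4: "alice", 5: "bob", 6: "alice"}
ACTION_ROLES = {"deleteuser": {"admin"}, "viewdoc": {"admin", "user"}}
USER_ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

# The resources the site actually serves; anything else is forced browsing.
KNOWN_PATHS = {"/", "/viewdoc", "/deleteuser", "/profile"}


class Denied(Exception):
    """Raised for every refused access; carries the detection point to record."""

    def __init__(self, detection_point, reason):
        super().__init__(f"{detection_point}: {reason}")
        self.detection_point = detection_point


def view_document(user, doc_id):
    """ACE1: the identifier from the URL must exist and belong to the caller.

    A non-existent and a foreign object produce the same exception, so the
    response does not tell the prober which identifiers are valid.
    """
    owner = DOCUMENTS.get(doc_id)
    if owner is None or owner != user:
        raise Denied("ACE1", f"user {user} may not read document {doc_id}")
    return f"document {doc_id} of {owner}"


def choose_option(session, field, submitted):
    """ACE2: a select/radio value must be one the server actually rendered.

    `session['rendered']` is assumed to hold, per field, the option values
    sent to this client when the form page was generated.
    """
    offered = session.get("rendered", {}).get(field, set())
    if submitted not in offered:
        raise Denied("ACE2", f"{field}={submitted!r} was not an offered option")
    return submitted


def route(path):
    """ACE3: a request for a resource that does not exist is forced browsing."""
    if path not in KNOWN_PATHS:
        raise Denied("ACE3", f"{path} does not exist")
    return path


def invoke_action(user, action):
    """ACE4: authorize on the server, whatever the UI did or did not show."""
    if USER_ROLES.get(user) not in ACTION_ROLES.get(action, set()):
        raise Denied("ACE4", f"{user} crafted a request for {action}")
    return f"{action} executed by {user}"


def attempt(fn, *args):
    """Run one access and return ("ok", result) or ("event", detection point)."""
    try:
        return ("ok", fn(*args))
    except Denied as exc:
        return ("event", exc.detection_point)


def run_samples():
    """Constructed probes, mostly by bob, a regular user, and what they fire."""
    session = {"rendered": {"quantity": {"1", "2", "3", "4", "5"}}}
    return [
        attempt(view_document, "bob", 5),                     # own document
        attempt(view_document, "bob", 4),                     # alice's: ACE1
        attempt(view_document, "bob", 99),                    # non-existent: also ACE1
        attempt(choose_option, session, "quantity", "5"),
        attempt(choose_option, session, "quantity", "100"),   # ACE2
        attempt(route, "/viewdoc"),
        attempt(route, "/PageThatDoesNotExist"),              # ACE3
        attempt(invoke_action, "carol", "deleteuser"),        # admin: allowed
        attempt(invoke_action, "bob", "deleteuser"),          # ACE4
    ]


if __name__ == "__main__":
    for outcome in run_samples():
        print(outcome)
```

Raising one exception type for every refusal lets a single handler both return the generic error page and record the detection point against the session, which keeps the enforcement and the AppSensor instrumentation in one place.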
InputException
IE1: Cross Site Scripting Attempt
id | IE1
title | Cross Site Scripting Attempt
category | InputException
description | The HTTP request contains common XSS attack strings, often used by attackers probing for XSS vulnerabilities. Detection should be configured to test all GET and POST values, as well as all header names and values, for the strings listed in the examples.
consideration |
examples | The user uses a proxy tool to add an XSS attack string to a header value and to the "displayname" POST variable. The header value could be displayed to an administrator viewing log files, and the "displayname" POST variable may be stored by the application and displayed to other users. Note that the following XSS strings would be used by an attacker to probe for a vulnerability; an actual XSS attack would be customised by the attacker.
<script>alert(document.cookie);</script>
<script>alert();</script>
alert(String.fromCharCode(88,83,83))
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=javascript:alert("XSS")>
<BODY ONLOAD=alert('XSS')>
code |
IE2: Violations Of Implemented White Lists
id |
IE2 |
title |
Violations Of Implemented White Lists |
category |
InputException |
description |
The application receives user-supplied data that violates an established white list validation. |
consideration | |
examples |
The user submits data that is not valid for the particular field. This is not necessarily attack data, but repeated violations could be an attempt by an attacker to determine how the application works or to discover a flaw. |
code |
IE3: Violations Of Implemented Black Lists
id |
IE3 |
title |
Violations Of Implemented Black Lists |
category |
InputException |
description |
The application receives user-supplied data that violates an established black list validation. |
consideration | |
examples |
The application receives user-supplied data that violates an established black list validation. This is not necessarily attack data, but repeated violations could be an attempt by an attacker to determine how the application works, to discover a flaw, or to exploit a flaw. The black list approach suffers from a greater potential for false positives than IE2 above, and cannot be used to identify all potentially malicious data. Example 1: A URL in a comment field is identified as a suspected phishing or malware page using the Google Safe Browsing API. Example 2: A parameter value matches a known SQL injection pattern. Example 3: A parameter value matches a known XSS pattern. |
code |
IE4: Violation of Input Data Integrity
id |
IE4 |
title |
Violation of Input Data Integrity |
category |
InputException |
description |
The application receives HTTP header or body parameter values which have been tampered with when no change should have occurred. |
consideration | |
examples |
Example 1: Hidden form field modified by the client. Example 2: Select list value submitted in the response that was not sent by the server as an available option value. Example 3: Cookie set by the server has been manipulated by the client. Example 4: Cookie created by the client instead of by the server. |
code |
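Examples 1 and 2 above can only be detected if the server remembers, or can verify, what it actually sent. The following Python is an added illustration of one way to do that, not code from AppSensor or its reference implementations: hidden fields carry an HMAC over their name and value, and the set of select options offered is stored in the session so the submitted choice can be compared against it. Cookies (examples 3 and 4) can be protected with the same MAC technique. The secret key, the form fields, the session layout and the product/price/shipping names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed key for this example; in production this is a managed, rotated secret.
SECRET_KEY = b"example-form-integrity-key"


def _mac(name: str, value: str) -> str:
    # Binding the field name into the MAC stops a signed value being replayed in another field.
    return hmac.new(SECRET_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_hidden(name: str, value: str) -> str:
    """Emit a hidden field as value|mac so any client-side change is detectable."""
    return f"{value}|{_mac(name, value)}"


def verify_hidden(name: str, submitted: str):
    """Return the original value, or None if the field is missing or was tampered with."""
    value, _, mac = submitted.rpartition("|")
    if not hmac.compare_digest(mac.encode(), _mac(name, value).encode()):
        return None
    return value


def render_form(session: dict, product_id: str, price_cents: int, shipping_options: list) -> dict:
    """Server side: sign the hidden fields and remember which select options were offered."""
    session["form_state"] = {"shipping_allowed": set(shipping_options)}
    return {
        "product": sign_hidden("product", product_id),
        "price": sign_hidden("price", str(price_cents)),
        "shipping": list(shipping_options),
    }


def check_submission(session: dict, form: dict) -> list:
    """IE4: one (point, detail) event per integrity violation; an empty list means intact."""
    events = []
    for name in ("product", "price"):
        if verify_hidden(name, form.get(name, "")) is None:
            events.append(("IE4", f"hidden field {name!r} modified or missing"))
    allowed = session.get("form_state", {}).get("shipping_allowed", set())
    if form.get("shipping") not in allowed:
        events.append(("IE4", "select value not among options sent by server"))
    return events


if __name__ == "__main__":
    session = {}
    sent = render_form(session, "sku-42", 1999, ["standard", "express"])
    tampered = {"product": sent["product"], "price": "1|" + sent["price"].split("|")[1], "shipping": "free"}
    print(check_submission(session, tampered))
```

Because the MAC is keyed, the client cannot produce a valid one for a changed value, so a verification failure is a tampering event rather than a user mistake; the select-list check is weaker only in that a stale tab or double submission can trigger it, which is why IE4 belongs in a threshold rather than being an instant block.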
EncodingException
EE1: Double Encoded Characters
id |
EE1 |
title |
Double Encoded Characters |
category |
EncodingException |
description |
An HTTP request is received which contains values that have been double encoded. |
consideration | |
examples |
The user encodes the % symbol as %25 and appends 3C. The user is sending %253C; a first decoding pass yields %3C, and a second pass yields the < character. |
code |
EE2: Unexpected Encoding Used
id |
EE2 |
title |
Unexpected Encoding Used |
category |
EncodingException |
description |
An HTTP request is received which contains values that have been encoded in an unexpected format. |
consideration | |
examples |
The user encodes an attack such as alert(document.cookie) in UTF-7 and sends this data to the application. This could bypass validation filters and, in certain situations, be rendered to a user. Cross references: |
code |
CommandInjectionException
CIE1: Blacklist Inspection For Common SQL Injection Values
id |
CIE1 |
title |
Blacklist Inspection For Common SQL Injection Values |
category |
CommandInjectionException |
description |
A request is received which contains common SQL injection attack attempts. The point of this detection is not to detect all variations of a SQL injection attack, but to detect the common probes which an attacker or tool might use to determine if a SQL injection vulnerability is present. Unless the site contains some sort of message board for discussing SQL injection, there is little reason that the SQL injection examples should ever be received from a user request. |
consideration | |
examples |
The user sends a request and modifies a URL parameter from category=5 to category=5' OR '1'='1 in an attempt to perform an SQL injection attack. The user could perform similar attacks by modifying POST variables or even the request headers to contain SQL injection strings. ' OR '1'='1 ' OR 'a'='a ' OR 1=1-- xp_cmdshell UNION JOIN Cross references: |
code |
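IE1, IE3 and CIE1 are the same mechanism applied to different signature lists: every GET and POST value and every header name and value is compared against a short list of well-known probe strings. The Python below is an added illustration of that mechanism, not code from AppSensor or its reference implementations. The patterns are generalised from the probe strings listed in the IE1 and CIE1 examples on this page; the request shape (three dicts) and the sample request are constructed for the example.

```python
import re
from urllib.parse import unquote

# Probe strings from the IE1 and CIE1 examples, generalised into case-insensitive
# patterns. They are deliberately narrow: the aim is the common probes a scanner
# sends, not every XSS or SQL injection variant.
SIGNATURES = {
    "IE1": [
        r"<script[\s>]",                           # <script>alert(document.cookie);</script>
        r"javascript\s*:",                         # <IMG SRC="javascript:alert('XSS');">
        r"\bon(load|error|click|mouseover)\s*=",   # <BODY ONLOAD=alert('XSS')>
        r"string\.fromcharcode\s*\(",              # alert(String.fromCharCode(88,83,83))
    ],
    "CIE1": [
        r"'\s*or\s*'[^']*'\s*=\s*'",               # ' OR '1'='1   ' OR 'a'='a
        r"'\s*or\s+1\s*=\s*1\s*--",                # ' OR 1=1--
        r"\bxp_cmdshell\b",
        r"\bunion\s+(all\s+)?select\b",
        r"\bunion\s+join\b",
    ],
}
COMPILED = {pid: [re.compile(p, re.I) for p in pats] for pid, pats in SIGNATURES.items()}


def inspect_value(location: str, name: str, value: str) -> list:
    """Return one (point, location, name, pattern) hit per detection point for a value."""
    decoded = unquote(value)          # so %3Cscript%3E and <script> hit the same rule
    hits = []
    for pid, patterns in COMPILED.items():
        for pat in patterns:
            if pat.search(decoded):
                hits.append((pid, location, name, pat.pattern))
                break                 # one event per detection point per value
    return hits


def inspect_request(query: dict, form: dict, headers: dict) -> list:
    """IE1/CIE1 require all GET and POST values plus header names and values to be checked."""
    hits = []
    for location, items in (("query", query), ("form", form), ("header", headers)):
        for name, value in items.items():
            hits.extend(inspect_value(location, name, value))
            if location == "header":
                hits.extend(inspect_value("header-name", name, name))
    return hits


if __name__ == "__main__":
    # Constructed request: a SQL probe in the query string, an XSS probe in a form
    # field and another in the Referer header, plus an innocent value.
    for hit in inspect_request(
        {"category": "5' OR '1'='1"},
        {"displayname": "<script>alert(document.cookie);</script>", "bio": "I like C++"},
        {"User-Agent": "Mozilla/5.0", "Referer": "<IMG SRC=javascript:alert('XSS')>"},
    ):
        print(hit)
```

Each hit carries the location and parameter name so the response can be targeted (for instance, tightening thresholds only for the session that sent it) and so log reviewers can tell a probe in a header from one in a stored field.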
CIE2: Detect Abnormal Quantity Of Returned Records
id |
CIE2 |
title |
Detect Abnormal Quantity Of Returned Records |
category |
CommandInjectionException |
description |
A database query is executed which returns more records than expected. For example, if the query should only return 1 record and 100 records are returned, then something has likely gone wrong. |
consideration | |
examples |
The application is designed to allow a user to maintain 5 profiles. A user makes a request to view all of their profiles. The database query, which is expected to always return 5 or less results, returns 10,000 records. Something in the application, or user's actions, has caused unauthorized data to be returned. |
code |
CIE3: Null Byte Character In File Request
id |
CIE3 |
title |
Null Byte Character In File Request |
category |
CommandInjectionException |
description |
A request is received to download a file from the server, and the requested filename contains a null byte. This is an attempted injection attack against the operating system's file handling: the null byte terminates the name at the C string level, discarding whatever the application appended after it. |
consideration | |
examples |
The user modifies the filename of the requested file so that it contains a null byte. The null byte can be added by inserting the URL-encoded hex value %00. Cross references: |
code |
CIE4: Carriage Return Or Line Feed Character In File Request
id |
CIE4 |
title |
Carriage Return Or Line Feed Character In File Request |
category |
CommandInjectionException |
description |
A request is received which contains carriage return or line feed characters within the posted data or the URL parameters. This is an attempted HTTP response splitting attack. |
consideration | |
examples |
The user includes the hex value %0D or %0A in the HTTP request POST data or URL parameters. Cross references: |
code |
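EE1, EE2, CIE3 and CIE4 are all decided on the wire-format value before the framework decodes it, and they share one rule: decode, then look at what is left. The Python below is an added illustration of that decode-then-inspect step for all four points, not code from AppSensor or its reference implementations. The UTF-7 and %uXXXX checks for EE2 are heuristics chosen for the example, the decode bound is an assumption, and the sample values are constructed.

```python
import re
from urllib.parse import unquote

PERCENT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")
UNICODE_PCT = re.compile(r"%u[0-9A-Fa-f]{4}", re.I)   # %uXXXX form, not RFC 3986 percent-encoding
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]{2,}-")       # heuristic: UTF-7 shift sequence such as +ADw- ("<")


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, with a bound so crafted input
    cannot keep the decoder busy."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_raw_value(location: str, name: str, raw: str) -> dict:
    """Inspect a wire-format value. Returns the detection points hit and the canonical form."""
    hits = []
    once = unquote(raw)
    if PERCENT_SEQ.search(once):
        hits.append("EE1")        # %253C survived one decode as %3C: double encoding
    if UNICODE_PCT.search(raw) or UTF7_SHIFT.search(once):
        hits.append("EE2")        # an encoding the application never emits itself
    canonical = canonicalize(raw)
    if "\x00" in canonical:
        hits.append("CIE3")       # null byte (%00) in a file name
    if "\r" in canonical or "\n" in canonical:
        hits.append("CIE4")       # CR/LF (%0D %0A) as used for response splitting
    return {"location": location, "name": name, "hits": hits, "canonical": canonical}


if __name__ == "__main__":
    # Constructed values, one per detection point, plus an innocent one.
    for raw in ("%253Cscript%253E", "%2BADw-script%2BAD4-", "report.pdf%00.jpg",
                "x%0D%0ASet-Cookie:%20a=1", "I%20like%20C%2B%2B"):
        print(raw, "->", inspect_raw_value("query", "q", raw))
```

The canonical value is returned alongside the hits because the same canonical form should be what the blacklist checks (IE1, IE3, CIE1) and the business logic see; inspecting one form while processing another is exactly the gap double encoding exploits.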
FileIOException
FIO1: Detect Large Individual Files
id |
FIO1 |
title |
Detect Large Individual Files |
category |
FileIOException |
description |
A file upload feature detects that a large file has been submitted for upload which exceeds the maximum upload size. |
consideration | |
examples |
The user attempts to upload a large file to occupy resources or fill up disk space. |
code |
FIO2: Detect Large Number Of File Uploads
id |
FIO2 |
title |
Detect Large Number Of File Uploads |
category |
FileIOException |
description |
A user uploads an excessively large number of files. |
consideration | |
examples |
A single user attempts to upload many small files to occupy resources or fill up disk space. |
code |
Honey Trap
TBD
Some ideas: http://blogs.sans.org/appsecstreetfighter/2009/06/04/my-top-6-honeytokens/
UserTrendException
UT1: Irregular Use Of Application
id |
UT1 |
title |
Irregular Use Of Application |
category |
UserTrendException |
description |
The application receives numerous requests for the same page or feature from a user. The user may be sending different data combinations or trying to detect errors in the page. |
consideration | |
examples |
The user requests a particular page, such as the address update page, numerous times. |
code |
UT2: Speed Of Application Use
id |
UT2 |
title |
Speed Of Application Use |
category |
UserTrendException |
description |
The speed of requests from a user indicates that an automated tool is being used to access the site. The use of a tool may indicate reconnaissance for an attack or attempts to identify vulnerabilities in the site. |
consideration | |
examples |
The user utilizes an automated tool to request hundreds of pages per minute. |
code |
UT3: Frequency Of Site Use
id |
UT3 |
title |
Frequency Of Site Use |
category |
UserTrendException |
description |
A user who normally accesses the site about once per week is now accessing it many times per day. |
consideration | |
examples | |
code |
UT4: Frequency Of Feature Use
id |
UT4 |
title |
Frequency Of Feature Use |
category |
UserTrendException |
description |
The rate of a user utilizing a particular application feature changes dramatically. |
consideration | |
examples | |
code |
SystemTrendException
STE1: High Number Of Logouts Across The Site
id |
STE1 |
title |
High Number Of Logouts Across The Site |
category |
SystemTrendException |
description |
A sudden spike in logouts across the application could indicate an XSS or CSRF attack placed within the application which is automatically logging off users. |
consideration | |
examples |
The hourly usage of the logoff feature of the application suddenly spikes by 500%. |
code |
STE2: High Number Of Logins Across The Site
id |
STE2 |
title |
High Number Of Logins Across The Site |
category |
SystemTrendException |
description |
A sudden spike in logins across the application could indicate users being redirected to the site from a phishing email looking to exploit an XSS vulnerability in the site. |
consideration | |
examples |
The hourly usage of the logon feature of the application suddenly spikes by 500%. |
code |
STE3: High Number Of Same Transaction Across The Site
id |
STE3 |
title |
High Number Of Same Transaction Across The Site |
category |
SystemTrendException |
description |
A sudden spike in similar activity across numerous users of the application may indicate a phishing attack or CSRF attack against the users. |
consideration | |
examples |
The hourly usage of the update email address feature of the application suddenly spikes by 500%. |
code |
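The per-user rate checks in UT1 and UT2 and the site-wide spike checks in STE1 to STE3 are all sliding-window counters compared against either a fixed limit or a learned baseline. The Python below is an added illustration of both kinds in one monitor, not code from AppSensor or its reference implementations. The window length, the limits, the 500% spike factor and the mapping of the logoff and login features to STE1 and STE2 (everything else to STE3) are assumptions to be tuned per application; the event stream in the usage block is constructed.

```python
from collections import defaultdict, deque

# Which SystemTrendException point a site-wide spike in a feature maps to.
# Assumption for this example: logoff -> STE1, login -> STE2, anything else -> STE3.
STE_POINTS = {"logoff": "STE1", "login": "STE2"}


class TrendMonitor:
    """Sliding-window counters for UT1/UT2 (per user) and STE1-3 (across all users)."""

    def __init__(self, window_seconds=60, per_user_limit=200, per_feature_limit=30, spike_factor=5.0):
        self.window = window_seconds
        self.per_user_limit = per_user_limit        # UT2: requests per user per window
        self.per_feature_limit = per_feature_limit  # UT1: requests per user per feature per window
        self.spike_factor = spike_factor            # STE: 5.0 means a 500% rise over baseline
        self.user_requests = defaultdict(deque)
        self.user_feature = defaultdict(deque)
        self.feature_all = defaultdict(deque)
        self.baseline = {}                          # feature -> normal count per window
        self.spiking = set()                        # features already reported, so STE fires once

    def set_baseline(self, feature, count_per_window):
        """Normal site-wide usage of a feature per window, learned from history."""
        self.baseline[feature] = count_per_window

    def _count(self, dq, now):
        """Record an event at time `now` and return how many fall inside the window."""
        dq.append(now)
        while dq[0] <= now - self.window:
            dq.popleft()
        return len(dq)

    def observe(self, now, user, feature):
        """Record one request; return the list of (point, user, feature) events it triggers."""
        events = []
        if self._count(self.user_requests[user], now) > self.per_user_limit:
            events.append(("UT2", user, feature))
        if self._count(self.user_feature[(user, feature)], now) > self.per_feature_limit:
            events.append(("UT1", user, feature))
        total = self._count(self.feature_all[feature], now)
        base = self.baseline.get(feature)
        spiking = base is not None and total >= self.spike_factor * base
        if spiking and feature not in self.spiking:
            self.spiking.add(feature)
            events.append((STE_POINTS.get(feature, "STE3"), "*", feature))
        elif not spiking:
            self.spiking.discard(feature)
        return events


if __name__ == "__main__":
    # Constructed stream: one user hammering the address page, then a site-wide logoff burst.
    m = TrendMonitor(window_seconds=60, per_user_limit=5, per_feature_limit=3)
    m.set_baseline("logoff", 2)
    for t in range(6):
        print(t, m.observe(t, "bob", "address"))
    for i in range(12):
        ev = m.observe(10 + i, f"user{i}", "logoff")
        if ev:
            print(10 + i, ev)
```

The STE events are reported once per spike and reset when the count drops back below the threshold, so a sustained attack produces one alert rather than one per request; the UT events are per request, which is what a threshold-and-response policy expects to count.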
Reputation
These reputation detection points could be treated either as:
- like any other detection point contributing to the count of suspicious events, or
- used to alter security logging, or the threshold levels, or associated response actions
The former could lead to a much higher false positive rate.
RP1: Suspicious or Disallowed User IP Address
id |
RP1 |
title |
Suspicious or Disallowed User IP Address |
category |
Reputation |
description |
The user is identified as using an IP address that appears on a blacklist. |
consideration |
Suspicious or invalid IP addresses and address ranges may be identified using a whitelist, an internal blacklist, a list of Tor nodes (e.g. https://torstat.xenobite.eu/), an HTTP blacklist (e.g. http://www.projecthoneypot.org/httpbl.php and DShield http://www.dshield.org), a list of spammers (e.g. Spamhaus http://www.spamhaus.org/) or a list of known botnets (e.g. http://www.shadowserver.org/wiki/). "Suspicious" may also depend upon the type of user, e.g. users in the "CMS manager" role should be using an internal network IP address, public users could be from anywhere, customers should only be accessing the application from a particular geographical region, and search engine robots should be from a limited range of IP addresses. Take care that "suspicious" does not contribute to greater false positives. |
examples |
Example 1: A user with an external IP address is accessing an internal application, which should not be occurring Example 2: An authenticated user is accessing the application using a known Tor node, and attack detection thresholds are made more strict Example 3: An authenticated user is accessing the application from a known trustworthy IP address, and thresholds for certain activity (e.g. input data validation errors) are relaxed slightly |
code |
RP2: Suspicious External User Behavior
id |
RP2 |
title |
Suspicious External User Behavior |
category |
Reputation |
description |
External (to the application) devices and systems (e.g. host and network IDS, file integrity monitoring, disk usage monitoring, anti-malware service, IPS, network firewall, web application firewall, web server logging, XML gateway, database firewall, SIEM) detect anomalous behavior by the user (identified e.g. by session and/or IP address). This information can be used by the application to contribute to its knowledge about a potential attacker. In some cases the information could be detected by the application itself (e.g. XSS pattern black listing), but may be more effectively identified by the external device, or is not normally known to the application (e.g. requests for missing resources that the web server sees but does not pass on to the application). |
consideration |
The greater the knowledge a device or system has about the application, the greater the confidence that can be given to its evidence of suspicious behaviour. For example, attempted SQL injection detected by a web application firewall (WAF) might be given greater weight than information from a network firewall about the IP address. The power of AppSensor is its accuracy and low false positive rate, and the use of external data should be carefully assessed to ensure it does not contribute to a higher false positive rate. |
examples |
Example 1: An IDS has detected suspicious activity by a particular IP address, and this is used to temporarily tighten the attack detection thresholds for requests from all users in the same IP address range. Example 2: An application is using the ModSecurity web application firewall with the Core Rule Set, and utilises the anomaly score data passed forward in the X-WAF-Events and X-WAF-Score HTTP headers (optional rules in modsecurity_crs_49_header_tagging.conf) to adjust the level of application logging for each user |
code |
RP3: Suspicious Client-Side Behavior
id |
RP3 |
title |
Suspicious Client-Side Behavior |
category |
Reputation |
description |
The application receives a report of client-side security policy exceptions |
consideration |
Take care this information does not contribute to greater false positives. |
examples |
Example 1: An internal corporate intranet application detects use of a non-standard workstation configuration (e.g. using JavaScript font or plugin detection; see SE6: Change Of User Agent Mid Session). An alert is raised for further investigation. Example 2: An online banking application receives details of suspicious client-side behaviour that would not be expected in normal application use, via a Firefox Content Security Policy violation report. The application increases logging for the user, and decreases the monetary limit at which the user's payments require manual authorisation by bank staff. |
code |
RP4: Change to Environment Threat Level
id |
RP4 |
title |
Change to Environment Threat Level |
category |
Reputation |
description |
The general threat level (e.g. the general risk of attack from the Internet, or specific targeted attacks against an organisation) is elevated. This could also be used to change response sensitivity due to short-term effects such as application upgrades or patching. |
consideration |
This input could be used to alter thresholds for AppSensor responses. |
examples |
Example 1: A machine-readable threat index is read from a third-party and is used to control security logging levels. Example 2: Business circumstances (e.g. increased attention by activists) raises the suspicion the application may be at increased risk of mis-use, and response thresholds for attack detection are tightened for non-authenticated users. |
code |
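The Reputation section opens by recommending that RP1 to RP4 adjust thresholds and logging rather than count as suspicious events. The Python below is an added illustration of that second option for RP1 (IP lists and role expectations), RP2 (the WAF anomaly score forwarded in X-WAF-Score) and RP4 (an environment threat level), not code from AppSensor or its reference implementations. The address lists use RFC 5737 documentation ranges and are constructed; the "Total=N; ..." layout of X-WAF-Score is assumed from the CRS header tagging rules named under RP2; the threat level names, the scaling factors and the CRS inbound threshold of 5 are assumptions for the example.

```python
import ipaddress
import re

# Constructed lists. In practice they are fed from the sources named under RP1
# (internal lists, Tor node lists, http:BL, DShield, Spamhaus, Shadowserver).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
TOR_EXITS = {ipaddress.ip_address("198.51.100.7")}
ROLES_EXPECTED_INTERNAL = {"cms_manager"}   # RP1: CMS managers should come from the internal network


def ip_reputation(ip_str: str, role: str) -> tuple:
    """RP1: classify the client address as block, suspicious, trusted or neutral."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in n for n in BLOCKLIST):
        return "block", "blocklisted range"
    if role in ROLES_EXPECTED_INTERNAL and not any(ip in n for n in INTERNAL_NETS):
        return "suspicious", f"{role} from external address"
    if ip in TOR_EXITS:
        return "suspicious", "Tor exit node"
    if any(ip in n for n in TRUSTED):
        return "trusted", "trusted range"
    return "neutral", ""


TOTAL_RE = re.compile(r"Total=(\d+)")


def waf_score(headers: dict) -> int:
    """RP2: inbound anomaly score from X-WAF-Score. The 'Total=N; ...' layout is an
    assumption about the CRS header tagging output; anything unparsable counts as 0."""
    m = TOTAL_RE.search(headers.get("X-WAF-Score", ""))
    return int(m.group(1)) if m else 0


THREAT_FACTOR = {"normal": 1.0, "elevated": 0.75, "high": 0.5}   # RP4 levels (assumed names)


def effective_thresholds(base: dict, verdict: str, waf: int, threat_level: str) -> dict:
    """Scale per-detection-point thresholds instead of counting reputation as an event.
    base maps a detection point ID to the number of events that triggers a response."""
    factor = {"suspicious": 0.5, "trusted": 1.5}.get(verdict, 1.0)
    if waf >= 5:                      # assumption: CRS default inbound anomaly threshold
        factor *= 0.5
    factor *= THREAT_FACTOR[threat_level]
    return {point: max(1, round(n * factor)) for point, n in base.items()}


if __name__ == "__main__":
    base = {"IE2": 12, "CIE1": 4}
    verdict, why = ip_reputation("198.51.100.7", "user")
    score = waf_score({"X-WAF-Score": "Total=7; sqli=5; xss=2"})
    print(verdict, why, score, effective_thresholds(base, verdict, score, "normal"))
```

A threshold never drops below 1, so even the most distrusted source still needs a real detection event before any response fires; reputation only decides how many events that takes, which keeps the false positive behaviour the section warns about out of the event count itself.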