RE1

Unexpected HTTP Command

RequestException

An HTTP request is received which contains unexpected/disallowed commands.

A list of accepted commands should be generated (i.e. GET and POST) and all other HTTP commands should generate an event.

Instead of a GET or POST request, the user sends a TRACE request to the application.

Cross references:

• OWASP ModSecurity Core Rule Set Project v2.0.5
  • (30) HTTP Policy Enforcement: Method Is Not Allowed by Policy (960032)

[Java] [.Net] [PHP]

RE2

Attempt to Invoke Unsupported HTTP Method

RequestException

An HTTP request is received which contains a non-existent HTTP command (does not match anything in this list: HEAD,GET,POST,PUT,DELETE,TRACE,OPTIONS,CONNECT).

Instead of a GET or POST request, the user sends a TEST request to the application (TEST is not a valid HTTP request method).

[Java] [.Net] [PHP]

RE3

GET When Expecting POST

RequestException

A page which is expecting only POST requests, is requested by HTTP method GET.

Some pages may be designed to receive both GET and POST requests.

The user sends a GET request to a page which has only been used for POSTs.

[Java] [.Net] [PHP]

RE4

POST When Expecting GET

RequestException

A page which is expecting only GET requests, receives a POST.

The user utilizes a proxy tool to build a custom POST request and sends it to a page which has been accessed by GET requests.

[Java] [.Net] [PHP]

RE5

Additional/Duplicated Data in Request

RequestException

Additional unexpected parameters or HTTP headers, or duplicates, are received with the request.

Additional parameters may be an attempt to override values or to exploit unexposed functionality. Duplicated parameters may be an indication of attempted HTTP parameter pollution.

Beware of firing this detector when additional cookies, not used by the application, are found (as opposed to duplicated cookies) since these may relate to third-party code (e.g. advertisements, analytics) or some other application.

Note that extra HTTP headers may be added by intermediate proxies, and unless the network configuration is fixed (an internal network perhaps), additional headers cannot be controlled and thus cannot be used to infer existence of a potential attacker.

Example 1: Additional form or URL parameters submitted with request (e.g. debug=1, servervariable=2000).

Example 2: A parameter is defined more than once in the URL Query String.

Example 3: An HTTP header is duplicated.

Example 4: An additional HTTP header is found.

[Java] [.Net] [PHP]

RE6

Data Missing from Request

RequestException

Expected parameters or HTTP headers are missing from the request.

Bookmarking and use of a browser's "back button" can lead to requests without the expected parameters.

Example 1: A page is requested without any of the required form paramaters.

Example 2: The HTTP-Accept header is not present in a request.

[Java] [.Net] [PHP]

AE1

Use of Multiple Usernames

AuthenticationException

Multiple usernames are attempted when logging into the application.

The assignment of login attempts to a user can be based on a sessionID given to the user when they first visit the website. Correlating based on IP address is difficult since multiple users could be using the site from the same IP address (e.g. corporate NAT).

User first tries username 'bob', then username 'sue', then 'steve', etc.

[Java] [.Net] [PHP]

AE2

Multiple Failed Passwords

AuthenticationException

For a single username, multiple bad passwords are entered.

See Popularity is Everything section 4 - Attack-Detection Scenarios for ideas about tracking use of unsuccessful passwords and looking whether these are used against multiple accounts.

User tries username:password combination of 'user:pass1', 'user:pass2', 'user:pass3', etc.

[Java] [.Net] [PHP]

AE3

High Rate of Login Attempts

AuthenticationException

The rate of login attempts becomes too high (possibly indicating an automated login attack).

The threshold should relate to a limit and period appropriate to the application (e.g. total number in a second or minute or hour).

User sends the following login attempts within 1 second - 'user1:pass1', 'user1:pass2', 'user2:pass3', 'user2:pass4'.

[Java] [.Net] [PHP]

AE4

Unexpected Quantity of Characters In Username

AuthenticationException

The user provides a username with a large number of characters.

The user sends a username that is 200 characters long when 6-8 are expected.

[Java] [.Net] [PHP]

AE5

Unexpected Quantity of Characters in Password

AuthenticationException

The user provides a password with a large number of characters.

Higher limits may be required for sites which allow users to have pass phrases.

Example 1: The user sends a password that is 200 characters long, when 5-20 are expected.

Example 2: The user sends a PIN of 30 characters.

[Java] [.Net] [PHP]

AE6

Unexpected Types of Characters in Username

AuthenticationException

The user provides a username which contains characters outwith the expected range.

Any characters below hex value 20 or above 7E are often considered illegal (decimal values of below 32 or above 126).

The user sends a username that contains ASCII non-printable characters such as the NULL byte.

[Java] [.Net] [PHP]

AE7

Unexpected Types of Characters in Password

AuthenticationException

The user provides a password containing characters outwith the expected range.

Examples include null byte, and characters which need the ALT key to be used.

The user sends a password that contains ASCII characters below 20 or above 7E.

[Java] [.Net] [PHP]

AE8

Providing Only the Username

AuthenticationException

The user submits a POST request which only contains the username variable. The password variable has been removed.

This is different from only providing the username in the login form since in that case the password variable would be present and empty.

The user utilizes a proxy tool to remove the password variable from the submitted POST request.

[Java] [.Net] [PHP]

AE9

Providing Only the Password

AuthenticationException

The user submits a POST request which only contains the password variable. The username variable has been removed.

This is different from only providing the password in the login form since in that case the username variable would be present and empty.

The user utilizes a proxy tool to remove the username variable from the submitted POST request.

[Java] [.Net] [PHP]

AE10

Additional POST Variable

AuthenticationException

Additional, unexpected POST variables are received during an authentication request.

The user utilizes a proxy tool to add the POST variable of 'admin=true' to the request.

[Java] [.Net] [PHP]

AE11

Removing POST Variables

AuthenticationException

Expected POST variables are not present within the submitted authentication request.

The user utilizes a proxy tool to remove an additional POST variable, such as 'guest=true', from the POST request.

[Java] [.Net] [PHP]

AE12

Utilization of Common Usernames

AuthenticationException

Common dictionary usernames are used to attempt to log into the application.

Log in attempted with usernames "administrator", then "admin", then "test"

[Java] [.Net] [PHP]

SE1

Modifying Existing Cookies

SessionException

A request is received containing a cookie with a modified value.

This could be determined if the cookie is modified to an illegal value.

Example 1: The user utilizes a proxy tool to change the encrypted cookie to an alternative value which does not properly decode within the application.

Example 2: The user modifies an unencrypted cookie and sets an illegal value for a particular variable.

[Java] [.Net] [PHP]

SE2

Adding New Cookies

SessionException

A request is received which contains additional cookies that are not expected by the application.

A session cookie existing when it should not (e.g. prior to authentication) is probably indicative of an attack. But cookies may also be set by third party sites which get send with the request - these may be harmless. Also consider what other applications exist on sub-domains (e.g. www.example.com, extranet.example.com and sales.example.com) which may also be setting cookies.

The user utilizes a proxy tool to add cookies to the request.

[Java] [.Net] [PHP]

SE3

Deleting Existing Cookies

SessionException

A request is received which does not contain the expected cookies.

The user may have bookmarked a page they had visited during a previous authenticated session.

The user utilizes a proxy tool to remove cookies or portions of cookies from a request.

[Java] [.Net] [PHP]

SE4

Substituting Another User's Valid Session ID or Cookie

SessionException

A request is received which contains cookie data that is clearly from another user or another session.

The user utilizes a proxy tool to substitute valid data from another user or session into the cookie. An example would be changing some sort of identification number within the cookie.

[Java] [.Net] [PHP]

SE5

Source IP Address Changes During Session

SessionException

Valid requests, containing valid session credentials, are received from multiple source IP addresses indicating a possible session hijacking attack.

A full IP address may not be constant for some users during normal use. Enforcing single fixed IP addresses for each session in an intranet application may be valid. However, if the application is accessible over public networks, changing IP address cannot be excluded and it may be more useful to consider fixing just part of the IP address, or looking for more significant changes such as when the user's IP address changes from US to Europe (see Autonomous System Number (ASN)). Note: source port number should not be used in checks since this usually changes very frequently.

User A's session is compromised and User B begins using the account. The requests originating from User B will possibly contain a different source IP address the User A. The source IP addresses could be the same if both users where behind the same NAT.

[Java] [.Net] [PHP]

SE6

Change of User Agent Mid Session

SessionException

The User-Agent value of the header changes during a session. This indicates a different browser is now being used. Although this value is under the control of the sender, a change in this may indicates that the session has been compromised and is being used another individual. This will likely not be the case that the user has simply copied and pasted the URL from one browser to another on the same system because this action would not copy over the appropriate session identifiers.

Optionally also include other HTTP headers in this check. For example, the Accept-Encoding and Accept-Language headers do not normally change and could be concatenated with the User-Agent and hashed to created an identifier.

The ideas described in Panopticlick and Javascript Browser Fingerprinting can also be used to fingerprint a particular client system but require the use of client-side code. Application owners should check the legality of collecting data, and whether it is considered "personal data" which may have additional constraints in some jurisdictions.

Midsession, the UserAgent changes from Firefox to Internet Explorer.

[Java] [.Net] [PHP]

ACE1

Modifying URL Argument Within a GET for Direct Object Access Attempts

AccessControlException

The application is designed to use an identifier for a particular object, such as using categoryID=4 or user=guest within the URL. A user modifies this value in an attempt to access unauthorized information. This exception should be thrown anytime the identifier received from the user is not authorized due to the identifier being nonexistent or the identifier not authorized for that user.

The user modifies the following URL from

example.com/viewpage?page=1&user=guest

to

example.com/viewpage?page=22&user=admin

[Java] [.Net] [PHP]

ACE2

Modifying Parameter Within A POST for Direct Object Access Attempts

AccessControlException

The value of a non-free text html form element (i.e. drop down box, radio button) is modified to an illegal value. The value either does not exist or is not authorized for the user.

The user utilizes a proxy tool to intercept a POST request and changes the submitted value to a value that was not available through the normal display. For example, the user encounters a dropdown box containing the numbers 1 through 10. The user selects 5 and then intercepts the request to change the submitted value to 100.

[Java] [.Net] [PHP]

ACE3

Force Browsing Attempt

AccessControlException

An authenticated or unauthenticated user sends a request for a non-existent resource (e.g. page, directory listing, image, file, etc), or a resource that is not authorized for that user.

Example 1: The user is authenticated and requests site.com/PageThatDoesNotExist

Example 2: The user is authenticated and requests a video they are not authorized to download/view

Example 3: An unauthenticated user (perhaps with a session ID) requests a listing of a directory detailed in the site's robots.txt file

[Java] [.Net] [PHP]

ACE4

Evading Presentation Access Control Through Custom POST

AccessControlException

A POST request is received which is not authorized for the current user and the user could not have performed this action without crafting a custom POST request.

This situation is most likely to occur when presentation layer access controls are in place and have removed the user's ability to initiate the action through the presentation of the application. An attacker may be aware of the functionality and attempt to bypass this presentation layer access control by crafting their own custom message and sending this in an attempt to execute the functionality.

The application contains the ability for an administrator to delete a user. This method is normally invoked by entering the username and submitting to https://oursite/deleteuser Presentation layer access controls ensure the delete user form is not displayed to non-administrator users. A malicious user has access to a non-administrator account and is aware of the delete user functionality. The malicious user sends a custom crafted POST message to https://oursite/deleteuser in an attempt to execute the delete user method.

[Java] [.Net] [PHP]

IE1

Cross Site Scripting Attempt

InputException

The HTTP request contains common XSS attacks which are often used by attackers probing for XSS vulnerabilities.

Detection should be configured to test all GET and POST values as well as all header names and values for the following values.

The user utilizes a proxy tool to add an XSS attack to the header value and the 'displayname' POST variable. The header value could be displayed to an admin viewing log files and the 'displayname' POST variable may be stored in the application and displayed to other users. Note, the following XSS attacks would only be used by an attacker to probe for vulnerability. An actual XSS attack would be customized by the attacker.

<script>alert(document.cookie);</script> <script>alert();</script> alert(String.fromCharCode(88,83,83)) <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <BODY ONLOAD=alert('XSS')>

Cross references:

• OWASP ModSecurity Core Rule Set Project v2.0.5
  • (41) XSS Attacks: Cross-site Scripting (XSS) Attack (67 Rules)
  • (41) XSS Attacks: Cross-site Scripting (XSS) Attack [Paranoid Mode] (Additional 67 Rules)

[Java] [.Net] [PHP]

IE2

Violation Of Implemented White Lists

InputException

The application receives user-supplied data that violates an established white list validation.

See AC3 (Force Browsing Attempts) about requests for non-existent/unauthorised (i.e. not white listed) URLs.

The user submits data that is not correct for the particular field. This may not be attack data necessarily, but repeated violations could be an attempt by the attacker to determine how an application works or to discover a flaw.

[Java] [.Net] [PHP]

IE3

Violation Of Implemented Black Lists

InputException

The application receives user-supplied data that violates an established black list validation.

The application receives user-supplied data that violates an established black list validation. This may not be attack data necessarily, but repeated violations could be an attempt by the attacker to determine how an application works or to discover a flaw or to exploit a flaw. This black list approach suffers from the potential for greater false positives than IE2 above, and cannot be used to identify all potential malicious data.

Example 1: URL in comment field identified as suspected phishing and malware pages using Google Safe Browsing API)

Example 2: Parameter value matches a known SQL injection pattern.

Example 3: Parameter value matches a known XSS pattern.

[Java] [.Net] [PHP]

IE4

Violations Of Implemented Black Lists

InputException

The application receives HTTP header or body parameter values which have been tampered with when no change should have occurred.

Example 1: Hidden form field modified by client.

Example 2: Select list value submitted in response, not sent by server as an available option value.

Example 3: Cookie set by server has been manipulated by the client.

Example 4: Cookie created by client instead of by the server.

[Java] [.Net] [PHP]

IE5

Violation of Stored Business Data Integrity

InputException

User's input leads to violation of data integrity.

Example 1: A user's action leads to a system integrity error when writing to, or updating, a database.

Example 2: Business rule checks detect that a user's action is not compatible.

Example 3: Data accuracy checking detects duplicate records for a user.

[Java] [.Net] [PHP]

IE6

Violation of Security Log Integrity

InputException

Security or audit log tampering detected.

AppSensor may rely on the accuracy of "log" data to make decisions when thresholds are reached. This detector aims to detect the insertion of forged entries, corruption of logs, unauthorised deletion of and changes to records.

See also:

• NIST SP 800-92 Guide to Security Log Management
• Tamper Detection in Audit Logs
• Forensic Tamper Detection in SQL Server

Example 1: Special characters embedded in logged data about a user's activity cause the data to overwrite a previous log entry.

Example 2: Log file integrity is broken by modification to an existing log entry.

[Java] [.Net] [PHP]

EE1

Double Encoded Characters

EncodingException

An HTTP request is received which contains one or more double encoded values.

The user sends encodes the % symbol to %25 and appends 3C. The user is sending %253C which may be interpreted by the application as %3C which is actually <.

[Java] [.Net] [PHP]

EE2

Unexpected Encoding Used

EncodingException

An HTTP request is received which contains values that have encoded in an unexpected format.

The user encodes an attack such as alert(document.cookie) into the UTF-7 format and sends this data the application. This could bypass validation filters and be rendered to a user in certain situations.

Cross references:

• OWASP ModSecurity Core Rule Set Project v2.0.5
  • (20) Protocol Violations: UTF8 Encoding Abuse Attack Attempt (950801)
  • (30) HTTP Policy Enforcement: Request Content Type Is Not Allowed by Policy (960010)

[Java] [.Net] [PHP]

CIE1

Blacklist Inspection for Common SQL Injection Values

CommandInjectionException

A request is received which contains common SQL injection attack attempts.

The point of this detection is not to detect all variations of a SQL injection attack, but to detect the common probes which an attacker or tool might use to determine if a SQL injection vulnerability is present. Unless the site contains some sort of message board for discussing SQL injection, there is little reason that the SQL injection examples should ever be received from a user request.

The user sends a request and modifies a URL parameter from category = 5 to category = 5' OR '1' = '1 in an attempt to perform an SQL injection attack. The user could perform similar attacks by modifying POST variables or even the request headers to contain SQL injection attacks. ' OR '1'='1 ' OR 'a'='a ' OR 1=1-- xp_cmdshell UNION JOIN

Cross references:

• OWASP ModSecurity Core Rule Set Project v2.0.5
  • (41) SQL Injection Attacks: Blind SQL Injection Attack (60 Rules)
  • (41) SQL Injection Attacks: SQL Injection Attack (68 Rules)

[Java] [.Net] [PHP]

CIE2

Detect Abnormal Quantity of Returned Records

CommandInjectionException

A database query is executed which returns more records than expected.

Example 1: A query of a non-SQL dataset should only return 1 record but 100 records are returned.

Example 2: The application is designed to allow a user to maintain 5 profiles. A user makes a request to view all of their profiles. The database SQL query, which is expected to always return 5 or less results, returns 10,000 records. Something in the application, or user's actions, has caused unauthorized data to be returned.

Example 3: Extraction of data from an XML file should only return one matching node, but more than one is returned.

[Java] [.Net] [PHP]

CIE3

Null Byte Character in File Request

CommandInjectionException

A request is received to download a file from the server. The filename requested contains the null byte the file name. This is an attempted OS injection attack.

The user modifies the filename of the requested file to download to contain the null byte. The null byte can be added by inserting the hex value %00.

Cross references:

• OWASP ModSecurity Core Rule Set Project v2.0.5
  • (20) Protocol Violations: Invalid Character in Request (960018)
  • (20) Protocol Violations: Invalid Character in Request [Paranoid Mode] (960901)

[Java] [.Net] [PHP]

CIE4

Carriage Return or Line Feed Character in File Request

CommandInjectionException

A request is received which contains the carriage return or line feed characters within the POST data or the URL parameters. This is an attempted HTTP split response attack.

The user includes the hex value %0D or %0A in the HTTP request POST data or URL parameters.

Cross references:

• OWASP ModSecurity Core Rule Set Project v2.0.5
  • (40) OS Command Injection Attacks: PHP Injection Attack (32 Rules)

[Java] [.Net] [PHP]

FIO1

Detect Large Individual File

FileIOException

A file upload feature detects that a large file has been submitted for upload which exceeds the maximum upload size.

The user attempts to upload a large file to occupy resources or fill up disk space.

[Java] [.Net] [PHP]

FIO2

Detect Large Number of File Uploads

FileIOException

A user uploads an excessively large number of files.

The limit and period used to determine the threshold rate is application dependent, and may also depend on the user's role.

A single user attempts to upload multiple small files to occupy resources or fill up disk space.

[Java] [.Net] [PHP]

HT1

Alteration to Honey Trap Data

HoneyTrap

Fake (not otherwise needed by the application) data sent to the user and returned (e.g. as form, URL, cookie values or in the path or HTTP header) is modified. This is usually combined with making the name or value a tempting item for an attacker to try modifying.

Similar techniques can also be used for the creation of accessible CAPTCHA.

See also ideas at http://blogs.sans.org/appsecstreetfighter/2009/06/04/my-top-6-honeytokens/

Example 1: Otherwise useless hidden fields, which look like potential vulnerabilities, added to some forms are sent back to the server modified (e.g. <input type="hidden" name="admin" value="false" />).

Example 2: An additional URL parameter, which is not used by the application, is modified by the user (e.g. www.example.com/account.jsp?debug=0).

Example 3: An additional fake cookie is added and is modified by the user.

Example 4: URL rewriting is used and a fake directory name is added; this is modified by the user (e.g. www.example.com/orders/normaluser/display.php).

[Java] [.Net] [PHP]

HT2

Honey Trap Resource Requested

HoneyTrap

A purposely leaked resource that has no use in normal application use is requested by a user.

Ensure the resource is not linked from normal application content such that a spider or robot might find the resource in any case.

Example 1: Page, directory or other resource listed in the application's robots.txt robots exclusion file is requested by the user.

Example 2: URL identified only in HTML comments is requested by the user.

Example 3: Unexposed server function call included in Flash file source code is requested by the user.

[Java] [.Net] [PHP]

HT3

Honey Trap Data Used

HoneyTrap

Special data sent or accessed by a user.

For honey trap data that is detected on egress only, use of outbound content monitoring (e.g. a web appication firewall or similar technique) may be helpful.

Example 1: Fake user name and password only visible in source HTML code used to attempt to log in to the application (e.g. in HTML comments, in server-side code 'accidentally' delivered to the user).

Example 2: A special code number or account name is left in a discussion forum site; this is then used in the application.

Example 3: An attempt is made to authenticate with the user name listed in the first row (e.g. ID=1) of the application's database table of Users.

Example 4: Data from a fake account record is sent by the server and detected; this record should not normally be accessible by anyone using the application.

[Java] [.Net] [PHP]

UT1

Irregular Use of Application

UserTrendException

The application receives numerous requests for the same page or feature from a user. The user may be sending different data combinations or trying to detect errors in the page.

Example 1: The user requests a particular page, such as the address update page, numerous times.

Example 2: The user requests a page out-of-sequence, such as an intermediate step in a multi-stage form.

[Java] [.Net] [PHP]

UT2

Speed of Application Use