OWASP AppSensor Project/Preventing Automated Attacks
Introduction
Preventing Automated Attacks - This project will be a study of current techniques to thwart automated attacks against applications. Within this project we will identify and evaluate the various automated attacks that face applications and the current defensive practices used to mitigate these risks. The deliverable will be well-documented knowledge and best practices.
Formatting
The format of this page will evolve as the material and structure takes form.
Mailing List Discussion
This project is discussed on the AppSensor project mailing list.
Technical Notes & Preliminary Research
Techniques & Resources to evaluate
- Hashcash - http://en.wikipedia.org/wiki/Hashcash
- https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
- https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
- http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation
Defenses
Goals
- Identify available and theoretical defenses for automated attacks
- Capture the costs of each approach - user experience, implementation costs, ongoing maintenance etc
- Capture the efficacy of each approach
- Capture attacks on the defensive system itself
CAPTCHA
Most often implemented as a visual test that should be easy for a human to solve but difficult for a bot. reCAPTCHA is one popular CAPTCHA.
- Costs
- User Experience
- Implementation Costs
- Ongoing Maintenance
- Efficacy
- Attacks on Defensive System
Fingerprinting / IP Reputation
- Costs
- User Experience
- Implementation Costs
- Ongoing Maintenance
- Efficacy
- Attacks on Defensive System
IP Blocking
- Costs
- User Experience
- Implementation Costs
- Ongoing Maintenance
- Efficacy
- Attacks on Defensive System
Action Thresholds
- Costs
- User Experience
- Implementation Costs
- Ongoing Maintenance
- Efficacy
- Attacks on Defensive System
Human Log Analysis
The most primitive approach to handling automated attackers is to review logs of activity and undo any malicious actions performed.
- Costs
- User Experience - None
- Implementation Costs - A robust logging system must be in place. The standard logging capabilities provided by the application server provide minimal information. Consider adding detailed application logging that captures the actions taken by each user within the application.
- Ongoing Maintenance -
- Efficacy -
- Attacks on Defensive System
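The Action Thresholds and Human Log Analysis approaches above can be combined: the sliding-window detector below, an added example that is not code from the AppSensor project, parses constructed application log lines (hypothetical line format and user names) and flags any user who performs a given action more than a limit number of times within a time window, which is the kind of check a reviewer would otherwise perform by hand over the detailed application logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format:
# "<ISO timestamp> user=<id> action=<name>" (not from any real system).
SAMPLE_LOG = """\
2024-01-10T12:00:00 user=alice action=login
2024-01-10T12:00:05 user=alice action=view_profile
2024-01-10T12:00:01 user=bot7 action=password_reset
2024-01-10T12:00:02 user=bot7 action=password_reset
2024-01-10T12:00:03 user=bot7 action=password_reset
2024-01-10T12:00:04 user=bot7 action=password_reset
2024-01-10T12:00:05 user=bot7 action=password_reset
2024-01-10T12:00:06 user=bot7 action=password_reset
2024-01-10T12:05:00 user=carol action=password_reset
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$")

def parse_log(text):
    """Yield (timestamp, user, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["action"]

def find_threshold_violations(events, action, limit, window):
    """Return {user: timestamp at which the limit was first exceeded} for
    users performing `action` more than `limit` times within any `window`."""
    recent = defaultdict(deque)   # user -> timestamps of recent matching actions
    flagged = {}
    for ts, user, act in sorted(events):  # sorted: log lines may be out of order
        if act != action or user in flagged:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events outside the sliding window
            q.popleft()
        if len(q) > limit:
            flagged[user] = ts
    return flagged

def analyse(text=SAMPLE_LOG, action="password_reset", limit=3, window=timedelta(seconds=60)):
    return find_threshold_violations(parse_log(text), action, limit, window)

if __name__ == "__main__":
    for user, when in analyse().items():
        print(f"{user}: exceeded threshold at {when.isoformat()}")
```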