
Difference between revisions of "OWASP AppSensor Project/Preventing Automated Attacks"

Sections edited in this revision: CAPTCHA; Fingerprinting / IP Reputation.

Change summary: the former "=== Fingerprinting / IP Reputation ===" heading was split into two headings. "=== Device Fingerprinting ===" gains a new "Information about the approach" bullet linking to Wikipedia (http://en.wikipedia.org/wiki/Device_fingerprint), followed by the existing Costs / User Experience ... Attacks on Defensive System bullets; "=== IP Reputation ===" is added as its own heading ahead of the unchanged "=== IP Blocking ===" heading. The CAPTCHA section's link to Testing_for_Captcha_(OWASP-AT-012) is unchanged.

Revision as of 16:42, 17 April 2014

Introduction

Preventing Automated Attacks - This project is a study of current techniques for thwarting automated attacks against applications. Within this project we will identify and evaluate the various automated attacks that applications face and the current defensive practices used to mitigate them. The deliverable will be well-documented knowledge and best practices.

Formatting

The format of this page will evolve as the material and structure takes form.

Mailing List Discussion

This project is discussed on the AppSensor project mailing list.


Technical Notes & Preliminary Research

Techniques & Resources to evaluate

Defenses

Goals

  • Identify available and theoretical defenses for automated attacks
  • Capture the costs of each approach - user experience, implementation costs, ongoing maintenance etc
  • Capture the efficacy of each approach
  • Capture attacks on defensive System


CAPTCHA

Most often implemented as a visual challenge that is easy for a human to solve but difficult for a bot. reCAPTCHA is one popular implementation.

  • OWASP Testing Guide: Testing_for_Captcha_(OWASP-AT-012)

Device Fingerprinting

  • Information about the approach
    • Wikipedia http://en.wikipedia.org/wiki/Device_fingerprint
  • Costs
    • User Experience
    • Implementation Costs
    • Ongoing Maintenance
  • Efficacy
  • Attacks on Defensive System

IP Reputation

IP Blocking

  • Costs
    • User Experience
    • Implementation Costs
    • Ongoing Maintenance
  • Efficacy
  • Attacks on Defensive System

Action Thresholds

  • Costs
    • User Experience
    • Implementation Costs
    • Ongoing Maintenance
  • Efficacy
  • Attacks on Defensive System

Human Log Analysis

The simplest, entirely manual approach to handling automated attackers is for a person to review the activity logs after the fact and undo any malicious actions that were performed.

  • Costs
    • User Experience - None
    • Implementation Costs - A robust logging system must be in place. The application server's default logs (request lines, status codes, timestamps) capture very little of what a user actually did. Consider adding detailed application-level logging that records the actions each user takes within the application, including who did it, from where, and when.
    • Ongoing Maintenance -
  • Efficacy -
  • Attacks on Defensive System
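The following is an added example for the Action Thresholds and Human Log Analysis sections above; it is not code from the AppSensor project or from the original page. It runs a simple sliding-window action threshold over detailed application log lines of the kind the Implementation Costs note calls for. The log line format, the field names (ip, user, action), the threshold (more than 3 login failures from one source within 60 seconds) and the sample log are all assumptions chosen for this illustration. The sample is built so that grouping by user finds nothing while grouping by source IP does, which is the kind of result that feeds an IP Blocking decision.

```python
"""Action-threshold detection over application log lines.

Added example for the Action Thresholds and Human Log Analysis sections;
not code from the AppSensor project or the original page. The log line
format, the field names (ip, user, action), the threshold values and the
sample data are all assumptions chosen for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample application log, not captured from any real system.
# One source IP (203.0.113.5) cycles through several usernames, so each
# account fails only a few times: a per-user threshold misses the pattern,
# a per-IP threshold catches it.
SAMPLE_LOG = """\
2014-04-17T16:42:00Z ip=203.0.113.5 user=alice action=login_failure
2014-04-17T16:42:02Z ip=203.0.113.5 user=alice action=login_failure
2014-04-17T16:42:03Z ip=203.0.113.5 user=bob action=login_failure
2014-04-17T16:42:05Z ip=203.0.113.5 user=carol action=login_failure
2014-04-17T16:42:10Z ip=198.51.100.7 user=dave action=login_success
2014-04-17T16:42:30Z ip=198.51.100.7 user=dave action=view_profile
2014-04-17T16:44:00Z ip=203.0.113.5 user=alice action=login_failure
2014-04-17T16:44:01Z ip=203.0.113.5 user=erin action=login_failure
2014-04-17T16:44:02Z ip=203.0.113.5 user=frank action=login_failure
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict.

    The timestamp is stored as a datetime under 'ts'; every other field is
    kept as a string under its own key. A field without '=' is stored with
    an empty value rather than raising, so one odd line does not abort the
    whole review.
    """
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_threshold_breaches(log_text, action="login_failure", group_by="ip",
                              max_events=3, window=timedelta(seconds=60)):
    """Return one record per burst of more than max_events `action` events
    from the same `group_by` value inside a sliding `window`.

    Events are read in log order. For each key a deque holds the
    (timestamp, user) pairs still inside the window; entries that have aged
    out are dropped before the count is compared with the threshold. After
    a breach the deque is cleared, so a sustained burst yields one record
    instead of one per additional event, keeping the alert volume (and the
    ongoing-maintenance cost of reviewing it) bounded.
    """
    recent = defaultdict(deque)
    breaches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event.get("action") != action:
            continue
        key = event.get(group_by)
        if key is None:
            continue
        window_events = recent[key]
        window_events.append((event["ts"], event.get("user", "")))
        # Drop entries that have fallen out of the sliding window.
        while window_events and event["ts"] - window_events[0][0] > window:
            window_events.popleft()
        if len(window_events) > max_events:
            breaches.append({
                group_by: key,
                "action": action,
                "count": len(window_events),
                "users": sorted({user for _, user in window_events}),
                "at": event["ts"],
            })
            window_events.clear()
    return breaches


if __name__ == "__main__":
    for breach in detect_threshold_breaches(SAMPLE_LOG):
        print(breach)
    # A per-user rule with the same threshold finds nothing in this sample.
    print(detect_threshold_breaches(SAMPLE_LOG, group_by="user"))
```

The choice of grouping key is the whole game here: the same threshold applied per account sees at most three failures spread over two minutes, while applied per source IP it sees four distinct-username failures in five seconds. A reviewer doing human log analysis has to make that same choice by eye, which is why the detailed per-action, per-user, per-source fields in the log matter more than the volume of lines.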

News Stories