Introduction

Preventing Automated Attacks - This project will be a study of current techniques to thwart automated attacks against application. Within this project we will identify and evaluate various automated attacks that face applications and the current defensive practices to mitigate these risks. The deliverable will be well documented knowledge and best practices.

Formatting

The format of this page will evolve as the material and structure takes form.

Mailing List Discussion

This project is discussed within the AppSensor project mailing list

Technical Notes & Preliminary Research

Techniques & Resources to evaluate

• Hashcash - http://en.wikipedia.org/wiki/Hashcash
• https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
• https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
• http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation

Defenses

CAPTCHA

• Weaknesses of Approach / Attacks on Defensive System
  • http://news.bbc.co.uk/2/hi/technology/7067962.stm
  • http://www.cs.sfu.ca/%7Emori/research/gimpy/
  • http://alwaysmovefast.com/2007/11/21/cracking-captchas-for-fun-and-profit/
  • http://caca.zoy.org/wiki/PWNtcha

Fingerprinting / IP Reputation

IP Blocking

Action Thresholds

News Stories

• http://www.zdnet.com/github-hardens-defenses-in-wake-of-password-attack-7000023528/
• http://www.dailydot.com/news/time-person-of-the-year-miley-cyrus-rigged/