This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10 2017-A7-Insufficient Attack Protection"

From OWASP
Jump to: navigation, search
(Top 10 2017 RC1: A7 Insufficient Attack Protection)
(Set parameters in Top_10:SummaryTableTemplate)
Line 15: Line 15:
  
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
 
{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2017|language=en}}
  {{Top_10:SummaryTableTemplate|exploitability=2|prevalence=3|detectability=1|impact=2|year=2017|language=en}}
+
  {{Top_10:SummaryTableTemplate|exploitability=1|prevalence=2|detectability=2|impact=2|year=2017|language=en}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
 
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2017}}
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>
 
     <td {{Template:Top 10 2010:SummaryTableRowStyleTemplate|year=2017}}>

Revision as of 21:08, 22 April 2017

← A6-Security Misconfiguration
2017 Table of Contents

PDF version

A8-Insecure Deserialization →
Threat Agents / Attack Vectors Security Weakness Impacts
App Specific Exploitability
EASY		 Prevalence
COMMON		 Detectability
AVERAGE		 Impact
MODERATE		 Business ?

Consider anyone with network access can send your application a request. Does your application detect and respond to both manual and automated attacks?

Attackers, known users or anonymous, send in attacks. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities?

Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Detecting and blocking both manual and automated attacks, is one of the most effective ways to increase security. How quickly can you patch a critical vulnerability you just discovered?

Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to 100%. Not quickly deploying patches aids attackers.

Consider the impact of insufficient attack protection on the business. Successful attacks may not be prevented, go undiscovered for long periods of time, and expand far beyond their initial footprint.

Am I Vulnerable To 'Cross-Site Scripting (XSS)'?

Detecting, responding to, and blocking attacks makes applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.

It should be very obvious if attack detection and response isn’t in place. Simply try manual attacks or run a scanner against the application. The application or API should identify the attacks, block any viable attacks, and provide details on the attacker and characteristics of the attack. If you can’t quickly roll out virtual and/or actual patches when a critical vulnerability is discovered, you are left exposed to attack.

Be sure to understand what types of attacks are covered by attack protection. Is it only XSS and SQL Injection? You can use technologies like WAFs, RASP, and OWASP AppSensor to detect or block attacks, and/or virtually patch vulnerabilities.

How Do I Prevent 'Cross-Site Scripting (XSS)'?

There are three primary goals for sufficient attack protection:

  1. Detect Attacks: Did something occur that is impossible for legitimate users to cause (e.g., an input a legitimate client can’t generate)? Is the application being used in a way that an ordinary user would never do (e.g., tempo too high, atypical input, unusual usage patterns, repeated requests)?
  2. Respond to Attacks: Logs and notifications are critical to timely response. Decide whether to automatically block requests, IP addresses, or IP ranges. Consider disabling or monitoring misbehaving user accounts.
  3. Patch Quickly: If your dev process can’t push out critical patches in a day, deploy a virtual patch that analyzes HTTP traffic, data flow, and/or code execution and prevents vulnerabilities from being exploited.
Example Attack Scenarios

Scenario #1: Attacker uses automated tool like OWASP ZAP or SQLMap to detect vulnerabilities and possibly exploit them. Attack detection should recognize the application is being targeted with unusual requests and high volume. Automated scans should be easy to distinguish from normal traffic.

Scenario #2: A skilled human attacker carefully probes for potential vulnerabilities, eventually finding an obscure flaw.

While more difficult to detect, this attack still involves requests that a normal user would never send, such as input not allowed by the UI. Tracking this attacker may require building a case over time that demonstrates malicious intent.

Scenario #3: Attacker starts exploiting a vulnerability in your application that your current attack protection fails to block.

How quickly can you deploy a real or virtual patch to block continued exploitation of this vulnerability?

References

OWASP

External

← A6-Security Misconfiguration
2017 Table of Contents

PDF version

A8-Insecure Deserialization →
© 2002-2017 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
Retrieved from "https://wiki.owasp.org/index.php?title=Top_10_2017-A7-Insufficient_Attack_Protection&oldid=229001"