Category:OWASP AppSensor Project

{{ProjectTabs | Proj_About= {{:Project Information:template AppSensor Project}}



Proj_Documentation=

AppSensor Overview
If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!

As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.

In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application

Is this hard?
No, simple checks are used to detect malicious activity. A security exception is then thrown and the AppSensor/ESAPI framework takes care of the rest.

Get AppSensor
Download the AppSensor book for free at lulu.com

Order a printed version for under $10 lulu.com



Proj_Contributors=



Proj_Mail= Next Presentation: OWASP AppSec DC - Thursday, November 12, 2009

Demo: The AppSensor project will soon be releasing a working demo. This web application will include a working example of the AppSensor detection points integrated with ESAPI. Stay tuned for more.

Project Roadmap
July, 2010 - Active ESAPI Integration Underway!

November, 2009 OWASP DC, November 2009

Current: v1.2 in the works, demo application in development

May, 2009 - AppSec EU Poland - Presentation (PPT) (Video)

January, 2009 - v1.1 Released - Beta Status

November, 2008 - AppSensor Talk at OWASP Portugal

November, 2008 - v1.0 Released - Beta Status

April 16, 2008 - Project Begins

Detection Points
Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

Full info found Here 

Legend:

RE - Request

AE - Authentication

SE - Session

ACE - Acess Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

UT - User Trend

STE - System Trend

Signature Based Events

ID Event

RE1 Unexpected HTTP Commands

RE2 Attempts To Invoke Unsupported HTTP Methods

RE3 GET When Expecting POST

RE4 POST When Expecting GET

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate Of Login Attempts

AE4 Unexpected Quantity Of Characters In Username

AE5 Unexpected Quantity Of Characters In Password

AE6 Unexpected Types Of Characters In Username

AE7 Unexpected Types Of Characters In Password

AE8 Providing Only The Username

AE9 Providing Only The Password

AE10 Adding Additional POST Variables

AE11 Removing POST Variables

SE1 Modifying Existing Cookies

SE2 Adding New Cookies

SE3 Deleting Existing Cookies

SE4 Substituting Another User's Valid Session ID Or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Arguments Within A GET For Direct Object Access Attempts

ACE2 Modifying Parameters Within A POST For Direct Object Access Attempts

ACE3 Force Browsing Attempts

ACE4 Evading Presentation Access Control Through Custom Posts

IE1 Cross Site Scripting Attempt

IE2 Violations Of Implemented White Lists

EE1 Double Encoded Characters

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection For Common SQL Injection Values

CIE2 Detect Abnormal Quantity Of Returned Records.

CIE3 Null Byte Character In File Request

CIE4 Carriage Return Or Line Feed Character In File Request

FIO1 Detect Large Individual Files

FIO2 Detect Large Number Of File Uploads

Behavior Based Events

UT1 Irregular Use Of Application

UT2 Speed Of Application Use

UT3 Frequency Of Site Use

UT4 Frequency Of Feature Use

STE1 High Number Of Logouts Across The Site

STE2 High Number Of Logins Across The Site

STE3 High Number Of Same Transaction Across The Site

Media
November, 2009 - AppSec DC - Defend Yourself: Integrating Real Time Defenses into Online Applications

May, 2009 - OWASP Podcast #51

May, 2009 - AppSec EU Poland - Real Time Defenses against Application Worms and Malicious Attackers

November, 2008 - OWASP Summit Portugal 2008 PPT

Video Demos of AppSensor

Detecting Multiple Attacks & Logging Out Attacker

Detecting XSS Probes

Detecting URL Tampering

Detecting Verb Tampering

}}