OWASP AppSensor Project/Preventing Automated Attacks

=Introduction= Preventing Automated Attacks - This project will be a study of current techniques to thwart automated attacks against application. Within this project we will identify and evaluate various automated attacks that face applications and the current defensive practices to mitigate these risks. The deliverable will be well documented knowledge and best practices.

= Formatting = The format of this page will evolve as the material and structure takes form.

= Mailing List Discussion = This project is discussed within the AppSensor project mailing list

= Technical Notes & Preliminary Research =

Techniques & Resources to evaluate

 * Hashcash - http://en.wikipedia.org/wiki/Hashcash
 * https://www.owasp.org/index.php/Business_Logic_Security_Cheat_Sheet
 * https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
 * http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation

Defenses
Goals
 * Identify available and theoretical defenses for automated attacks
 * Capture the costs of each approach - user experience, implementation costs, ongoing maintenance etc
 * Capture the efficacy of each approach
 * Capture attacks on defensive System

CAPTCHA
Most often implemented as a visual test that should be easy to be solved by a human but difficult to solve by a bot. reCaptcha is one popular captcha.


 * Costs
 * User Experience
 * "Analysis of the resulting data reveals that captchas are often difficult for humans, with audio captchas being particularly problematic." - Stanford Study "How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation"
 * Implementation Costs
 * Ongoing Maintenance


 * Efficacy
 * "Turns out that this new algorithm can also be used to read CAPTCHA puzzles—we found that it can decipher the hardest distorted text puzzles from reCAPTCHA with over 99% accuracy. This shows that the act of typing in the answer to a distorted image should not be the only factor when it comes to determining a human versus a machine." source
 * Study by google http://arxiv.org/abs/1312.6082
 * Attacks on Defensive System
 * http://news.bbc.co.uk/2/hi/technology/7067962.stm
 * http://www.cs.sfu.ca/%7Emori/research/gimpy/
 * http://alwaysmovefast.com/2007/11/21/cracking-captchas-for-fun-and-profit/
 * http://caca.zoy.org/wiki/PWNtcha


 * Other OWASP resources on CAPTCHAs
 * Testing_for_Captcha_(OWASP-AT-008)
 * Testing_for_Captcha_(OWASP-AT-012)

Device Fingerprinting

 * Information about the approach
 * Wikipedia http://en.wikipedia.org/wiki/Device_fingerprint
 * Costs
 * User Experience
 * Implementation Costs
 * Ongoing Maintenance


 * Efficacy


 * Attacks on Defensive System

IP Blocking

 * Costs
 * User Experience
 * Implementation Costs
 * Ongoing Maintenance


 * Efficacy


 * Attacks on Defensive System

Action Thresholds

 * Costs
 * User Experience
 * Implementation Costs
 * Ongoing Maintenance


 * Efficacy


 * Attacks on Defensive System

Human Log Analysis
The most primitive approach to handling automated attackers is to review logs of activity and undo any malicious actions performed.


 * Costs
 * User Experience - None
 * Implementation Costs - Robust logging system must be in place. Standard logging capabilities provided by the application server would provide minimal information. Consider adding detailed application logging that captures actions taken by the user within the application.
 * Ongoing Maintenance -


 * Efficacy -


 * Attacks on Defensive System

News Stories

 * http://www.zdnet.com/github-hardens-defenses-in-wake-of-password-attack-7000023528/
 * http://www.dailydot.com/news/time-person-of-the-year-miley-cyrus-rigged/