Top 10 2017-A7-Insufficient Attack Protection

 Consider anyone with network access can send your application a request. Does your application detect and respond to both manual and automated attacks?  Attackers, known users or anonymous, send in attacks. Does the application or API detect the attack? How does it respond? Can it thwart attacks against known vulnerabilities?  Applications and APIs are attacked all the time. Most applications and APIs detect invalid input, but simply reject it, letting the attacker attack again and again. Such attacks indicate a malicious or compromised user probing or exploiting vulnerabilities. Detecting and blocking both manual and automated attacks, is one of the most effective ways to increase security. How quickly can you patch a critical vulnerability you just discovered?  Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of successful exploit to 100%. Not quickly deploying patches aids attackers.  Consider the impact of insufficient attack protection on the business. Successful attacks may not be prevented, go undiscovered for long periods of time, and expand far beyond their initial footprint.

Detecting, responding to, and blocking attacks makes applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.

It should be very obvious if attack detection and response isn’t in place. Simply try manual attacks or run a scanner against the application. The application or API should identify the attacks, block any viable attacks, and provide details on the attacker and characteristics of the attack. If you can’t quickly roll out virtual and/or actual patches when a critical vulnerability is discovered, you are left exposed to attack.

Be sure to understand what types of attacks are covered by attack protection. Is it only XSS and SQL Injection? You can use technologies like WAFs, RASP, and OWASP AppSensor to detect or block attacks, and/or virtually patch vulnerabilities.

There are three primary goals for sufficient attack protection:
 * 1) Detect Attacks: Did something occur that is impossible for legitimate users to cause (e.g., an input a legitimate client can’t generate)? Is the application being used in a way that an ordinary user would never do (e.g., tempo too high, atypical input, unusual usage patterns, repeated requests)?
 * 2) Respond to Attacks: Logs and notifications are critical to timely response. Decide whether to automatically block requests, IP addresses, or IP ranges. Consider disabling or monitoring misbehaving user accounts.
 * 3) Patch Quickly: If your dev process can’t push out critical patches in a day, deploy a virtual patch that analyzes HTTP traffic, data flow, and/or code execution and prevents vulnerabilities from being exploited.

Scenario #1: Attacker uses automated tool like OWASP ZAP or SQLMap to detect vulnerabilities and possibly exploit them. Attack detection should recognize the application is being targeted with unusual requests and high volume. Automated scans should be easy to distinguish from normal traffic.

Scenario #2: A skilled human attacker carefully probes for potential vulnerabilities, eventually finding an obscure flaw.

While more difficult to detect, this attack still involves requests that a normal user would never send, such as input not allowed by the UI. Tracking this attacker may require building a case over time that demonstrates malicious intent.

Scenario #3: Attacker starts exploiting a vulnerability in your application that your current attack protection fails to block.

How quickly can you deploy a real or virtual patch to block continued exploitation of this vulnerability?


 * OWASP Article on Intrusion Detection
 * OWASP AppSensor
 * OWASP Automated Threats Project
 * OWASP Credential Stuffing Cheat Sheet
 * OWASP Virtual Patching Cheat Sheet
 * OWASP Mod Security Core Ruleset


 * WASC Article on Insufficient Anti-automation
 * CWE Entry 778 - Insufficient Logging
 * CWE Entry 799 - Improper Control of Interaction Frequency