Difference between revisions of "AppSensor DetectionPoints"

From OWASP
Jump to: navigation, search
(RE4: POST When Expecting GET: RE5 and RE6 added)
(ACE3: Force Browsing Attempts: Description altered to make it more generic i.e. not just pages and not just authenticated users; examples expaned)
Line 955: Line 955:
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >description</td>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >description</td>
 
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
An authenticated user sends a request for a non-existent page or a page that is not authorized for the user.
+
An authenticated or unauthenticated user sends a request for a non-existent resource (e.g. page, directory listing, image, file, etc), or a resource that is not authorized for that user.
 
</td></tr>
 
</td></tr>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >consideration</td>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >consideration</td>
Line 963: Line 963:
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >examples</td>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >examples</td>
 
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
 
<td style="background-color:#F2F2F2;table-layout:fixed;width:700px;" >
The user is authenticated and requests site.com/PageThatDoesNotExist
+
Example 1: The user is authenticated and requests site.com/PageThatDoesNotExist
 +
 
 +
Example 2: The user is authenticated and requests a video they are not authorized to download/view
 +
 
 +
Example 3: An unauthenticated user (perhaps with a session ID) requests a listing of a directory detailed in the site's robots.txt file
 
</td></tr>
 
</td></tr>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >code</td>
 
<tr><td style="border-style:solid;border-width:1px;background-color:#CCCCCC;text-transform:uppercase " >code</td>

Revision as of 10:58, 30 June 2010

Contents

About This Document

These detection points are part of the OWASP AppSensor project which advocates bringing intelligent intrusion detection inside the application. These detection points can be used to identify a malicious user that is probing for vulnerabilities or weaknesses within your application.

Read more about why application logging is the way to go.

RequestException

RE1: Unexpected HTTP Commands

id

RE1

title

Unexpected HTTP Commands

category

RequestException

description

An HTTP request is received which contains unexpected commands. A list of accepted commands should be generated (i.e. GET and POST) and all other HTTP commands should generate an event.

consideration
examples

Instead of a GET or POST request, the user sends a TRACE request to the application.

Cross references:

code

[Java] [.Net] [PHP]

RE2: Attempts To Invoke Unsupported HTTP Methods

id

RE2

title

Attempts To Invoke Unsupported HTTP Methods

category

RequestException

description

An http request is received which contains a non-existent HTTP command (does not match anything in this list: HEAD,GET,POST,PUT,DELETE,TRACE,OPTIONS,CONNECT)

consideration
examples

Instead of a GET or POST request, the user sends a TEST request to the application (TEST is not a valid http request)

code

[Java] [.Net] [PHP]

RE3: GET When Expecting POST

id

RE3

title

GET When Expecting POST

category

RequestException

description

A page which is expecting only POST requests, receives a GET.

consideration
examples

The user sends a GET request to a page which has only been used for POSTs

code

[Java] [.Net] [PHP]

RE4: POST When Expecting GET

id

RE4

title

POST When Expecting GET

category

RequestException

description

A page which is expecting only GET requests, receives a POST

consideration
examples

The user uses a proxy tool to build a custom POST request and sends it to a page which has been accessed by GET requests.

code

[Java] [.Net] [PHP]

RE5: Additional/Duplicated Data in Request

id

RE5

title

Additional/Duplicated Data in Request

category

RequestException

description

Additional unexpected parameters or HTTP headers, or duplicates, are received with the request.

consideration

Additional parameters may be an attempt to override values or to exploit unexposed functionality. Duplicated parameters may be an indication of attempted HTTP parameter pollution.

Beware of firing this detector when additional cookies, not used by the application, are found (as opposed to duplicated cookies) since these may relate to third-party code (e.g. advertisements, analytics) or some other application.

Note that extra HTTP headers may be added by intermediate proxies, and unless the network configuration is fixed (an internal network perhaps), additional headers cannot be controlled and thus cannot be used to infer existence of a potential attacker.

examples

Example 1: Additional form or URL parameters submitted with request (e.g. debug=1, servervariable=2000)

Example 2: A parameter is defined more than once in the URL Query String

Example 3: An HTTP header is duplicated

Example 4: An additional HTTP header is found

code

[Java] [.Net] [PHP]

RE6: Data Missing from Request

id

RE6

title

Data Missing from Request

category

RequestException

description

Expected parameters or HTTP headers are missing from the request.

consideration

Bookmarking and use of a browser's "back button" can lead to requests without the expected parameters.

examples

Example 1: A page is requested without any of the required form paramaters.

Example 2: The HTTP-Accept header is not present in a request.

code

[Java] [.Net] [PHP]

AuthenticationException

AE1: Use Of Multiple Usernames

id

AE1

title

Use Of Multiple Usernames

category

AuthenticationException

description

Multiple usernames are attempted when logging into the application. The assignment of login attempts to a user can be based off of a sessionID given to the user when they visit the website. Correlating based on IP address is difficult since multiple users could be using the site from the same IP address (e.g. corporate NAT)

consideration
examples

User first tries username bob, then username sue, then steve etc

code

[Java] [.Net] [PHP]

AE2: Multiple Failed Passwords

id

AE2

title

Multiple Failed Passwords

category

AuthenticationException

description

For a single username, multiple bad passwords are entered

consideration
examples

User tries username:password combination of user:pass1, user:pass2, user:pass3, etc

code

[Java] [.Net] [PHP]

AE3: High Rate Of Login Attempts

id

AE3

title

High Rate Of Login Attempts

category

AuthenticationException

description

The number of logins sent per minute becomes too high indicating an automated login attack

consideration
examples

User sends the following login attempts within 1 second. user1:pass1, user1:pass2, user2:pass3, user2:pass4

code

[Java] [.Net] [PHP]

AE4: Unexpected Quantity Of Characters In Username

id

AE4

title

Unexpected Quantity Of Characters In Username

category

AuthenticationException

description

The user provides a username with a large number of characters

consideration
examples

The user sends a username that is 200 characters long

code

[Java] [.Net] [PHP]

AE5: Unexpected Quantity Of Characters In Password

id

AE5

title

Unexpected Quantity Of Characters In Password

category

AuthenticationException

description

The user provides a password with a large number of characters

consideration
examples

The user sends a password that is 200 characters long

code

[Java] [.Net] [PHP]

AE6: Unexpected Types Of Characters In Username

id

AE6

title

Unexpected Types Of Characters In Username

category

AuthenticationException

description

The user provides non-printable characters such as the null byte. Any characters below hex value 20 or above 7E are considered illegal (decimal values of below 32 or above 126)

consideration
examples

The user sends a username that contains ascii characters below 20 or above 7E

code

[Java] [.Net] [PHP]

AE7: Unexpected Types Of Characters In Password

id

AE7

title

Unexpected Types Of Characters In Password

category

AuthenticationException

description

The user provides characters such as the null byte, alt-characters, (WHAT IS THE NAME FOR THOSE)

consideration
examples

The user sends a password that contains ascii characters below 20 or above 7E

code

[Java] [.Net] [PHP]

AE8: Providing Only The Username

id

AE8

title

Providing Only The Username

category

AuthenticationException

description

The user submits a post request which only contains the username variable. The password variable has been removed. This is different from only providing the username in the login form since in that case the password variable would be present and empty.

consideration
examples

The user uses a proxy tool to remove the password variable from the submitted post request.

code

[Java] [.Net] [PHP]

AE9: Providing Only The Password

id

AE9

title

Providing Only The Password

category

AuthenticationException

description

The user submits a post request which only contains the password variable. The username variable has been removed. This is different from only providing the password in the login form since in that case the username variable would be present and empty.

consideration
examples

The user uses a proxy tool to remove the username variable from the submitted post request.

code

[Java] [.Net] [PHP]

AE10: Adding Additional POST Variables

id

AE10

title

Adding Additional POST Variables

category

AuthenticationException

description

Additional, unexpected post variables are received during an authentication request.

consideration
examples

The user uses a proxy tool to add the additional post variable of admin=true to the post request

code

[Java] [.Net] [PHP]

AE11: Removing POST Variables

id

AE11

title

Removing POST Variables

category

AuthenticationException

description

Expected post variables are not present within the submitted authentication requests

consideration
examples

The user uses a proxy tool to remove an additional post variable, such as guest=true, from the post request

code

[Java] [.Net] [PHP]

AE12: Utilization of Common User Names

id

AE12

title

Utilization of Common User Names

category

AuthenticationException

description

Common dictionary user names are used to attempt to log into the application.

consideration
examples

Log in attempted with username "administrator", "admin" or "test"

code

[Java] [.Net] [PHP]

SessionException

SE1: Modifying Existing Cookies

id

SE1

title

Modifying Existing Cookies

category

SessionException

description

A request is received containing a cookie with a modified value. This could be determined if the cookie is modified to an illegal value.

consideration
examples

The user uses a proxy tool to change the encrypted cookie to an alternative value which does not properly decode within the application. Or, the user modifies an unencrypted cookie and sets an illegal value for a particular variable.

code

[Java] [.Net] [PHP]

SE2: Adding New Cookies

id

SE2

title

Adding New Cookies

category

SessionException

description

A request is received which contains additional cookies that are not expected by the application.

consideration
examples

The user uses a proxy tool to add additional cookies to the request.

code

[Java] [.Net] [PHP]

SE3: Deleting Existing Cookies

id

SE3

title

Deleting Existing Cookies

category

SessionException

description

A request is received which does not contain the expected cookies.

consideration
examples

The user uses a proxy tool to remove cookies or portions of cookies from a request.

code

[Java] [.Net] [PHP]

SE4: Substituting Another User's Valid Session ID Or Cookie

id

SE4

title

Substituting Another User's Valid Session ID Or Cookie

category

SessionException

description

A request is received which contains cookie data that is clearly from another user or another session.

consideration
examples

The user uses a proxy tool to substitute valid data from another user or session into the cookie. An example would be changing some sort of identification number within the cookie.

code

[Java] [.Net] [PHP]

SE5: Source IP Address Changes During Session

id

SE5

title

Source IP Address Changes During Session

category

SessionException

description

Valid requests, containing valid session credentials, are received from multiple source IP addresses.

consideration
examples

User A's session is compromised and User B begins using the account. The requests originating from User B will possibly contain a different source IP address the User A. The source IP addresses could be the same if both users where behind the same NAT.

code

[Java] [.Net] [PHP]

SE6: Change Of User Agent Mid Session

id

SE6

title

Change Of User Agent Mid Session

category

SessionException

description

The User-Agent value of the header changes during an authenticated session. This indicates a different browser is now being used. Although this value is under the control of the sender, a change in this may indicates that the session has been compromised and is being used another individual. This will likely not be the case that the user has simply copied and pasted the URL from one browser to another on the same system because this action would not copy over the appropriate session identifiers.

consideration
examples

Midsession, the UserAgent changes from Firefox to Internet Explorer

code

[Java] [.Net] [PHP]

AccessControlException

ACE1: Modifying URL Arguments Within a GET For Direct Object Access Attempts

id

ACE1

title

Modifying URL Arguments Within a GET For Direct Object Access Attempts

category

AccessControlException

description

The application is designed to use an identifier for a particular object, such as using categoryID=4 or user=guest within the URL. A user modifies this value in an attempt to access unauthorized information. This exception should be thrown anytime the identifier received from the user is not authorized due to the identifier being nonexistent or the identifier not authorized for that user.

consideration
examples

The user modifies the following URL from FIX THIS

code

[Java] [.Net] [PHP]

ACE2: Modifying Parameters Within A POST For Direct Object Access Attempts

id

ACE2

title

Modifying Parameters Within A POST For Direct Object Access Attempts

category

AccessControlException

description

The value of a non-free text html form element (i.e. drop down box, radio button) is modified to an illegal value. The value either does not exist or is not authorized for the user.

consideration
examples

The user uses a proxy tool to intercept a post request and changes the posted value to a value that was not available through the normal display. For example, the user encounters a dropdown box containing the numbers 1 through 10. The user selects 5 and then intercepts the post to change the submitted value to 100.

code

[Java] [.Net] [PHP]

ACE3: Force Browsing Attempts

id

ACE3

title

Force Browsing Attempts

category

AccessControlException

description

An authenticated or unauthenticated user sends a request for a non-existent resource (e.g. page, directory listing, image, file, etc), or a resource that is not authorized for that user.

consideration
examples

Example 1: The user is authenticated and requests site.com/PageThatDoesNotExist

Example 2: The user is authenticated and requests a video they are not authorized to download/view

Example 3: An unauthenticated user (perhaps with a session ID) requests a listing of a directory detailed in the site's robots.txt file

code

[Java] [.Net] [PHP]

ACE4: Evading Presentation Access Control Through Custom Posts

id

ACE4

title

Evading Presentation Access Control Through Custom Posts

category

AccessControlException

description

A post request is received which is not authorized for the current user and the user could not have performed this action without crafting a custom POST request. This situation is most likely to occur when presentation layer access controls are in place and have removed the user's ability to initiate the action through the presentation of the application. An attacker may be aware of the functionality and attempt to bypass this presentation layer access control by crafting their own custom message and sending this in an attempt to execute the functionality.

consideration
examples

The application contains the ability for an administrator to delete a user. This method is normally invoked by entering the username and posting to https://oursite/deleteuser Presentation layer access controls ensure the delete user form is not displayed to non-administrator users. A malicious user has access to a non-administrator account and is aware of the delete user functionality. The malicious user sends a custom crafted post message to https://oursite/deleteuser in an attempt to execute the delete user method.

code

[Java] [.Net] [PHP]

InputException

IE1: Cross Site Scripting Attempt

id

IE1

title

Cross Site Scripting Attempt

category

InputException

description

The HTTP request contains common XSS attacks which are often used by attackers probing for XSS vulnerabilities. Detection should be configured to test all GET and POST values as well as all header names and values for the following values.

consideration
examples

The user uses a proxy tool to add an XSS attack to the header value and the """"displayname"""" post variable. The header value could be displayed to an admin viewing log files and the """"displayname"""" post variable may be stored in the application and displayed to other users. Note, the following xss attacks would be used by an attacker to probe for vulnerability. An actual XSS attack would be customized by the attacker.

<script>alert(document.cookie);</script> <script>alert();</script> alert(String.fromCharCode(88,83,83)) <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=javascript:alert(&quot;XSS&quot;)> <BODY ONLOAD=alert('XSS')>

Cross references:

  • OWASP ModSecurity Core Rule Set Project v2.0.5
    • (41) XSS Attacks: Cross-site Scripting (XSS) Attack (67 Rules)
    • (41) XSS Attacks: Cross-site Scripting (XSS) Attack [Paranoid Mode] (Additional 67 Rules)
code

[Java] [.Net] [PHP]

IE2: Violations Of Implemented White Lists

id

IE2

title

Violations Of Implemented White Lists

category

InputException

description

The application receives user-supplied data that violates an established white list validation.

consideration
examples

The user submits data that is not correct for the particular field. This may not be attack data necessarily, but repeated violations could be an attempt by the attacker to determine how an application works or to discover a flaw.

code

[Java] [.Net] [PHP]

IE3: Violations Of Implemented Black Lists

id

IE3

title

Violations Of Implemented Black Lists

category

InputException

description

The application receives user-supplied data that violates an established black list validation.

consideration
examples

The application receives user-supplied data that violates an established black list validation. This may not be attack data necessarily, but repeated violations could be an attempt by the attacker to determine how an application works or to discover a flaw or to exploit a flaw. This black list approach suffers from the potential for greater false positives than IE2 above, and cannot be used to identify all potential malicious data.

Example 1: URL in comment field identified as suspected phishing and malware pages using Google Safe Browsing API)

Example 2: Parameter value matches a known SQL injection pattern.

Example 3: Parameter value matches a known XSS pattern.

code

[Java] [.Net] [PHP]

IE4: Violation of Input Data Integrity

id

IE4

title

Violations Of Implemented Black Lists

category

InputException

description

The application receives HTTP header or body parameter values which have been tampered with when no change should have occurred.

consideration
examples

Example 1: Hidden form field modified by client.

Example 2: Select list value submitted in response, not sent by server as an available option value

Example 3: Cookie set by server has been manipulated by the client.

Example 4: Cookie created by client instead of by the server.

code

[Java] [.Net] [PHP]

EncodingException

EE1: Double Encoded Characters

id

EE1

title

Double Encoded Characters

category

EncodingException

description

An HTTP request is received which contains values that have been double encoded.

consideration
examples

The user sends encodes the % symbol to %25 and appends 3C. The user is sending %253C which may be interpreted by the application as %3C which is actually <.

code

[Java] [.Net] [PHP]

EE2: Unexpected Encoding Used

id

EE2

title

Unexpected Encoding Used

category

EncodingException

description

An HTTP request is received which contains values that have encoded in an unexpected format.

consideration
examples

The user encodes an attack such as alert(document.cookie) into the UTF-7 format and sends this data the application. This could bypass validation filters and be rendered to a user in certain situations.

Cross references:

  • OWASP ModSecurity Core Rule Set Project v2.0.5
    • (20) Protocol Violations: UTF8 Encoding Abuse Attack Attempt (950801)
    • (30) HTTP Policy Enforcement: Request Content Type Is Not Allowed by Policy (960010)
code

[Java] [.Net] [PHP]

CommandInjectionException

CIE1: Blacklist Inspection For Common SQL Injection Values

id

CIE1

title

Blacklist Inspection For Common SQL Injection Values

category

CommandInjectionException

description

A request is received which contains common SQL injection attack attempts. The point of this detection is not to detect all variations of a SQL injection attack, but to detect the common probes which an attacker or tool might use to determine if a SQL injection vulnerability is present. Unless the site contains some sort of message board for discussing SQL injection, there is little reason that the SQL injection examples should ever be received from a user request.

consideration
examples

The user sends a request and modifies a URL parameter from category = 5 to category = 5' OR '1' = '1 in an attempt to perform an SQL injection attack. The user could perform similar attacks by modifying post variables or even the request headers to contain SQL injection attacks. ' OR '1'='1 ' OR 'a'='a ' OR 1=1-- xp_cmdshell UNION JOIN

Cross references:

code

[Java] [.Net] [PHP]

CIE2: Detect Abnormal Quantity Of Returned Records

id

CIE2

title

Detect Abnormal Quantity Of Returned Records

category

CommandInjectionException

description

A database query is executed which returns more records than expected. For example, if the query should only return 1 record and 100 records are returned, then something has likely gone wrong.

consideration
examples

The application is designed to allow a user to maintain 5 profiles. A user makes a request to view all of their profiles. The database query, which is expected to always return 5 or less results, returns 10,000 records. Something in the application, or user's actions, has caused unauthorized data to be returned.

code

[Java] [.Net] [PHP]

CIE3: Null Byte Character In File Request

id

CIE3

title

Null Byte Character In File Request

category

CommandInjectionException

description

A request is received to download a file from the server. The filename requested contains the null byte the file name. This is an attempted OS injection attack.

consideration
examples

The user modifies the filename of the requested file to download to contain the null byte. The null byte can be added by inserting the hex value %00.

Cross references:

code

[Java] [.Net] [PHP]

CIE4: Carriage Return Or Line Feed Character In File Request

id

CIE4

title

Carriage Return Or Line Feed Character In File Request

category

CommandInjectionException

description

A request is received which contains the carriage return or line feed characters within the posted data or the URL parameters. This is an attempted HTTP split response attack.

consideration
examples

The user includes the hex value %0D or %0A in the http request post data or URL parameters.

Cross references:

code

[Java] [.Net] [PHP]

FileIOException

FIO1: Detect Large Individual Files

id

FIO1

title

Detect Large Individual Files

category

FileIOException

description

A file upload feature detects that a large file has been submitted for upload which exceeds the maximum upload size

consideration
examples

The user attempts to upload a large file to occupy resources or fill up disk space

code

[Java] [.Net] [PHP]

FIO2: Detect Large Number Of File Uploads

id

FIO2

title

Detect Large Number Of File Uploads

category

FileIOException

description

A user uploads an excessively large number of files.

consideration
examples

A single user attempts to upload multiple small files to occupy resources or fill up disk space

code

[Java] [.Net] [PHP]

Honey Trap

TBD

Some ideas: http://blogs.sans.org/appsecstreetfighter/2009/06/04/my-top-6-honeytokens/

UserTrendException

UT1: Irregular Use Of Application

id

UT1

title

Irregular Use Of Application

category

UserTrendException

description

The application receives numerous requests for the same page or feature from a user. The user may be sending different data combinations or trying to detect errors in the page.

consideration
examples

The user requests a particular page, such as the address update page, numerous times.

code

[Java] [.Net] [PHP]

UT2: Speed Of Application Use

id

UT2

title

Speed Of Application Use

category

UserTrendException

description

The speed of requests from a user indicates that an automated tool is being used to access the site. The use of a tool may indicate reconnaissance for an attack or attempts to identify vulnerabilities in the site.

consideration
examples

The user utilizes an automated tool to request hundreds of pages per minute.

code

[Java] [.Net] [PHP]

UT3: Frequency Of Site Use

id

UT3

title

Frequency Of Site Use

category

UserTrendException

description

Does the user normally access the site 1 per week, and this is now many times per day

consideration
examples
code

[Java] [.Net] [PHP]

UT4: Frequency Of Feature Use

id

UT4

title

Frequency Of Feature Use

category

UserTrendException

description

The rate of a user utilizing a particular application feature changes dramatically.

consideration
examples
code

[Java] [.Net] [PHP]

SystemTrendException

STE1: High Number Of Logouts Across The Site

id

STE1

title

High Number Of Logouts Across The Site

category

SystemTrendException

description

A sudden spike in logouts across the application could indicate a XSS and CSRF attack placed within the application which is automatically logging off users.

consideration
examples

The hourly usage of the logoff feature of the application suddenly spikes by 500%.

code

[Java] [.Net] [PHP]

STE2: High Number Of Logins Across The Site

id

STE2

title

High Number Of Logins Across The Site

category

SystemTrendException

description

A sudden spike in logins across the application could indicate users being redirected to the site from a phishing email looking to exploit a XSS vulnerability in the site.

consideration
examples

The hourly usage of the logon feature of the application suddenly spikes by 500%.

code

[Java] [.Net] [PHP]

STE3: High Number Of Same Transaction Across The Site

id

STE3

title

High Number Of Same Transaction Across The Site

category

SystemTrendException

description

A sudden spike in similar activity across numerous users of the application may indicate a phishing attack or CSRF attack against the users.

consideration
examples

The hourly usage of the update email address feature of the application suddenly spikes by 500%.

code

[Java] [.Net] [PHP]