Difference between revisions of "Category:OWASP AppSensor Project"

From OWASP
Jump to: navigation, search
m (Project Roadmap)
(Added detection point titles to page for easy reference)
Line 1: Line 1:
{{OWASP Book|5984542}}
+
{{OWASP Book|5984542}}  
  
 +
<br> {{:Project Information:template AppSensor Project}}
  
{{:Project Information:template AppSensor Project}}
+
'''Summer of Code 2008 Project!'''
[[Category:OWASP Project|AppSensor Project]]
+
[[Category:OWASP Document]]
+
[[Category:OWASP Download]]
+
[[Category:OWASP Beta Quality Document]]
+
  
'''Summer of Code 2008 Project!'''
+
== Overview  ==
  
==Overview==
+
If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!  
 
+
If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!
+
  
 
As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.  
 
As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.  
  
In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application
+
In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application  
  
==Project Lead==
+
== Project Lead ==
Michael Coates (michael.coates [at] aspectsecurity [dot] com)
+
  
==Project Roadmap==
+
Michael Coates (michael.coates [at] aspectsecurity [dot] com)
  
'''Future Presentations:''' OWASP DC, November 2009
+
== Project Roadmap  ==
  
'''Current:''' v1.2 in the works, demo application in development
+
'''Future Presentations:''' OWASP DC, November 2009
  
 +
'''Current:''' v1.2 in the works, demo application in development
  
 +
<br>
  
'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])
+
'''May, 2009''' - AppSec EU Poland - Presentation ([http://www.owasp.org/images/b/b7/AppsecEU09_MichaelCoates.pptx PPT]) ([http://blip.tv/file/2198771 Video])  
  
'''January, 2009''' - v1.1 Released - Beta Status
+
'''January, 2009''' - v1.1 Released - Beta Status  
  
'''November, 2008''' - AppSensor Talk at OWASP Portugal
+
'''November, 2008''' - AppSensor Talk at OWASP Portugal  
  
 
'''November, 2008''' - v1.0 Released - Beta Status  
 
'''November, 2008''' - v1.0 Released - Beta Status  
  
'''April 16, 2008''' - Project Begins
+
'''April 16, 2008''' - Project Begins  
 +
 
 +
<br>
 +
 
 +
== Detection Points  ==
 +
 
 +
Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.
 +
 
 +
'''Signature Based Events'''
 +
 
 +
ID Event<br>RE1 Unexpected HTTP Commands <br>RE2 Attempts To Invoke Unsupported HTTP Methods<br>RE3 GET When Expecting POST<br>RE4 POST When Expecting GET<br>AE1 Use Of Multiple Usernames<br>AE2 Multiple Failed Passwords<br>AE3 High Rate Of Login Attempts<br>AE4 Unexpected Quantity Of Characters In Username<br>AE5 Unexpected Quantity Of Characters In Password<br>AE6 Unexpected Types Of Characters In Username<br>AE7 Unexpected Types Of Characters In Password<br>AE8 Providing Only The Username<br>AE9 Providing Only The Password<br>AE10 Adding Additional POST Variables<br>AE11 Removing POST Variables<br>SE1 Modifying Existing Cookies<br>SE2 Adding New Cookies<br>SE3 Deleting Existing Cookies<br>SE4 Substituting Another User's Valid Session ID Or Cookie<br>SE5 Source IP Address Changes During Session<br>SE6 Change Of User Agent Mid Session<br>ACE1 Modifying URL Arguments Within A GET For Direct Object Access Attempts<br>ACE2 Modifying Parameters Within A POST For Direct Object Access Attempts<br>ACE3 Force Browsing Attempts<br>ACE4 Evading Presentation Access Control Through Custom Posts<br>IE1 Cross Site Scripting Attempt<br>IE2 Violations Of Implemented White Lists<br>EE1 Double Encoded Characters<br>EE2 Unexpected Encoding Used<br>CIE1 Blacklist Inspection For Common SQL Injection Values<br>CIE2 Detect Abnormal Quantity Of Returned Records. <br>CIE3 Null Byte Character In File Request<br>CIE4 Carriage Return Or Line Feed Character In File Request<br>FIO1 Detect Large Individual Files <br>FIO2 Detect Large Number Of File Uploads<br><br>
 +
 
 +
'''Behavior Based Events'''<br>
 +
 
 +
UT1 Irregular Use Of Application<br>UT2 Speed Of Application Use<br>UT3 Frequency Of Site Use<br>UT4 Frequency Of Feature Use<br>STE1 High Number Of Logouts Across The Site<br>STE2 High Number Of Logins Across The Site<br>STE3 High Number Of Same Transaction Across The Site<br><br>
 +
 
 +
'''Legend:'''
 +
 
 +
RE - Request<br>AE - Authentication<br>SE - Session<br>ACE - Acess Control<br>IE - Input<br>EE - Encoding<br>CIE - Command Injection<br>FIO - File IO<br>UT - User Trend<br>STE - System Strend<br><br>
 +
 
 +
<br>
 +
 
 +
[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Beta_Quality_Document]]

Revision as of 11:47, 14 August 2009

OWASP Books logo.png This project has produced a book that can be downloaded or purchased.
Feel free to browse the full catalog of available OWASP books.


PROJECT IDENTIFICATION
Project Name OWASP AppSensor Project - Detect and Respond to Attacks from Within the Application
Short Project Description

Real Time Application Attack Detection and Response

Overview

Article on why Application Based Intrusion Detection is a must for critical applications.

The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.

Detection

AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.

Response

AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.

Defending the Application

An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

Project key Information Project Leaders:

Michael Coates
John Melton
Colin Watson
Dennis Groves

Project Contributors:

Ryan Barnett
Simon Bennetts
August Detlefsen
Dennis Groves
Randy Janida
Jim Manico
Giri Nambari
Eric Sheridan
John Stevens
Kevin Wall

Mailing list
Subscribe here
Use here
License
Creative Commons Attribution Share Alike 3.0
Project Type
Documentation
Sponsor
OWASP SoC 08
Release Status Main Links Related Projects

Beta Quality
Please see here for complete information.


Summer of Code 2008 Project!

Contents

Overview

If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!

As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.

In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application

Project Lead

Michael Coates (michael.coates [at] aspectsecurity [dot] com)

Project Roadmap

Future Presentations: OWASP DC, November 2009

Current: v1.2 in the works, demo application in development


May, 2009 - AppSec EU Poland - Presentation (PPT) (Video)

January, 2009 - v1.1 Released - Beta Status

November, 2008 - AppSensor Talk at OWASP Portugal

November, 2008 - v1.0 Released - Beta Status

April 16, 2008 - Project Begins


Detection Points

Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

Signature Based Events

ID Event
RE1 Unexpected HTTP Commands
RE2 Attempts To Invoke Unsupported HTTP Methods
RE3 GET When Expecting POST
RE4 POST When Expecting GET
AE1 Use Of Multiple Usernames
AE2 Multiple Failed Passwords
AE3 High Rate Of Login Attempts
AE4 Unexpected Quantity Of Characters In Username
AE5 Unexpected Quantity Of Characters In Password
AE6 Unexpected Types Of Characters In Username
AE7 Unexpected Types Of Characters In Password
AE8 Providing Only The Username
AE9 Providing Only The Password
AE10 Adding Additional POST Variables
AE11 Removing POST Variables
SE1 Modifying Existing Cookies
SE2 Adding New Cookies
SE3 Deleting Existing Cookies
SE4 Substituting Another User's Valid Session ID Or Cookie
SE5 Source IP Address Changes During Session
SE6 Change Of User Agent Mid Session
ACE1 Modifying URL Arguments Within A GET For Direct Object Access Attempts
ACE2 Modifying Parameters Within A POST For Direct Object Access Attempts
ACE3 Force Browsing Attempts
ACE4 Evading Presentation Access Control Through Custom Posts
IE1 Cross Site Scripting Attempt
IE2 Violations Of Implemented White Lists
EE1 Double Encoded Characters
EE2 Unexpected Encoding Used
CIE1 Blacklist Inspection For Common SQL Injection Values
CIE2 Detect Abnormal Quantity Of Returned Records.
CIE3 Null Byte Character In File Request
CIE4 Carriage Return Or Line Feed Character In File Request
FIO1 Detect Large Individual Files
FIO2 Detect Large Number Of File Uploads

Behavior Based Events

UT1 Irregular Use Of Application
UT2 Speed Of Application Use
UT3 Frequency Of Site Use
UT4 Frequency Of Feature Use
STE1 High Number Of Logouts Across The Site
STE2 High Number Of Logins Across The Site
STE3 High Number Of Same Transaction Across The Site

Legend:

RE - Request
AE - Authentication
SE - Session
ACE - Acess Control
IE - Input
EE - Encoding
CIE - Command Injection
FIO - File IO
UT - User Trend
STE - System Strend


Pages in category "OWASP AppSensor Project"

The following 4 pages are in this category, out of 4 total.