Difference between revisions of "OWASP AppSensor Project"

From OWASP
Jump to: navigation, search
(Copyright added)
(19 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{OWASP Book|5984542}}
+
=Main=
  
 +
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Appsensor-header.jpg|link=]]</div>
  
{{ProjectTabs |  
+
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
Proj_About=  
+
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
{{:Project Information:template AppSensor Project}}
+
  
|
+
== OWASP AppSensor ==
  
Proj_Documentation=
+
The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement [https://www.owasp.org/index.php/ApplicationLayerIntrustionDetection intrusion detection and automated response] into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.
== AppSensor Overview ==
+
  
If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!
 
  
As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.
+
== Introduction ==
  
In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project will create the framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application
+
If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change!  As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.  
  
== Is this hard?==
+
In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project delivers a framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application.
No, simple checks are used to detect malicious activity. A security exception is then thrown and the AppSensor/ESAPI framework takes care of the rest.  
+
  
== Get AppSensor ==
 
Download the AppSensor book for free at [http://www.lulu.com/product/download/owasp-appsensor/4520005  lulu.com]
 
  
Order a printed version for under $10 [http://www.lulu.com/content/5984542 lulu.com]
+
== Detect and Respond to Attacks from Within the Application ==
  
|
+
=== Detection ===
 +
AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
 +
=== Response===
 +
AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
 +
===Defending the Application===
 +
An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.
  
Proj_Contributors=
 
  
 +
==Citations==
  
|
+
* [http://www.crosstalkonline.org/ CrossTalk], The Journal of Defense Software Engineering
 +
** Creating Attack-Aware Software Applications with Real Time Defenses, Vol. 24, No. 5, Sep/Oct 2011
  
Proj_Mail=
+
* Norwegian University of Science and Technology in Tronheim
 +
** [http://ntnu.diva-portal.org/smash/record.jsf?pid=diva2:566091 AppSensor: Attack-Aware Applications Compared Against a Web Application Firewall and an Intrusion Detection System], Thomassen P, 2012
  
AppSensor-Tutorial [http://code.google.com/p/appsensor/source/browse/trunk/AppSensor-Tutorial/ Now Available]!
+
*US Department of Homeland Security
 +
** [https://buildsecurityin.us-cert.gov/swa/topics/resilient-software/ Resilient Software]
 +
** [https://buildsecurityin.us-cert.gov/swa/resources Software Assurance Resources]
  
AppSensor Presented at AppSecUSA
 
  
 +
==Licensing==
 +
OWASP AppSensor is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.
  
==== Project Roadmap  ====
+
&copy; OWASP Foundation
  
'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]
 
  
'''July, 2010''' - ESAPI Integration Complete!
+
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 +
 
 +
== What is AppSensor? ==
 +
 
 +
Detect and Respond to Attacks from Within the Application.
 +
 
 +
 
 +
== Overview ==
 +
 
 +
[[File:Appsensor_crosstalk_small.jpg|link=http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf]]
 +
 
 +
Download the [http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf PDF] from CrossTalk Magazine.
 +
 
 +
 
 +
== Project Founder ==
 +
 
 +
*Michael Coates
 +
 
 +
 
 +
== Project Leaders ==
 +
 
 +
* Dennis Groves
 +
* John Melton
 +
* Colin Watson
 +
 
 +
 
 +
== Related Projects ==
 +
 
 +
* [[:Category:OWASP_Enterprise_Security_API|OWASP Enterprise Security API]]
 +
* [[:Category:OWASP_ModSecurity_Core_Rule_Set_Project|OWASP ModSecurity Core Rule Set]]
 +
 
 +
 
 +
| valign="top"  style="padding-left:25px;width:200px;" |
 +
 
 +
== Quick Download ==
 +
 
 +
* OWASP AppSensor Guide v1.1 EN (beta)
 +
** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
 +
** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]
 +
* OWASP AppSensor Demonstration Implementations
 +
** [http://www.owasp.org/index.php/AppSensor_Developer_Guide Developer Guide]
 +
** [http://code.google.com/p/appsensor/ Code]
 +
 
 +
 
 +
== News and Events ==
 +
* [21 Nov 2013] [http://appsecusa2013.sched.org/event/6dddc818ce383f9f16c93a6942194fcc?iframe=no&w=990&sidebar=yes&bg=no AppSensor Project presentation]
 +
* [20 Nov 2013] [http://appsecusa2013.sched.org/event/919e2765c43ed84d5c909df182286e95?iframe=no&w=100&sidebar=yes&bg=no Writing and document review]
 +
* [18 Nov 2013] [http://appsecusa2013.sched.org/event/27b2968fe4894f71db79652a4f736940?iframe=no&w=990&sidebar=yes&bg=no AppSensor 2.0 Hackathon]
 +
* [28 Oct 2013] [http://www.cyber.st.dhs.gov/host/ HOST] investment award notification
 +
 
 +
 
 +
== In Print ==
 +
 
 +
[[File:Appsensor_small.jpg|link=]]
 +
 
 +
We apologise the v1.1 book can no longer be purchased as a print on demand book from Lulu.com, due to support for the format/binding being withdrawn. Please download the [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF] instead. The v2.0 document is in progress and will be available on Lulu in Spring 2014.
 +
 
 +
 
 +
==Classifications==
 +
 
 +
  {| width="200" cellpadding="2"
 +
  |-
 +
  | align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-labs-trans-85.png|link=:Category:OWASP_Project#tab=Terminology]]
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] 
 +
  |-
 +
  | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_DOC.jpg|link=]] 
 +
  |-
 +
  | colspan="2" align="center"  | [[File:Project_Type_Files_CODE.jpg|link=]]
 +
  |}
 +
 
 +
|}
 +
 
 +
= Acknowledgements =
 +
 
 +
== Volunteers ==
 +
 
 +
All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.
 +
 
 +
{| cellpadding="2"
 +
  |-
 +
  | width="200" align="left" valign="top" |
 +
 
 +
*Ryan Barnett
 +
*Simon Bennetts
 +
*Joe Bernik
 +
*Rex Booth
 +
*Luke Briner
 +
*Rauf Butt
 +
*Fabio Cerullo
 +
*Marc Chisinevski
 +
*Robert Chojnacki
 +
*Michael Coates
 +
*Dinis Cruz
 +
*August Detlefsen
 +
 
 +
  | width="200" align="left" valign="top" |
 +
 
 +
*Ryan Dewhurst
 +
*Sean Fay
 +
*Dennis Groves
 +
*Randy Janida
 +
*Eoin Keary
 +
*Alex Lauerman
 +
*Junior Lazuardi
 +
*Jason Li
 +
*Manuel López Arredondo
 +
*Bob Maier
 +
*Jim Manico
 +
*John Melton
 +
*Craig Munson
 +
 
 +
  | width="200" align="left" valign="top" |
 +
 
 +
*Giri Nambari
 +
*Jay Reynolds
 +
*Chris Schmidt
 +
*Sahil Shah
 +
*Eric Sheridan
 +
*John Steven
 +
*Alex Thissen
 +
*Don Thomas
 +
*Pål Thomassen
 +
*Kevin W Wall
 +
*Colin Watson
 +
*Mehmet Yilmaz
 +
 
 +
  |}
 +
 
 +
 
 +
==OWASP Summer of Code 2008==
 +
The AppSensor Project  was initially supported by the [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008 OWASP Summer of Code 2008], leading to the publication of the book AppSensor v1.1.
 +
 
 +
 
 +
==Google Summer of Code 2012==
 +
Additional development work on [http://www.google-melange.com/gsoc/project/google/gsoc2012/edil/60002 SOAP web services] was kindly supported by the [http://www.google-melange.com/gsoc/program/home/google/gsoc2012 Google Summer of Code 2012].
 +
 
 +
 
 +
== Homeland Open Security Technology (HOST) Program ==
 +
AppSensor was awarded funding by the U.S. Department of Homeland Security’s Science and Technology Directorate's Security Research and Development Center under its HOST program to contribute to the production of the second version of the guide.
 +
 
 +
 
 +
== Other Acknowledgements ==
 +
The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.
 +
 
 +
 
 +
= Road Map and Getting Involved =
 +
 
 +
Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:
 +
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project General project]
 +
* [https://lists.owasp.org/mailman/listinfo/owasp-appsensor-dev Code development]
 +
 
 +
== Future activities ==
 +
 
 +
'''November, 2013''' - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York
 +
 
 +
'''2012-2013''' - Active Development of next AppSensor book!
 +
 
 +
'''2014 Spring''' Version 2 book to be published
 +
 
 +
== Past activities ==
 +
 
 +
'''September, 2011''' - AppSensor Summit at AppSec USA 2011, Minneapolis
 +
 
 +
'''September, 2010''' - Presented at AppSecUSA [http://www.slideshare.net/michael_coates/real-time-application-defenses-the-reality-of-appsensor-esapi-5181743 slides]
  
 
'''June, 2010''' - Active ESAPI Integration Underway
 
'''June, 2010''' - Active ESAPI Integration Underway
Line 61: Line 232:
 
'''April 16, 2008''' - Project Begins  
 
'''April 16, 2008''' - Project Begins  
  
<br>
 
 
==== Detection Points  ====
 
  
 +
= Detection Points =
  
 
Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.  
 
Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.  
  
Full info found '''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Here] '''
+
'''[http://www.owasp.org/index.php/AppSensor_DetectionPoints Detailed Detection Point Information Here] '''
  
'''Legend:'''  
+
'''[http://www.owasp.org/index.php/AppSensor_ResponseActions Response Action Information Here]'''
 +
 
 +
'''Summary of Information'''
 +
'''Detection Categories:'''  
  
 
RE - Request
 
RE - Request
Line 78: Line 250:
 
SE - Session
 
SE - Session
  
ACE - Acess Control
+
ACE - Access Control
  
 
IE - Input
 
IE - Input
Line 97: Line 269:
 
   
 
   
  
'''Signature Based Events'''  
+
'''Signature Based Event Titles'''  
  
 
ID Event
 
ID Event
Line 112: Line 284:
  
 
RE6 Data Missing from Request
 
RE6 Data Missing from Request
 +
 +
RE7 Unexpected Quantity of Characters in Parameter
 +
 +
RE8 Unexpected Type of Characters in Parameter
  
 
AE1 Use Of Multiple Usernames
 
AE1 Use Of Multiple Usernames
Line 191: Line 367:
 
HT3 Honey Trap Data Used
 
HT3 Honey Trap Data Used
  
'''Behavior Based Events'''<br>  
+
'''Behavior Based Event Titles'''<br>  
  
 
UT1 Irregular Use of Application
 
UT1 Irregular Use of Application
Line 205: Line 381:
 
STE2 High Number of Logins Across The Site
 
STE2 High Number of Logins Across The Site
  
STE3 High Number of Same Transaction Across The Site
+
STE3 Significant Change in Usage of Same Transaction Across The Site
  
 
RP1 Suspicious or Disallowed User IP Address
 
RP1 Suspicious or Disallowed User IP Address
Line 215: Line 391:
 
RP4 Change to Environment Threat Level
 
RP4 Change to Environment Threat Level
  
 +
= Media =
  
==== Media  ====
+
== AppSensor Guide ==
 +
 
 +
* OWASP AppSensor Guide v1.1 EN
 +
** [https://www.owasp.org/images/2/2f/OWASP_AppSensor_Beta_1.1.pdf PDF]
 +
** [https://www.owasp.org/images/b/b0/OWASP_AppSensor_Beta_1.1.doc DOC]
 +
* OWASP AppSensor Guide v2.0 EN
 +
** In progress ([https://www.owasp.org/index.php/File%3AOwasp-appensor-guide-v2.doc draft versions])
 +
 
 +
 
 +
== Development ==
 +
 
 +
[http://www.owasp.org/index.php/AppSensor_Developer_Guide Developer Guide]
 +
[http://code.google.com/p/appsensor/ Google Code]
 +
 
 +
== Presentations ==
 +
 
 +
[http://code.google.com/p/appsensor/source/browse/trunk/AppSensor-Tutorial/ AppSensorTutorial]
 +
 
 +
[http://www.brighttalk.com/webcast/20680 Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)]
  
 
July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]
 
July, 2010 - OWASP London (UK) - [http://www.owasp.org/index.php/File:Owasp-london-20100715-appsensor-3.pdf Real Time Application Attack Detection and Response with OWASP AppSensor]
Line 233: Line 428:
  
  
'''Video Demos of AppSensor'''
+
==Video Demos of AppSensor==
 +
 
  
 
[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]
 
[http://www.youtube.com/watch?v=8ItfuwvLxRk Detecting Multiple Attacks & Logging Out Attacker]
Line 244: Line 440:
  
  
==== Project About (under construction) ====
+
= Project About =
{{:Projects/OWASP_AppSensor_Project}}
+
{{:Projects/OWASP_AppSensor_Project | Project About}}
  
  
 
}}  
 
}}  
  
[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP_Document]] [[Category:OWASP_Download]] [[Category:OWASP_Beta_Quality_Document]]
+
__NOTOC__ <headertabs />
 +
 
 +
[[Category:OWASP_Project|AppSensor Project]] [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]] [[Category:OWASP_Download]]

Revision as of 14:00, 15 November 2013

[edit]

Appsensor-header.jpg

OWASP AppSensor

The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.


Introduction

If you walk into a bank and try opening random doors, you will be identified, led out of the building and possibly arrested. However, if you log into an online banking application and start looking for vulnerabilities no one will say anything. This needs to change! As critical applications continue to become more accessible and inter-connected, it is paramount that critical information is sufficiently protected. We must also realize that our defenses may not be perfect. Given enough time, attackers can identify security flaws in the design or implementation of an application.

In addition to implementing layers of defense within an application, we must identify malicious individuals before they are able to identify any gaps in our defenses. The best place to identify malicious activity against the application is within the application itself. Network based intrusion detection systems are not appropriate to handle the custom and intricate workings of an enterprise application and are ill-suited to detect attacks focusing on application logic such as authentication, access control, etc. This project delivers a framework which can be used to build a robust system of attack detection, analysis, and response within an enterprise application.


Detect and Respond to Attacks from Within the Application

Detection

AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.

Response

AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.

Defending the Application

An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.


Citations

  • CrossTalk, The Journal of Defense Software Engineering
    • Creating Attack-Aware Software Applications with Real Time Defenses, Vol. 24, No. 5, Sep/Oct 2011


Licensing

OWASP AppSensor is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

© OWASP Foundation


What is AppSensor?

Detect and Respond to Attacks from Within the Application.


Overview

Appsensor crosstalk small.jpg

Download the PDF from CrossTalk Magazine.


Project Founder

  • Michael Coates


Project Leaders

  • Dennis Groves
  • John Melton
  • Colin Watson


Related Projects


Quick Download


News and Events


In Print

Appsensor small.jpg

We apologise the v1.1 book can no longer be purchased as a print on demand book from Lulu.com, due to support for the format/binding being withdrawn. Please download the PDF instead. The v2.0 document is in progress and will be available on Lulu in Spring 2014.


Classifications

Owasp-labs-trans-85.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files DOC.jpg
Project Type Files CODE.jpg

Volunteers

All OWASP projects rely on the voluntary efforts of people in the software development and information security sectors. They have contributed their time and energy to make suggestions, provide feedback, write, review and edit documentation, give encouragement, make introductions, produce demonstration code, promote the concept, and provide OWASP support. They participated via the project’s mailing lists, by developing code, by updating the wiki, by undertaking research studies, and through contributions during the AppSensor working session at the OWASP Summit 2011 in Portugal and the AppSensor Summit at AppSec USA 2011. Without all their efforts, the project would not have progressed to this point, and this guide would not have been completed.

  • Ryan Barnett
  • Simon Bennetts
  • Joe Bernik
  • Rex Booth
  • Luke Briner
  • Rauf Butt
  • Fabio Cerullo
  • Marc Chisinevski
  • Robert Chojnacki
  • Michael Coates
  • Dinis Cruz
  • August Detlefsen
  • Ryan Dewhurst
  • Sean Fay
  • Dennis Groves
  • Randy Janida
  • Eoin Keary
  • Alex Lauerman
  • Junior Lazuardi
  • Jason Li
  • Manuel López Arredondo
  • Bob Maier
  • Jim Manico
  • John Melton
  • Craig Munson
  • Giri Nambari
  • Jay Reynolds
  • Chris Schmidt
  • Sahil Shah
  • Eric Sheridan
  • John Steven
  • Alex Thissen
  • Don Thomas
  • Pål Thomassen
  • Kevin W Wall
  • Colin Watson
  • Mehmet Yilmaz


OWASP Summer of Code 2008

The AppSensor Project was initially supported by the OWASP Summer of Code 2008, leading to the publication of the book AppSensor v1.1.


Google Summer of Code 2012

Additional development work on SOAP web services was kindly supported by the Google Summer of Code 2012.


Homeland Open Security Technology (HOST) Program

AppSensor was awarded funding by the U.S. Department of Homeland Security’s Science and Technology Directorate's Security Research and Development Center under its HOST program to contribute to the production of the second version of the guide.


Other Acknowledgements

The project has also benefitted greatly from the generous contribution of time and effort by many volunteers in the OWASP community including those listed above, and contributors to the OWASP ESAPI project, members of the former OWASP Global Projects Committee, the OWASP Board, OWASP staff and support from the OWASP Project Reboot initiative. The v2 code and documentation were conceived during the AppSensor Summit held during AppSec USA 2011 in Minneapolis.


Please join the project's mailing lists to keep up-to-date with what's going on, and to contribute your ideas, feedback, and experience:

Future activities

November, 2013 - AppSensor 2.0 hackathon, and document writing & review at AppSecUSA 2013, New York

2012-2013 - Active Development of next AppSensor book!

2014 Spring Version 2 book to be published

Past activities

September, 2011 - AppSensor Summit at AppSec USA 2011, Minneapolis

September, 2010 - Presented at AppSecUSA slides

June, 2010 - Active ESAPI Integration Underway

November, 2009 OWASP DC, November 2009

Current: v1.2 in the works, demo application in development

May, 2009 - AppSec EU Poland - Presentation (PPT) (Video)

January, 2009 - v1.1 Released - Beta Status

November, 2008 - AppSensor Talk at OWASP Portugal

November, 2008 - v1.0 Released - Beta Status

April 16, 2008 - Project Begins


Below are the primary detection points defined within AppSensor. These are just the titles; the document contains descriptions, examples and considerations for implementing these detection points.

Detailed Detection Point Information Here 
Response Action Information Here

Summary of Information Detection Categories:

RE - Request

AE - Authentication

SE - Session

ACE - Access Control

IE - Input

EE - Encoding

CIE - Command Injection

FIO - File IO

HT - Honey Trap

UT - User Trend

STE - System Trend

RP - Reputation


Signature Based Event Titles

ID Event

RE1 Unexpected HTTP Command

RE2 Attempt to Invoke Unsupported HTTP Method

RE3 GET When Expecting POST

RE4 POST When Expecting GET

RE5 Additional/Duplicated Data in Request

RE6 Data Missing from Request

RE7 Unexpected Quantity of Characters in Parameter

RE8 Unexpected Type of Characters in Parameter

AE1 Use Of Multiple Usernames

AE2 Multiple Failed Passwords

AE3 High Rate of Login Attempts

AE4 Unexpected Quantity of Characters in Username

AE5 Unexpected Quantity of Characters in Password

AE6 Unexpected Type of Character in Username

AE7 Unexpected Type of Character in Password

AE8 Providing Only the Username

AE9 Providing Only the Password

AE10 Adding POST Variable

AE11 Missing POST Variable

AE12 Utilization of Common Usernames

SE1 Modifying Existing Cookie

SE2 Adding New Cookie

SE3 Deleting Existing Cookie

SE4 Substituting Another User's Valid Session ID or Cookie

SE5 Source IP Address Changes During Session

SE6 Change Of User Agent Mid Session

ACE1 Modifying URL Argument Within a GET for Direct Object Access Attempt

ACE2 Modifying Parameter Within a POST for Direct Object Access Attempt

ACE3 Force Browsing Attempt

ACE4 Evading Presentation Access Control Through Custom POST

IE1 Cross Site Scripting Attempt

IE2 Violation of Implemented White Lists

IE3 Violation Of Implemented Black Lists

IE4 Violation of Input Data Integrity

IE5 Violation of Stored Business Data Integrity

IE6 Violation of Security Log Integrity

EE1 Double Encoded Character

EE2 Unexpected Encoding Used

CIE1 Blacklist Inspection for Common SQL Injection Values

CIE2 Detect Abnormal Quantity of Returned Records

CIE3 Null Byte Character in File Request

CIE4 Carriage Return or Line Feed Character In File Request

FIO1 Detect Large Individual File

FIO2 Detect Large Number of File Uploads

HT1 Alteration to Honey Trap Data

HT2 Honey Trap Resource Requested

HT3 Honey Trap Data Used

Behavior Based Event Titles

UT1 Irregular Use of Application

UT2 Speed of Application Use

UT3 Frequency of Site Use

UT4 Frequency of Feature Use

STE1 High Number of Logouts Across The Site

STE2 High Number of Logins Across The Site

STE3 Significant Change in Usage of Same Transaction Across The Site

RP1 Suspicious or Disallowed User IP Address

RP2 Suspicious External User Behavior

RP3 Suspicious Client-Side Behavior

RP4 Change to Environment Threat Level

AppSensor Guide


Development

Developer Guide Google Code

Presentations

AppSensorTutorial

Automated Application Defenses to Thwart Advanced Attackers (Slides & Audio)

July, 2010 - OWASP London (UK) - Real Time Application Attack Detection and Response with OWASP AppSensor

June, 2010 - OWASP Leeds/North (UK) - OWASP AppSensor - The Self-Aware Web Application

June, 2010 - Video presentation - Automated Application Defenses to Thwart Advanced Attackers

November, 2009 - AppSec DC - Defend Yourself: Integrating Real Time Defenses into Online Applications

May, 2009 - OWASP Podcast #51

May, 2009 - AppSec EU Poland - Real Time Defenses against Application Worms and Malicious Attackers

November, 2008 - OWASP Summit Portugal 2008 PPT


Video Demos of AppSensor

Detecting Multiple Attacks & Logging Out Attacker

Detecting XSS Probes

Detecting URL Tampering

Detecting Verb Tampering


PROJECT INFO
What does this OWASP project offer you?
RELEASE(S) INFO
What releases are available for this project?
what is this project?
Name: OWASP AppSensor Project (home page)
Purpose: Real Time Application Attack Detection and Response

Overview The AppSensor project defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into an existing application. Current efforts are underway to create the AppSensor tool which can be utilized by any existing application interested in adding detection and response capabilities.
Detection AppSensor defines over 50 different detection points which can be used to identify a malicious attacker.
Response AppSensor provides guidance on how to respond once a malicious attacker has been identified. Possible actions include: logging out the user, locking the account or notifying an administrator. More than a dozen response actions are described.
Defending the Application An attacker often requires numerous probes and attack attempts in order to locate an exploitable vulnerability within the application. By using AppSensor it is possible to identify and eliminate the threat of an attacker before they are able to successfully identify an exploitable flaw.

License: Creative Commons Attribution Share Alike 3.0 for documentation & New BSD License for Tools
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: View
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
AppSensor 0.1.3 - Nov 2010 (Tool) & September 2008 (doc) - (download)
Release description: N/A
Rating: Yellow button.JPG Not Reviewed - Assessment Details
last reviewed release
Not Yet Reviewed


other releases


}}