Difference between revisions of "Test defenses against application mis-use (OTG-BUSLOGIC-007)"

Jump to: navigation, search
(New content)
(Added CMSS and CAPEC references)
Line 70: Line 70:
* [https://buildsecurityin.us-cert.gov/swa/resilient.html Resilient Software], Software Assurance, US Department Homeland Security
* [https://buildsecurityin.us-cert.gov/swa/resilient.html Resilient Software], Software Assurance, US Department Homeland Security
* [http://csrc.nist.gov/publications/nistir/ir7864/nistir-7864.pdf IR 7684] Common Misuse Scoring System (CMSS), NIST
* [http://capec.mitre.org/ Common Attack Pattern Enumeration and Classification] (CAPEC), The Mitre Corporation
* [[OWASP_AppSensor_Project]]
* [[OWASP_AppSensor_Project]]
* [[:File:Owasp-appensor-guide-v2.doc | AppSensor Guide v2]], OWASP
* [[:File:Owasp-appensor-guide-v2.doc | AppSensor Guide v2]], OWASP

Revision as of 07:40, 15 October 2013

Brief Description

Mis-use of valid functionality, and invalid use, can identify attacks attempting to enumerate the web application, identify weaknesses, and exploit vulnerabilities. Tests should be undertaken to determine whether there are application-layer defensive mechanisms in place to protect the application.


The lack of active defenses allows an attacker (or a tester) to hunt for vulnerabilities without any recourse. The application's owner will thus not know their application is under attack.


An authenticated user undertakes the following (unlikely) sequence of actions:

 1. Attempt to access a file ID their roles is not permitted to download
 2. Substitutes a single tick (') instead of the file ID number
 3. Alters a GET request to a POST
 4. Adds an extra parameter
 5. Duplicates a parameter name/value pair

The application is monitoring mis-use and responds after the 5th event with extremely high confidence the user is an attacker. For example the application:

 Disables critical functionality
 Enables additional authentication steps to the remaining functionality
 Adds time-delays into every request-response cycle
 Begins to record additional data about the user's interactions (e.g. sanitized HTTP request headers, bodies and response bodies)

If the application does not respond in any way and the attacker can continue to abuse functionality and submit clearly malicious content at the application, the application has failed this test case.

In practice the discrete example actions in the example above are unlikely to occur like that. It is much more probable that a fuzzing tool is used to identify weaknesses in each parameter in turn. This is what a security tester will have undertaken too.

Testing Method

This test is unusual in that the result can be drawn from all the other tests performed against the web application. While performing all the other tests, take note of measures that might indicate the application has in-built self-defense:

  • Changed responses
  • Blocked requests
  • Actions that log a user out or lock their account

These may only be localised. Common localized (per function) defenses are:

  • Rejecting input containing certain characters
  • Locking out an account temporarily after a number of authentication failures

Localized security controls are not sufficient. There are often no defenses against general mis-use such as:

  • Forced browsing
  • Bypassing presentation layer input validation
  • Multiple access control errors
  • Additional, duplicated or missing parameter names
  • Multiple input validation or business logic verification failures with values that cannot be the result user mistakes or typos
  • Structured data (e.g. JSPN, XML) of an invalid format is received
  • Blatant cross-site scripting or SQL injection payloads are received
  • Utilising the application faster than would be possible without automation tools
  • Change in continental geo-location of a user
  • Change of user agent
  • Accessing a multi-stage business process in the wrong order
  • Large number of, or high rate of use of, application-specific functionality (e.g. voucher code submission, failed credit card payments, file uploads, file downloads, log outs, etc).

These defenses work best in authenticated parts of the application, although rate of creation of new accounts or accessing content (e.g. to scrape information) can be of use in public areas..

Not all the above need to be monitored by the application, but there is a problem if none of them are. By testing the web application, doing the above type of actions, was any response taken against the tester? If not, the tester should report that the application appears to have no application-wide active defenses against mis-use. Note it is sometimes possible that all responses to attack detection are silent to the user (e.g. logging changes, increased monitoring, alerts to administrators and and request proxying), so confidence in this finding cannot be guarateed. In practice, very few applications (or related infrtastructure such as a web application firewall) are detecting these types of mis-use.

Test Tools

Everything used for the other test cases.

Related Test Cases

All other test cases are relevant.



Build inactive defenses against application mis-use.