[Owasp-appsensor-project] AppSensor Feedback/Ideas

Alex Lauerman alex.lauerman at gmail.com
Sat Nov 21 11:02:45 EST 2009


I just listened to the OWASP Podcast and I really like where this project is
headed!  I've thought about this a lot and I believe there is a huge amount
of value in this kind of defense.  The detection methods don't need to be
very complex to work; I bet you could detect me, as an attacker, by only
monitoring one or two parameters.  AppSensor seems like it would be worth
the development effort for just about every sensitive application.

A coworker of mine tested an application once that locked out his account
every time it detected malicious input.  I think he pretty much was limited
to acting as a normal user and only passively looking for vulnerabilities
(e.g., logic flaws, not using SSL, HTTPOnly not set, etc.).

One more detection point you could add is a list of common usernames that do
not exist in the application.  For example, the AppSensor would detect an
attack when I tried to log in as "administrator" and "admin", because those
are not real usernames for this application.

Another detection idea is to insert fake parameters (e.g. uID=0), to see if
they are ever modified.  This is more of a honey pot approach, but I guess
you don't need to detect every attack, just one (good is the enemy of
great).

Have you considered integrating this with ESAPI?  It seems like you could
tie AppSensor in with the ESAPI functions to detect a lot of these attacks
without modifying the code (assuming the application was developed using
ESAPI).

I'd love to help out with this project, although I am very busy right now.
Let me know if there is anything I can do to help, otherwise I will plan on
lurking on the mailing list.

-Alex
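The two detection points suggested above, decoy usernames that do not exist in the application and a honeytoken parameter that must never be modified, as an added example that is not from this post or from the AppSensor project; the username list, the `uID` honeytoken, the request records and the lock-out threshold are all constructed assumptions.

```python
# Added example (not AppSensor code): two application-layer detection points
# run over constructed request records, then a simple per-session lock-out rule.
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl

# Assumed: usernames that do NOT exist in this application. A login attempt
# with one of them is a guess at a default account, not a user's typo.
DECOY_USERNAMES = {"admin", "administrator", "root", "test"}

# Assumed honeytoken: a parameter the application emits but never reads.
# Any request where it differs from the emitted value was tampered with.
HONEYTOKEN_PARAM = "uID"
HONEYTOKEN_VALUE = "0"

@dataclass(frozen=True)
class DetectionEvent:
    point: str      # which detection point fired
    session: str    # session the request belongs to
    detail: str     # the offending value, for the log

def inspect_request(session: str, url: str) -> list:
    """Return the detection events raised by one request (path plus query)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    events = []
    if parts.path == "/login":
        user = params.get("username", "").strip().lower()
        if user in DECOY_USERNAMES:
            events.append(DetectionEvent("decoy_username", session, user))
    if HONEYTOKEN_PARAM in params and params[HONEYTOKEN_PARAM] != HONEYTOKEN_VALUE:
        events.append(DetectionEvent("honeytoken_modified", session,
                                     params[HONEYTOKEN_PARAM]))
    return events

def sessions_to_lock(requests, threshold: int = 1) -> set:
    """Sessions whose event count reaches the threshold (threshold=1 is the
    'lock out on first malicious input' behaviour described in the post)."""
    counts = {}
    for session, url in requests:
        for _ in inspect_request(session, url):
            counts[session] = counts.get(session, 0) + 1
    return {s for s, n in counts.items() if n >= threshold}

# Constructed sample traffic: (session id, request path with query string).
SAMPLE_REQUESTS = [
    ("s1", "/login?username=alice&password=x"),          # legitimate
    ("s2", "/login?username=Administrator&password=x"),  # decoy username
    ("s2", "/login?username=admin&password=x"),          # decoy username again
    ("s3", "/profile?uID=0&name=bob"),                   # honeytoken untouched
    ("s4", "/profile?uID=1&name=bob"),                   # honeytoken modified
]

if __name__ == "__main__":
    for s in sorted(sessions_to_lock(SAMPLE_REQUESTS)):
        print("lock session", s)
```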