[Owasp-appsensor-project] AppSensor Feedback/Ideas

Colin Watson colin.watson at owasp.org
Sat Nov 21 13:32:39 EST 2009


Alex

I like the idea of unexpected common usernames (wrong key used in the
AppSensor defending banks and stores analogy) and fake parameters
(small shiny goods in the shop with alarm tags in them).

But you reminded me to write something up which I mentioned in passing
to Michael Coates.

In a previous discussion I'd mentioned the concept of having sensor
input from other locations such as the web server, WAF, XML firewall,
etc that could add to knowledge about the actions of a particular
user.  But on the way to AppSec DC I read the specification for
Firefox's Content Security Policy.  There is a violation report
syntax:

https://wiki.mozilla.org/Security/CSP/Spec#Violation_Report_Syntax

which can be used by the user agent to send an XML report back to the
content provider.  Perhaps another potential optional sensor feed?

Colin
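Added example, not part of Colin's post or of the AppSensor project's own code: a minimal CSP violation-report receiver that turns browser reports into per-user, AppSensor-style sensor events. It assumes reports arrive as the JSON `{"csp-report": {...}}` body that current browsers POST to a `report-uri` endpoint (the 2009 Mozilla draft linked above used an XML body); the detection point names, thresholds and the session identifier passed in as a string are all illustrative assumptions, and the sample report bodies are constructed. Because the reports are produced by the client, the code treats them as untrusted input: it keeps only a whitelist of fields, bounds their length, and reacts to a burst rather than a single report.

```python
"""Added example (not from the post or the AppSensor project): CSP
violation reports as an optional AppSensor sensor feed.

Assumptions (labelled): JSON report bodies as POSTed by modern browsers
to a report-uri endpoint; `user` is whatever session identifier the
receiving application already has; detection point names and the
threshold/window values are hypothetical.
"""
import json
from collections import defaultdict, deque
from typing import Optional

# Only these client-supplied fields are retained; the rest of the report
# is dropped rather than logged, since the whole body is attacker-controllable.
KEPT_FIELDS = ("document-uri", "blocked-uri", "violated-directive", "effective-directive")
MAX_FIELD_LEN = 512  # bound what reaches the log store


def parse_csp_report(body: bytes) -> Optional[dict]:
    """Parse a JSON CSP report body into a dict of whitelisted, length-bounded
    fields. Returns None for anything that is not a well-formed report."""
    try:
        doc = json.loads(body.decode("utf-8", errors="strict"))
    except (UnicodeDecodeError, ValueError):
        return None
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return None
    out = {}
    for key in KEPT_FIELDS:
        val = report.get(key)
        if isinstance(val, str):
            out[key] = val[:MAX_FIELD_LEN]
    if not out.get("violated-directive"):
        return None
    return out


def classify(report: dict) -> str:
    """Map a parsed report to a hypothetical AppSensor-style detection point
    name (these names are assumptions, not AppSensor's own list)."""
    directive_field = report.get("effective-directive") or report["violated-directive"]
    parts = directive_field.split()
    directive = parts[0] if parts else ""
    blocked = report.get("blocked-uri", "")
    if directive == "script-src" and blocked in ("inline", "eval", ""):
        return "CSP_INLINE_SCRIPT_BLOCKED"   # script injected into the page was blocked
    if directive == "script-src":
        return "CSP_EXTERNAL_SCRIPT_BLOCKED"
    if directive in ("connect-src", "form-action"):
        return "CSP_OUTBOUND_CHANNEL_BLOCKED"
    return "CSP_OTHER_VIOLATION"


class CspSensor:
    """Sliding-window counter per (user, detection point). Reports come from
    the client, so they are a low-weight signal: a single report never
    triggers a response, only `threshold` reports inside `window_seconds`."""

    def __init__(self, threshold: int = 5, window_seconds: int = 300):
        self.threshold = threshold
        self.window = window_seconds
        self.events = defaultdict(deque)  # (user, point) -> timestamps

    def observe(self, user: str, body: bytes, now: float) -> Optional[str]:
        """Record one report; return the detection point name when the
        per-user threshold is crossed, otherwise None."""
        report = parse_csp_report(body)
        # Malformed bodies are counted as their own detection point rather
        # than discarded: a stream of junk at the report endpoint is itself a signal.
        point = "CSP_MALFORMED_REPORT" if report is None else classify(report)
        q = self.events[(user, point)]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return point if len(q) >= self.threshold else None


# Constructed sample report bodies (not captured traffic).
SAMPLE_INLINE = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "blocked-uri": "inline",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; report-uri /csp-report",
}}).encode()
SAMPLE_CONNECT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "blocked-uri": "https://collector.example.net/",
    "violated-directive": "connect-src 'self'",
    "effective-directive": "connect-src",
}}).encode()
SAMPLE_JUNK = b'{"not": "a report"}'


def demo() -> list:
    """Feed a constructed burst from one session through the sensor and
    return the detection points that fired, in order."""
    sensor = CspSensor(threshold=3, window_seconds=60)
    fired = []
    for t in (0.0, 10.0, 20.0):
        hit = sensor.observe("sess-a", SAMPLE_INLINE, t)
        if hit:
            fired.append(hit)
    return fired


if __name__ == "__main__":
    print(demo())
```

`observe` is the only call the report endpoint needs to make; whatever it returns is handed to the AppSensor response policy alongside the other sensor inputs (web server, WAF, XML firewall) mentioned in the thread.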

