[Owasp-appsensor-project] AppSensor- a few ideas

Michael Coates michael.coates at owasp.org
Fri Sep 18 10:30:31 EDT 2009


Thanks for your ideas. Sorry for the slow reply, I have been out of the
country and am now catching up on emails.


1. Detecting if users are coming from a blacklisted IP. For this, HTTP BL can be
queried. http://www.projecthoneypot.org/httpbl.php
2. Detecting if users are coming from Tor. If yes, more restrictive controls
can be activated, as there are more chances that users could be defecting.

I think this is a good idea. I would adopt such a strategy when the
AppSensor has a second mode for "suspicious" users.  I think it would be
great to be able to classify a user as suspicious based on actions which may
not be clearly malicious, but still odd, or because they are originating
from a suspicious IP or TOR as you mentioned.  The idea of adding more
restrictive controls or monitoring is good.


3. Also, in SE5 (Source IP Address Changes During Session), it is mentioned
that *"it may be safe to flag events if the IP address changes to one which
is located in a different country than the previous request."* I think it
will be more useful (and precise) to block session duplication from requests
coming in from a different ASN
<http://www.apnic.net/services/services-apnic-provides/helpdesk/faqs/asn-faqs>.


I agree. I will add this to the next version.

4. It will also be useful if user input is automatically checked against the
Google Safe Browsing (GSB) DB. Many times, malicious users host their
payload on different networks and provide links to them on portals (social
networking sites, blog comments, etc.). There is a good chance that the payload
could be detected by GSB, and hence it makes sense that if a user is
submitting some data (usually through HTTP forms), we just scan the data for links
and then look up each link in the GSB DB.

This is a cool idea. So if I understand correctly, any time user data is
accepted then AppSensor would scan that data for URLs. If any URLs are
found, AppSensor would consult GSB before allowing the data to pass. If GSB
says it's a dangerous link then this would be an exception. Am I
understanding correctly? If so, I think that is a great idea.


Thanks for your suggestions. Please keep them coming!

Michael Coates
OWASP Global Membership Committee
AppSensor Project Lead


On Tue, Sep 8, 2009 at 6:49 PM, Gaurav Kumar <gk at pivotalsecurity.com> wrote:

> Hi Michael!
> First of all, congratulations on creating AppSensor. Someday, it will be a
> standard used by all WAFs :)
>
> I was wondering if the additions/updates below would help AppSensor:
>
> 1. Detecting if users are coming from a blacklisted IP. For this, HTTP BL can
> be queried. http://www.projecthoneypot.org/httpbl.php
>
> 2. Detecting if users are coming from Tor. If yes, more restrictive
> controls can be activated, as there are more chances that users could be
> defecting.
>
> 3. Also, in SE5 (Source IP Address Changes During Session), it is mentioned
> that *"it may be safe to flag events if the IP address changes to one
> which is located in a different country than the previous request."* I think
> it will be more useful (and precise) to block session duplication from
> requests coming in from a different ASN
> <http://www.apnic.net/services/services-apnic-provides/helpdesk/faqs/asn-faqs>.
>
> 4. It will also be useful if user input is automatically checked against the
> Google Safe Browsing (GSB) DB. Many times, malicious users host their
> payload on different networks and provide links to them on portals (social
> networking sites, blog comments, etc.). There is a good chance that the payload
> could be detected by GSB, and hence it makes sense that if a user is
> submitting some data (usually through HTTP forms), we just scan the data for links
> and then look up each link in the GSB DB.
>
> Let me know your thoughts on above.
>
> Cheers,
> GK
>
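The four detection points discussed in this thread (HTTP BL reputation, Tor exit detection, the ASN-based variant of SE5, and scanning submitted data for links before accepting it), as an added example that is not AppSensor's code and was not posted by either participant. It runs offline: the DNS resolver, the ASN prefix table, the Tor exit list and the link blocklist (a stand-in for a Google Safe Browsing lookup) are all constructed sample data, the HTTP BL query and answer format is my reading of the Project Honey Pot documentation rather than anything stated on this page, and the threat-score threshold and the event-to-action policy are assumptions.

```python
"""AppSensor-style detection points over constructed data (example code,
not the AppSensor project's own implementation)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# --- 1. Project Honey Pot HTTP BL ----------------------------------------
# Assumed query/answer format: <access_key>.<reversed IPv4>.dnsbl.httpbl.org
# answers 127.<days since last activity>.<threat score 0-255>.<type bits>
# for a listed IP (type bits: 1 suspicious, 2 harvester, 4 comment spammer;
# 0 alone marks a known search engine). Unlisted IPs resolve to nothing.
HTTPBL_ZONE = "dnsbl.httpbl.org"


def httpbl_query_name(ip: str, access_key: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("HTTP BL covers IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"


def parse_httpbl_answer(answer: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (threat_score, type_bits) for a listed IP, None otherwise."""
    if answer is None:
        return None
    parts = answer.split(".")
    if len(parts) != 4 or parts[0] != "127":
        return None
    return int(parts[2]), int(parts[3])


# --- 3. SE5 variant: map the source IP to an ASN -------------------------
ASN_TABLE = {  # constructed sample table using documentation prefixes
    "203.0.113.0/24": 64496,
    "198.51.100.0/24": 64497,
    "192.0.2.0/24": 64498,
}


def lookup_asn(ip: str) -> Optional[int]:
    addr = ipaddress.ip_address(ip)
    for prefix, asn in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None


# --- 4. Links inside submitted data --------------------------------------
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    # Trailing punctuation is usually sentence syntax, not part of the link.
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def url_host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


@dataclass
class Session:
    user: str
    last_asn: Optional[int] = None
    events: List[str] = field(default_factory=list)


def decide(events: List[str]) -> str:
    """Assumed policy: ASN change ends the session, a bad link rejects the
    input, reputation hits switch the user to a restricted (suspicious) mode."""
    if "SE5_ASN_CHANGE" in events:
        return "terminate_session"
    if "MALICIOUS_URL" in events:
        return "reject_input"
    if "IP_BLACKLISTED" in events or "TOR_EXIT" in events:
        return "restrict"
    return "allow"


def inspect_request(session: Session, ip: str, body: str,
                    resolver: Callable[[str], Optional[str]],
                    tor_exits: Set[str], link_blocklist: Set[str],
                    access_key: str = "examplekey", min_threat: int = 10):
    """Run all detection points on one request; returns (events, action)."""
    events: List[str] = []
    listing = parse_httpbl_answer(resolver(httpbl_query_name(ip, access_key)))
    if listing is not None:
        score, type_bits = listing
        if type_bits and score >= min_threat:  # ignore plain search engines
            events.append("IP_BLACKLISTED")
    if ip in tor_exits:
        events.append("TOR_EXIT")
    asn = lookup_asn(ip)
    if session.last_asn is not None and asn != session.last_asn:
        events.append("SE5_ASN_CHANGE")
    session.last_asn = asn
    if any(url_host(u) in link_blocklist for u in extract_urls(body)):
        events.append("MALICIOUS_URL")
    session.events.extend(events)
    return events, decide(events)


# Constructed sample data standing in for DNS, the Tor exit list and GSB.
SAMPLE_DNS = {httpbl_query_name("198.51.100.7", "examplekey"): "127.3.45.4"}
SAMPLE_TOR_EXITS = {"192.0.2.9"}
SAMPLE_LINK_BLOCKLIST = {"malware.example"}


def sample_resolver(qname: str) -> Optional[str]:
    return SAMPLE_DNS.get(qname)


def demo() -> List[Tuple[List[str], str]]:
    """One user's session: clean request, then a bad link, then a new ASN."""
    s = Session("alice")
    args = (sample_resolver, SAMPLE_TOR_EXITS, SAMPLE_LINK_BLOCKLIST)
    return [
        inspect_request(s, "203.0.113.5", "hello world", *args),
        inspect_request(s, "203.0.113.6", "see http://malware.example/p.exe.", *args),
        inspect_request(s, "198.51.100.7", "check this", *args),
    ]


if __name__ == "__main__":
    for events, action in demo():
        print(events, "->", action)
```

The ASN comparison is stricter than the country comparison in SE5 but still not free of false positives: mobile users move between carrier and Wi-Fi networks, and users behind large NATs can shift prefixes mid-session, so `terminate_session` is a policy knob to tune per application rather than a fixed answer. Likewise, a real deployment would rate-limit and cache the reputation lookups rather than issue one DNS query per request.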