[Owasp-appsensor-project] Response Actions

Colin Watson colin.watson at owasp.org
Fri Aug 27 05:50:16 EDT 2010


Hi

I saw mention of a proposed authentication security mechanism on the
WebSecurity mailing list:

  http://www.webappsec.org/lists/websecurity/archive/2010-08/msg00036.html

Checking out the details to see if the proposed list of Response
Actions includes everything:

1) Varying the limit on number of authentication failures before
lock-out sounds like:

    ASR-D  User Status Change
    ASR-K  Account Lockout

2) Adding a CAPTCHA and/or inserting a time delay (at random or of
random content/delay?) sound like:

    ASR-H  Function Amended
    ASR-F  Timing Change

On the issue of "can be abused by a bad guy to lock most or all of the
users by writing a script with all the possible
permutations and combinations for a username... resulting in a denial
of service", this might be detected by AppSensor's User and System Trend
Exceptions, with an action targeted at a user (unauthenticated
session), some users (IP block) or all users.

Colin
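An added illustration of the last point (example code written for this archive page, not part of Colin's post or of the AppSensor project): a sliding-window detector over constructed login-failure events that scopes the response to one account (ASR-K), one source IP, or all users (ASR-H CAPTCHA). The thresholds, the `TrendDetector` name and the choice to challenge rather than lock an account while a system-wide trend exception is active are assumptions made here.

```python
from dataclasses import dataclass, field

# Thresholds are constructed for this example; a real deployment tunes them.
USER_FAIL_LIMIT = 5          # failures on one account in the window
IP_DISTINCT_USER_LIMIT = 10  # distinct accounts failing from one source IP
SYSTEM_FAIL_LIMIT = 40       # failures across all accounts in the window
WINDOW_SECONDS = 300


@dataclass
class TrendDetector:
    """Tracks login failures and maps trend exceptions to a response scope."""
    events: list = field(default_factory=list)  # (timestamp, username, ip)

    def record_failure(self, ts, user, ip):
        self.events.append((ts, user, ip))
        # Keep only failures inside the sliding window.
        self.events = [e for e in self.events if ts - e[0] <= WINDOW_SECONDS]
        recent = self.events
        system_fails = len(recent)
        user_fails = sum(1 for _, u, _ in recent if u == user)
        users_from_ip = {u for _, u, i in recent if i == ip}
        responses = []

        if system_fails >= SYSTEM_FAIL_LIMIT:
            # System Trend Exception: all users get a CAPTCHA (ASR-H).
            responses.append(("system", "ASR-H captcha", "*"))
        if len(users_from_ip) >= IP_DISTINCT_USER_LIMIT:
            # One source spraying many accounts: block that IP ("some users").
            responses.append(("ip", "block", ip))
        if user_fails >= USER_FAIL_LIMIT:
            if system_fails >= SYSTEM_FAIL_LIMIT:
                # Assumption: during a system-wide exception, do not hand the
                # script the lockout it wants; challenge the account instead.
                responses.append(("user", "ASR-H captcha", user))
            else:
                # User Trend Exception on a single account: ASR-K lockout.
                responses.append(("user", "ASR-K lockout", user))
        return responses


def simulate_spray(attacker_ip="198.51.100.7", accounts=60):
    """Constructed scenario: one IP fails once against many usernames."""
    det = TrendDetector()
    last = []
    for n in range(accounts):
        last = det.record_failure(ts=n, user=f"user{n:03d}", ip=attacker_ip)
    return det, last
```

Because each username fails only once in the spray, no per-account lockout fires; the response lands on the source IP and, once the volume is high enough, on all users.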

