[Owasp-appsensor-project] Response Actions

John Melton jtmelton at gmail.com
Fri Aug 27 09:51:03 EDT 2010


Agreed.  These types of issues seem to already be covered by appsensor.  I
think the core problem he's trying to solve (an attacker locking all users)
is certainly already covered by appsensor well through the trend monitoring
coverage.  The other features (varying # of lockout attempts individually)
are not particularly useful against a script based attack once the attacker
figures out the max # of lockouts is 7 or 5 or whatever it is.  I think
trend monitoring is a much better protection mechanism since it can look at
trends of a single user and / or the entire system.

John

On Fri, Aug 27, 2010 at 5:50 AM, Colin Watson <colin.watson at owasp.org> wrote:

> Hi
>
> I saw mention of a proposed authentication security mechanism on the
> WebSecurity mailing list:
>
>  http://www.webappsec.org/lists/websecurity/archive/2010-08/msg00036.html
>
> Checking out the details to see if the proposed list of Response
> Actions includes everything:
>
> 1) Varying the limit on number of authentication failures before
> lock-out sounds like:
>
>     ASR-D  User Status Change
>     ASR-K  Account Lockout
>
> 2) Adding a CAPTCHA and/or inserting a time delay (at random or of
> random content/delay?) sound like:
>
>    ASR-H  Function Amended
>    ASR-F  Timing Change
>
> On the issue of "can be abused by a bad guy to lock most or all of the
> users by writing a script with all the possible
> permutations and combinations for a username... resulting in a denial
> of service", might be detected by AppSensor's User and System Trend
> Exceptions, with an action targeted at a user (unauthenticated
> session), some users (IP block) or all users.
>
> Colin
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
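The contrast John draws above (per-account lockout alone versus lockout plus user and system trend monitoring) can be shown on a small event stream. The following is an added illustration, not code from AppSensor or from either poster; the thresholds, the Event format, the constructed login attempts and the rule that an attempt made while CAPTCHA mode is on, without a solved CAPTCHA, never reaches the password check are all assumptions of this example. The response labels reuse the ASR ids quoted in the thread.

```python
# Toy AppSensor-style trend monitor (added illustration, not AppSensor code).
# Compares per-account lockout alone (ASR-K) with lockout plus two trend
# exceptions on the same constructed event stream:
#   * source trend: one source failing against several distinct accounts
#     -> block the source (the "IP block" response mentioned in the thread)
#   * system trend: too many failures across all accounts in a window
#     -> amend the login function to require a CAPTCHA (ASR-H) instead of
#        letting more accounts lock
# Thresholds, the Event format and the rule that a CAPTCHA-mode attempt without
# a solved CAPTCHA never reaches the password check are assumptions here.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    t: float            # seconds since start of the constructed stream
    username: str
    source_ip: str
    success: bool = False
    solved_captcha: bool = False


@dataclass
class Policy:
    lockout_after: int = 5            # ASR-K threshold per account
    window: float = 60.0              # seconds covered by the trend rules
    distinct_users_per_src: int = 3   # source trend threshold
    system_failures: int = 20         # system trend threshold
    trend_monitoring: bool = True


@dataclass
class State:
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_users: set = field(default_factory=set)
    blocked_sources: set = field(default_factory=set)
    captcha_required: bool = False
    per_source: dict = field(default_factory=lambda: defaultdict(deque))  # ip -> (t, user)
    system: deque = field(default_factory=deque)                           # (t, user)
    responses: list = field(default_factory=list)


def _trim(dq, now, window):
    """Drop (t, user) entries that fell out of the sliding window."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def process(events, policy):
    """Run the event stream through the policy and return the resulting State."""
    st = State()
    for ev in events:
        if ev.source_ip in st.blocked_sources:
            st.responses.append(("DROP", ev.source_ip))
            continue
        if ev.success:
            st.failures[ev.username] = 0
            continue
        if policy.trend_monitoring:
            # source trend: distinct accounts failing from this address in the window
            dq = st.per_source[ev.source_ip]
            dq.append((ev.t, ev.username))
            _trim(dq, ev.t, policy.window)
            if len({u for _, u in dq}) >= policy.distinct_users_per_src:
                st.blocked_sources.add(ev.source_ip)
                st.responses.append(("IP-BLOCK", ev.source_ip))
            # system trend: total failures across all accounts in the window
            st.system.append((ev.t, ev.username))
            _trim(st.system, ev.t, policy.window)
            if len(st.system) >= policy.system_failures and not st.captcha_required:
                st.captcha_required = True
                st.responses.append(("ASR-H", "captcha required"))
        if st.captcha_required and not ev.solved_captcha:
            st.responses.append(("CAPTCHA-REJECT", ev.username))
            continue
        # plain per-account lockout, the only control in the original proposal
        st.failures[ev.username] += 1
        if st.failures[ev.username] >= policy.lockout_after and ev.username not in st.locked_users:
            st.locked_users.add(ev.username)
            st.responses.append(("ASR-K", ev.username))
    return st


USERS = [f"u{i}" for i in range(10)]


def single_source_script():
    """Constructed: one host tries 5 passwords against each of 10 accounts."""
    k = 0
    for user in USERS:
        for _ in range(5):
            yield Event(t=0.1 * k, username=user, source_ip="198.51.100.7")
            k += 1


def distributed_script():
    """Constructed: the same 50 attempts, each from a different address."""
    k = 0
    for user in USERS:
        for _ in range(5):
            yield Event(t=0.1 * k, username=user, source_ip=f"203.0.113.{k + 1}")
            k += 1


if __name__ == "__main__":
    for name, script in (("single source", single_source_script),
                         ("distributed", distributed_script)):
        for trend in (False, True):
            st = process(script(), Policy(trend_monitoring=trend))
            print(f"{name:14s} trend={trend!s:5s} locked={len(st.locked_users):2d} "
                  f"blocked_ips={len(st.blocked_sources)} captcha={st.captcha_required}")
```

With lockout alone, both scripts lock all ten accounts regardless of whether the threshold is 5 or 7. With the trend rules, the single-source script is cut off after two accounts because the source is blocked, and the distributed script trips the system-wide rule so that the login function switches to CAPTCHA mode after three accounts instead of continuing to lock the rest.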