[Owasp-appsensor-project] Response Actions
John Melton
jtmelton at gmail.com
Fri Aug 27 09:51:03 EDT 2010
Agreed. These types of issues seem to already be covered by appsensor. I
think the core problem he's trying to solve (an attacker locking all users)
is certainly already covered by appsensor well through the trend monitoring
coverage. The other features (varying # of lockout attempts individually)
are not particularly useful against a script-based attack once the attacker
figures out the max # of lockouts is 7 or 5 or whatever it is. I think
trend monitoring is a much better protection mechanism since it can look at
trends of a single user and / or the entire system.
John
On Fri, Aug 27, 2010 at 5:50 AM, Colin Watson <colin.watson at owasp.org> wrote:
> Hi
>
> I saw mention of a proposed authentication security mechanism on the
> WebSecurity mailing list:
>
> http://www.webappsec.org/lists/websecurity/archive/2010-08/msg00036.html
>
> Checking out the details to see if the proposed list of Response
> Actions includes everything:
>
> 1) Varying the limit on number of authentication failures before
> lock-out sounds like:
>
> ASR-D User Status Change
> ASR-K Account Lockout
>
> 2) Adding a CAPTCHA and/or inserting a time delay (at random or of
> random content/delay?) sound like:
>
> ASR-H Function Amended
> ASR-F Timing Change
>
> On the issue of "can be abused by a bad guy to lock most or all of the
> users by writing a script with all the possible
> permutations and combinations for a username... resulting in a denial
> of service", this might be detected by AppSensor's User and System Trend
> Exceptions, with an action targeted at a user (unauthenticated
> session), some users (IP block) or all users.
>
> Colin
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
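To make the distinction in this thread concrete, here is an added example (not code from the AppSensor project or from either author) contrasting a plain per-user lockout counter with a trend monitor that also watches per-source and system-wide failure patterns. The AppSensor response labels used (ASR-K, ASR-H, ASR-F, IP block) are the ones named in the thread; the thresholds, the sliding-window size and the event data are assumptions constructed for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthFailure:
    ts: float   # seconds (constructed timestamps)
    user: str
    ip: str


def naive_lockouts(events, limit=5):
    """Fixed per-user lockout: every account that accumulates `limit`
    failures is locked, regardless of where the failures come from."""
    counts = defaultdict(int)
    locked = set()
    for ev in events:
        counts[ev.user] += 1
        if counts[ev.user] >= limit:
            locked.add(ev.user)
    return locked


class TrendMonitor:
    """Sliding-window trend monitor (assumed thresholds).

    - one source spreading failures across many distinct accounts -> IP block
      (the 'lock everyone' script is stopped before accounts are locked)
    - system-wide surge of failures -> ASR-H/ASR-F (CAPTCHA + delay for all
      logins) instead of mass account lockout
    - a single account failing repeatedly from a normal source -> ASR-K lockout
    """

    def __init__(self, window=60.0, user_limit=5, ip_distinct_users=4, system_surge=30):
        self.window = window
        self.user_limit = user_limit
        self.ip_distinct_users = ip_distinct_users
        self.system_surge = system_surge
        self.per_user = defaultdict(deque)   # user -> [ts, ...]
        self.per_ip = defaultdict(deque)     # ip -> [(ts, user), ...]
        self.system = deque()                # [ts, ...] across all users
        self.blocked_ips = set()
        self.locked_users = set()

    def _expire(self, dq, now, key=lambda x: x):
        # drop entries that fell out of the sliding window
        while dq and key(dq[0]) < now - self.window:
            dq.popleft()

    def record(self, ev):
        """Record one failure and return the list of response actions."""
        if ev.ip in self.blocked_ips:
            return ["DROP (source already blocked)"]
        responses = []
        self._expire(self.system, ev.ts)
        self.system.append(ev.ts)
        ipq = self.per_ip[ev.ip]
        self._expire(ipq, ev.ts, key=lambda x: x[0])
        ipq.append((ev.ts, ev.user))
        uq = self.per_user[ev.user]
        self._expire(uq, ev.ts)
        uq.append(ev.ts)

        # System trend exception: harden globally rather than lock accounts.
        if len(self.system) >= self.system_surge:
            responses.append("ASR-H/ASR-F: CAPTCHA + delay for all logins (system trend)")
        # Source trend: one IP touching many accounts is blocked as a source.
        distinct_users = {u for _, u in ipq}
        if len(distinct_users) >= self.ip_distinct_users:
            self.blocked_ips.add(ev.ip)
            responses.append(f"IP block {ev.ip} ({len(distinct_users)} accounts targeted)")
        # Classic per-user lockout, only for sources that were not just blocked.
        elif len(uq) >= self.user_limit and ev.user not in self.locked_users:
            self.locked_users.add(ev.user)
            responses.append(f"ASR-K account lockout {ev.user}")
        return responses


def build_events():
    """Constructed sample: a lockout script, one clumsy real user, then a
    distributed burst from many addresses."""
    users = [f"user{i:02d}" for i in range(12)]
    events, t = [], 0.0
    for _ in range(5):                      # one script cycles every account 5 times
        for u in users:
            events.append(AuthFailure(t, u, "203.0.113.5")); t += 1.0
    for _ in range(5):                      # one real user mistypes 5 times
        events.append(AuthFailure(t, "user07", "198.51.100.7")); t += 1.0
    t = 200.0
    for i in range(40):                     # 40 addresses, 40 accounts, one failure each
        events.append(AuthFailure(t, f"dist{i:02d}", f"192.0.2.{i}")); t += 1.0
    return events


def run_trend(events):
    """Feed events through the monitor; return it and the count of
    system-wide hardening responses it issued."""
    m = TrendMonitor()
    hardenings = 0
    for ev in events:
        hardenings += sum(r.startswith("ASR-H/ASR-F") for r in m.record(ev))
    return m, hardenings


if __name__ == "__main__":
    evs = build_events()
    print("naive lockouts:", sorted(naive_lockouts(evs)))
    mon, hard = run_trend(evs)
    print("trend: blocked", mon.blocked_ips, "locked", mon.locked_users, "hardenings", hard)
```

With the fixed counter, the script locks all twelve accounts (the denial of service Colin quotes). The trend monitor blocks the source after it has touched four accounts, so none of them is locked; the genuine user07 still gets ASR-K after five of their own failures; and the distributed burst, which never trips a per-user or per-IP rule, is met with CAPTCHA and timing responses for everyone rather than lockouts.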