[Owasp-appsensor-project] Change to Detection Points - ACE3 Force Browsing Attempts

Colin Watson colin.watson at owasp.org
Wed Jun 9 10:34:53 EDT 2010


Suggestion to CHANGE an existing detection point.  Has this already
been ruled out?  Should it be changed?

Source
-----------------------------------
Just another idea

Description
-----------------------------------
Requests for non-existent resources should include all content types,
not just pages.  It is also useful to record this for unauthenticated
users where the data may still be identified with a session or IP
address.

1. Leave name unchanged (i.e. keep as "Force Browsing Attempts")

2. Change description to "Authenticated or unauthenticated user sends
a request for a non-existent resource (e.g. page, directory listing,
image, file, etc), or a resource that is not authorized for that user"


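The proposal above boils down to one detection rule: count requests for non-existent (404) or unauthorized (401/403) resources of any content type, keyed by session when the user is authenticated and by source IP otherwise, and raise an ACE3 event once a threshold is reached. The following is an added illustration of that rule run over constructed access-log lines; it is not code from the AppSensor project or from Colin Watson's message. The log format (combined format with a trailing cookie field), the cookie name `session=`, and the threshold of 3 are assumptions chosen for the example.

```python
"""Added example: a minimal ACE3 "Force Browsing Attempts" detector run over
constructed access-log lines.  Not part of the AppSensor project or of the
original mailing-list post.  Log format, the `session=` cookie name and the
threshold of 3 are assumptions made for this illustration."""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): combined log format plus a
# trailing cookie field.  One authenticated client (session cookie) probing
# a directory, an archive and an image, one unauthenticated scanner, and one
# ordinary visitor whose browser asks for a missing favicon.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2010:10:30:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla" "session=abc123"
10.0.0.5 - - [09/Jun/2010:10:30:02 -0400] "GET /admin/ HTTP/1.1" 403 301 "-" "Mozilla" "session=abc123"
10.0.0.5 - - [09/Jun/2010:10:30:03 -0400] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla" "session=abc123"
10.0.0.5 - - [09/Jun/2010:10:30:04 -0400] "GET /images/logo_old.png HTTP/1.1" 404 210 "-" "Mozilla" "session=abc123"
10.0.0.7 - - [09/Jun/2010:10:30:05 -0400] "GET /robots.txt HTTP/1.1" 200 60 "-" "curl" "-"
10.0.0.7 - - [09/Jun/2010:10:30:06 -0400] "GET /.git/config HTTP/1.1" 404 210 "-" "curl" "-"
10.0.0.7 - - [09/Jun/2010:10:30:07 -0400] "GET /wp-admin/ HTTP/1.1" 404 210 "-" "curl" "-"
10.0.0.7 - - [09/Jun/2010:10:30:08 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "curl" "-"
10.0.0.9 - - [09/Jun/2010:10:30:09 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla" "-"
10.0.0.9 - - [09/Jun/2010:10:30:10 -0400] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla" "-"
"""

# Combined log format with an extra quoted cookie field at the end (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
SESSION_RE = re.compile(r'(?:^|;\s*)session=([A-Za-z0-9]+)')

# The two conditions in the proposed ACE3 description: the resource does not
# exist (404) or is not authorized for this user (401/403).  The path is not
# filtered by extension, so pages, directories, images and files all count.
SUSPICIOUS_STATUSES = {401, 403, 404}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def actor_key(rec):
    """Identify the actor: session id when one is present, else source IP.

    Unauthenticated clients are therefore still tracked, as the proposal
    asks, with the usual caveat that an IP may be shared (NAT, proxies)."""
    m = SESSION_RE.search(rec["cookie"])
    if m:
        return "session:" + m.group(1)
    return "ip:" + rec["ip"]


def detect_force_browsing(log_text, threshold=3):
    """Return one ACE3 event per actor with >= threshold suspicious requests.

    A threshold above 1 matters: a single 404 for /favicon.ico is normal
    browser behaviour, not an attack."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in SUSPICIOUS_STATUSES:
            continue
        hits[actor_key(rec)].append((rec["status"], rec["path"]))
    events = []
    for actor, requests in hits.items():
        if len(requests) >= threshold:
            events.append({"detection_point": "ACE3",
                           "actor": actor,
                           "requests": requests})
    return events


if __name__ == "__main__":
    for event in detect_force_browsing(SAMPLE_LOG):
        print(event["detection_point"], event["actor"],
              [f"{s} {p}" for s, p in event["requests"]])
```

Run against the sample, the authenticated session `abc123` (one 403 on a directory, two 404s on an archive and an image) and the unauthenticated scanner at 10.0.0.7 (three 404s) each produce an event, while the visitor at 10.0.0.9 with a single missing favicon does not. In a real deployment the per-actor counters would also need a time window and an eviction policy, which this example omits.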