[Owasp-appsensor-project] Additional Detection Points - Detect Client Information

Ryan Barnett rcbarnett at gmail.com
Fri Jun 11 17:07:44 EDT 2010


Also related to the previous email that I just sent about Fraud Detection/Session 
Hijacking and what is presented here: I think that this concept could also be used as a 
detection point by sending JavaScript that will do browser fingerprinting and send back a 
HASH for tracking (think a CSRF token, but where the hash is based on some browser data).  

Check out the JavaScript Browser Fingerprinting demo - 
http://www.businessinfo.co.uk/labs/probe/probe.php

This seems to be perhaps another (better?) solution for identifying session hijacking 
without having to rely upon IP address.

--
Ryan C. Barnett
WASC Web Hacking Incident Database Project Leader
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com
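As an added illustration of the server side of the idea above (this is example code written for this page, not something from the thread or the AppSensor project): the client-side probe, like the linked demo, is assumed to report a set of browser attributes, and the server hashes them, binds the hash to the session at login, and raises a detection event when a later report no longer matches. The class name `SessionMonitor`, the event id `RP6_FINGERPRINT_MISMATCH`, the attribute sets and the threshold value are all constructed for the example.

```python
import hashlib
import hmac
import json

# Detection-point sketch: bind a session to the hash of browser attributes
# reported by a client-side probe, and flag requests whose freshly reported
# hash no longer matches the one recorded at login. The names below
# (SessionMonitor, RP6_FINGERPRINT_MISMATCH) are hypothetical.

RP6_FINGERPRINT_MISMATCH = "RP6"  # hypothetical AppSensor event id


def fingerprint_hash(attributes):
    """Hash the attribute dict a client-side script would report.

    Canonical JSON (sorted keys, no whitespace) makes the hash independent of
    the order in which the browser script enumerated the attributes.
    """
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class SessionMonitor:
    """Tracks one fingerprint hash per session and counts mismatches."""

    def __init__(self, threshold=2):
        self.threshold = threshold  # mismatches before a response action fires
        self.sessions = {}          # session_id -> {"hash": str, "mismatches": int}
        self.events = []            # detection events for the AppSensor log

    def establish(self, session_id, attributes):
        """Record the fingerprint reported when the session is created."""
        self.sessions[session_id] = {"hash": fingerprint_hash(attributes),
                                     "mismatches": 0}

    def check(self, session_id, attributes):
        """Compare a later report against the bound hash; return the verdict."""
        record = self.sessions.get(session_id)
        if record is None:
            return "unknown-session"
        reported = fingerprint_hash(attributes)
        # Constant-time compare so timing does not leak how close the hash was.
        if hmac.compare_digest(reported, record["hash"]):
            return "ok"
        record["mismatches"] += 1
        self.events.append({
            "detection_point": RP6_FINGERPRINT_MISMATCH,
            "session": session_id,
            "mismatches": record["mismatches"],
        })
        # A browser upgrade or plugin change also alters the fingerprint, so a
        # single mismatch is a signal, not proof; escalate only at the threshold.
        if record["mismatches"] >= self.threshold:
            return "suspect-hijack"
        return "mismatch"


# Constructed sample attribute sets standing in for what the probe reports.
LEGIT_CLIENT = {"userAgent": "ExampleBrowser/1.0", "screen": "1280x800",
                "timezone": "-300", "plugins": ["pdf", "flash"]}
OTHER_CLIENT = {"userAgent": "OtherBrowser/3.2", "screen": "1920x1080",
                "timezone": "+60", "plugins": []}


def demo():
    """Walk one session through a legitimate request and two foreign ones."""
    monitor = SessionMonitor(threshold=2)
    monitor.establish("sess-42", LEGIT_CLIENT)
    reordered = dict(reversed(list(LEGIT_CLIENT.items())))
    verdicts = [
        monitor.check("sess-42", LEGIT_CLIENT),  # same browser: ok
        monitor.check("sess-42", reordered),     # same data, other key order: ok
        monitor.check("sess-42", OTHER_CLIENT),  # first mismatch: logged only
        monitor.check("sess-42", OTHER_CLIENT),  # threshold reached
        monitor.check("sess-99", OTHER_CLIENT),  # no binding on record
    ]
    return verdicts, monitor.events


if __name__ == "__main__":
    results, logged = demo()
    print(results)
    print(logged)
```

The threshold is the point that makes this a detection point rather than a hard control: fingerprints drift legitimately, so the mismatch feeds the AppSensor counter and the response action (re-authentication, logout) is chosen separately, as the thread below discusses.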

On Friday 11 June 2010 04:36:19 Colin Watson wrote:
> Michael and John
> 
> I agree - not a new detector then.  I'll make some scribblings about
> alternative response actions.
> 
> Colin
> 
> On 11 June 2010 00:13, Michael Coates <michael.coates at owasp.org> wrote:
> > Agreed. This is a response action not a detection point. (But it is a
> > good idea for a response action)
> > 
> > Michael Coates
> > OWASP
> > 
> > On 6/9/10 7:18 PM, John Melton wrote:
> > 
> > I'm against this as a detection point.  It actually sounds like a
> > response action in our lingo.  This is about what do *I* do if I've
> > decided that the user has passed my threshold, not what did the *user*
> > do to pass my threshold.  Don't think this fits the detection point
> > category.
> > 
> > On Wed, Jun 9, 2010 at 10:34 AM, Colin Watson <colin.watson at owasp.org>
> > 
> > wrote:
> >> Suggestion to add a new detection point.  Has this already been ruled
> >> out?  Should it be added?  Is the description/categorization suitable?
> >> 
> >> Source
> >> -----------------------------------
> >> Just another idea - this one could be the most controversial since it
> >> might be seen as an active attack on the user.  The idea is
> >> information gathering rather than electronic counter measures.  After
> >> all, logging a user out also affects them.
> >> 
> >> Description
> >> -----------------------------------
> >> At a certain threshold, deploy additional sensor(s) onto the client
> >> such as a Java applet to return the client's IP address, JavaScript
> >> to collect additional data about the user's environment (e.g.
> >> Panopticlick http://panopticlick.eff.org/), or JavaScript to detect
> >> local network information.  These actions must be consistent with the
> >> application's terms of use, privacy notice and organizational
> >> mandates.
> >> 
> >> Suggested categorization
> >> -----------------------------------
> >> In the suggested new category "Reputation" (see RP1 Suspicious User IP
> >> Address)
> >> RP6 Detect Client Information
> >> 
> >> *** This may instead be an AppSensor response action, even though it
> >> is deploying a new sensor? ***
> >> _______________________________________________
> >> Owasp-appsensor-project mailing list
> >> Owasp-appsensor-project at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project