[Owasp-appsensor-project] New Unexpected Type/Quantity Detection Points
Colin Watson
colin.watson at owasp.org
Fri Jan 28 08:03:58 EST 2011
Added:
http://www.owasp.org/index.php/AppSensor_DetectionPoints#RE7:_Unexpected_Quantity_of_Characters_in_Parameter
http://www.owasp.org/index.php/AppSensor_DetectionPoints#RE8:_Unexpected_Type_of_Characters_in_Parameter
http://www.owasp.org/index.php/OWASP_AppSensor_Project#tab=Detection_Points
Colin
On 2 November 2010 07:39, Colin Watson <colin.watson at owasp.org> wrote:
> Ryan
>
> I think these are worth adding. They are more general cases of the
> AuthenticationException ones. It is good to have both since
> thresholds and responses may be different.
>
> I have a chart of relationships between detection points in my
> presentation next week at AppSec DC 2010. RE7 and RE8 won't be on it
> though!
>
> Colin
>
> On 1 November 2010 18:47, Ryan Barnett <rcbarnett at gmail.com> wrote:
>> I suggest that we add a new Detection Point in the RequestException category
>> similar to the following AuthenticationException ones -
>>
>> 2.2.4 AE4: Unexpected Quantity of Characters in Username
>> <http://www.owasp.org/index.php/AppSensor_DetectionPoints#AE4:_Unexpected_Quantity_of_Characters_in_Username>
>> 2.2.5 AE5: Unexpected Quantity of Characters in Password
>> <http://www.owasp.org/index.php/AppSensor_DetectionPoints#AE5:_Unexpected_Quantity_of_Characters_in_Password>
>> 2.2.6 AE6: Unexpected Type of Character in Username
>> <http://www.owasp.org/index.php/AppSensor_DetectionPoints#AE6:_Unexpected_Type_of_Character_in_Username>
>> 2.2.7 AE7: Unexpected Type of Character in Password
>> <http://www.owasp.org/index.php/AppSensor_DetectionPoints#AE7:_Unexpected_Type_of_Character_in_Password>
>>
>> Instead of only focusing in on username/password parameters, the detection
>> should be something like -
>>
>> 2.1.7 RE7: Unexpected Quantity of Characters in Parameter
>> 2.1.8 RE8: Unexpected Type of Characters in Parameter
>>
>> BTW – I am working on these types of application profiling/learning
>> detection points for additions to the ModSecurity CRS.
>>
>> -Ryan
>>
>
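An added example, not part of the original thread or the AppSensor code base: a sketch of how RE7 and RE8 generalise the AE4 to AE7 checks to any profiled parameter, with a separate threshold per detection point. The profiles, thresholds, parameter names and function names are assumptions made for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    min_len: int
    max_len: int
    charset: str      # regex class every character must match
    qty_point: str    # detection point for unexpected quantity
    type_point: str   # detection point for unexpected type

# Constructed profiles (assumed values, not from AppSensor).
PROFILES = {
    "username": Profile(3, 32, r"[A-Za-z0-9_.-]", "AE4", "AE6"),
    "password": Profile(8, 128, r"[\x20-\x7e]", "AE5", "AE7"),
    "page":     Profile(1, 4, r"[0-9]", "RE7", "RE8"),
    "q":        Profile(0, 100, r"[\w .-]", "RE7", "RE8"),
}
# Assumed per-point event counts that trigger a response.
THRESHOLDS = {"AE4": 1, "AE5": 1, "AE6": 1, "AE7": 1, "RE7": 3, "RE8": 2}

def check(params):
    """Return (detection_point, parameter) events for one request."""
    events = []
    for name, value in params.items():
        p = PROFILES.get(name)
        if p is None:          # unprofiled parameter: nothing to compare against
            continue
        if not p.min_len <= len(value) <= p.max_len:
            events.append((p.qty_point, name))
        if not re.fullmatch(f"(?:{p.charset})*", value):
            events.append((p.type_point, name))
    return events

def over_threshold(requests):
    """Detection points whose event count reached its threshold."""
    counts = Counter(pt for params in requests for pt, _ in check(params))
    return sorted(pt for pt, n in counts.items() if n >= THRESHOLDS[pt])

# Constructed requests from one user session.
SAMPLE = [
    {"username": "alice", "page": "2"},
    {"page": "12x"},
    {"page": "123456"},
    {"page": "7b", "q": "report 2010"},
    {"username": "a" * 40},
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req, check(req))
    print("respond to:", over_threshold(SAMPLE))
```
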