[Owasp-appsensor-project] New Detection Point Candidate: UT5: Inter-Request Latency Threshold Violation
colin.watson at owasp.org
Fri Sep 30 11:52:43 EDT 2011
Sorry I hadn't read this before I suggested the previous suggestion to be UT5!
I sort of feel this is just a great example of UT2, and could be
"example 5" there. What does everyone else think?
On 30 September 2011 16:39, Ryan Barnett <ryan.barnett at owasp.org> wrote:
> This detection point may be related to UT2 however it isn't specifically
> The concept is that normal/real users have an amount of delay between
> requesting dynamic resources as they need time to read the pages and fill in
> FORM elements, etc… So this detection point would be measuring the time
> interval between the application sending back a web page with form elements
> and when the application then receives a follow-up request with parameters.
> I have conducted some minimal testing with this concept and ModSecurity and
> have found that it also catches many CSRF attacks as it forces the user's
> browser to send an immediate request back to the server once the html page
> loads and the user's browser is tricked into executing the CSRF code. See
> the last section here
> - http://blog.spiderlabs.com/2011/01/detecting-malice-with-modsecurity-csrf-attacks.html
> Thoughts? Should this be a stand-alone detection point or perhaps listed as
> a subsection of UT2?
> Ryan Barnett
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
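As an added example (not code from the AppSensor project, from ModSecurity, or from either poster), the following Python script applies the inter-request latency measurement Ryan describes to a few constructed log lines: it records when a session was served a page containing a form and reports the next request from that session that carries parameters if it arrives sooner than a threshold. The log format, session identifiers, paths, timings and the 2-second threshold are all assumptions made for illustration.

```python
"""Inter-request latency check (UT5 candidate).

Added example; not AppSensor or ModSecurity code.  Measures the delay between
the application serving a page that contains a form and the next request from
the same session that carries parameters.  A delay below the threshold is
reported as a violation.  Log format, session ids, paths and timings below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List


@dataclass
class Request:
    ts: float          # seconds since the epoch
    session: str       # session cookie value (constructed)
    method: str
    path: str
    has_params: bool   # query string or form body was present
    served_form: bool  # response was an HTML page containing a <form>


@dataclass
class Violation:
    session: str
    form_path: str     # page that served the form
    request_path: str  # follow-up request carrying parameters
    latency: float     # seconds between the two


# Constructed log: "ISO-timestamp session METHOD path params=0|1 form=0|1"
# sess-A: a person reads the form for 47 s before submitting (normal).
# sess-B: submission arrives 310 ms after the form was served (scripted/CSRF-like).
# sess-C: parameterised POST with no form served in the session (not measured here).
# sess-D: page without a form followed by a parameterised GET (not measured).
SAMPLE_LOG = """\
2011-09-30T15:00:00.000Z sess-A GET  /account/edit params=0 form=1
2011-09-30T15:00:47.250Z sess-A POST /account/edit params=1 form=0
2011-09-30T15:01:00.000Z sess-B GET  /account/edit params=0 form=1
2011-09-30T15:01:00.310Z sess-B POST /account/edit params=1 form=0
2011-09-30T15:02:00.000Z sess-C POST /account/edit params=1 form=0
2011-09-30T15:03:00.000Z sess-D GET  /help         params=0 form=0
2011-09-30T15:03:00.100Z sess-D GET  /search       params=1 form=0
"""


def parse_log(text: str) -> Iterator[Request]:
    """Parse the constructed log format into Request records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, session, method, path, params, form = line.split()
        ts = (datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S.%fZ")
              .replace(tzinfo=timezone.utc)
              .timestamp())
        yield Request(ts, session, method, path,
                      params == "params=1", form == "form=1")


def detect_latency_violations(requests: Iterable[Request],
                              threshold_s: float = 2.0) -> List[Violation]:
    """Report each (form page, follow-up request with parameters) pair whose
    gap is under threshold_s.  Only the first parameterised request after a
    form page is attributed to that form; the form is then considered consumed.
    Requests are keyed on the session, not the client IP, so that shared
    proxies do not mix users together."""
    pending: Dict[str, Request] = {}   # session -> form page awaiting follow-up
    violations: List[Violation] = []
    for req in sorted(requests, key=lambda r: r.ts):
        form = pending.get(req.session)
        if form is not None and req.has_params:
            latency = req.ts - form.ts
            del pending[req.session]
            if latency < threshold_s:
                violations.append(Violation(req.session, form.path,
                                            req.path, round(latency, 3)))
        # A response that itself contains a form (including a re-rendered
        # form after a failed submit) starts a new measurement window.
        if req.served_form:
            pending[req.session] = req
    return violations


def run_sample(threshold_s: float = 2.0) -> List[Violation]:
    """Run the check over the constructed log and return the violations."""
    return detect_latency_violations(parse_log(SAMPLE_LOG), threshold_s)


if __name__ == "__main__":
    for v in run_sample():
        print(f"UT5 candidate: session={v.session} form={v.form_path} "
              f"request={v.request_path} latency={v.latency}s")
```

Only sess-B trips the check: the form was served and the parameterised POST came back 310 ms later. sess-C's POST arrives with no form having been served in that session, which this measurement cannot score at all; it is a different anomaly and would need its own detection point. Two caveats for anyone trying this for real: pages that legitimately auto-submit (JavaScript redirects, meta refresh, XHR that fires on load) will also land under the threshold, so the threshold should be set per form rather than globally and the event should feed AppSensor's threshold-based response rather than block outright; and the measurement must be tied to the session (or a per-form token), as here, because timing by client IP mixes users behind a shared proxy.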