[Owasp-appsensor-project] AppSensor Response Actions

John Melton jtmelton at gmail.com
Fri Sep 21 20:19:45 UTC 2012


Stephanie,
This is a great question, and probably one that will need to be
decided on a per-organization and even per-application basis.

However, by default, the current implementation evaluates the data on
a per-user basis without considering sessions, ie. the results are not
cleared out on logout/login. That means that either scenario you
presented would produce an intrusion in the current model.

You could certainly write a bit of code to clear out the results for
the user on logout if that's what you decide is appropriate for your
application. I would just consider that an attacker could use that to
his/her advantage by doing, say, 2 bad things, then logout/login, then
2 more bad things, etc. and never reach your thresholds.

Thanks,
John

On Fri, Sep 21, 2012 at 4:10 PM, Stephanie S
<security.stephanie at gmail.com> wrote:
> Hi,
>
> I'm thinking about implementing the concept of AppSensor in my project and
> am wondering about the thresholds for Response Actions.
>
> For example, if a user has had a number of input violation errors that are
> clearly related to attempts to circumvent the application, should the
> internal tracking of this activity be limited to the user's current session?
> Or persist session to session?
>
> For example, if the system has a threshold of 3 violations before logout and
> in the current session the user has had 3 violations, that would constitute
> a logout. But if the user in the current session had 2 violations, logged
> out, then logged back in, and had another violation, should the logout
> occur?
>
> Basically, I'm asking -- is there a recommended basis for interval that this
> occurs? By session or by a time period like 24 hours?
>
> Thanks,
> Stephanie
>
> _______________________________________________
> Owasp-appsensor-project mailing list
> Owasp-appsensor-project at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>


More information about the Owasp-appsensor-project mailing list