[Owasp-appsensor-project] how to detect if a detection point is created and some other questions

John Melton jtmelton at gmail.com
Mon Mar 11 00:27:45 UTC 2013


This concept doesn't really make sense to me, but I suppose it could work.
The important piece is having some way of ensuring the same "user" is
assigned to Bob every time. If it's all in one session, that's probably not
an issue, but on repeated visits, you'd need some method of correlation,
like the IP address I mentioned earlier or some other mechanism. The other
issue with using a random username is that you don't really know what that
represents. You should try to use something identifiable.

Thanks,
John


On Sun, Mar 10, 2013 at 6:58 PM, panos <panosx13 at gmail.com> wrote:

> Actually I want to block malicious users, who are trying for example
> bruteforcing the login.
>
> I thought of something and I would like to ask you to advise me.
>
> If in the login page when a user visits it, is it possible to create an
> Appsensor user without the user who visits the login page doing anything or
> knowing about it?
>
> For example if I visit a page a random username is picked up and an
> Appsensor user let's say bob is created.
>
> So the user that visits the login page is not anonymous but bob. So I
> think that Appsensor can disable the access?
>
> My question now: Do you think that a scenario like this can work and
> help me disabling access to anonymous?
>
>
> On 03/09/2013 03:53 AM, John Melton wrote:
>
>   Panos,
> Great questions.
>
>  There is no mechanism for checking if a detection point has been
> triggered. Depending on your needs, you could do it via the boolean setting
> you mentioned or possibly by wrapping the intrusion detector with your own
> custom class and attaching observers for notification if you wanted that
> feature. Note however that this only informs you that a detection point has
> been triggered. You'd have to determine the detection point by examining
> the "code", i.e. AE8. Also note this is not a GUID, i.e. multiple of these
> could be fired.
>
>  As for checking which was the last response action executed, you could do
> something like the following:
>
> APPSENSOR.intrusionStore().getIntrusionRecordForUser(yourUserHere).getLastResponseAction("AE8");
>
>  As for working with anonymous users, there's currently only support for
> logging really. You could augment the system to do certain things based on
> IP or other identifiers, but it would require you to extend our system.
> This is one of the challenges I'm trying to tackle in version 2 of the
> code, which I'm currently working on.
>
> Thanks,
> John
>
>
> On Fri, Mar 8, 2013 at 6:21 PM, panos <panosx13 at gmail.com> wrote:
>
>> Hello,
>>
>> I was wondering if there is a way to detect in my code if a detection
>> point is created.
>>
>> For example I have the code
>>
>> if ( checkIntrution() )
>> {
>>     new AppSensorException("AE8", "Providing Only the Username ",
>> "Provided Only the Username");
>> }
>>
>> and I want in my code to check if the AE8 has been created. Is there any
>> solution using only the Appsensor API?
>>
>> Alternatively I have thought of a way with a boolean variable
>>
>> for example
>>
>> boolean isCreated=false;
>> if ( checkIntrution() )
>> {
>>     new AppSensorException("AE8", "Providing Only the Username ",
>> "Provided Only the Username");
>>     isCreated=true;
>> }
>>
>> ....
>>
>> if( isCreated )
>> {
>> ....
>> }
>>
>>
>> Also I was wondering if there is a solution on detecting in which action
>> is a Detection Point
>>
>> for example let's say that in esapi.properties I have this:
>>
>> IntrusionDetector.AE8.actions=log,logout,disable
>>
>> Is there a way to see in which action is a detection point in my source
>> code? For example I want to check if the action is in logout.
>>
>>
>> Also if a user is not authenticated as I have seen, Appsensor treats him
>> like anonymous and the only action that can be applied in an anonymous is
>> log.
>>
>> is there a solution if I want to disable access to an anonymous?
>>
>> Thanks in advance
>>
>> Panos
>
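
The correlation John describes (keying unauthenticated visitors on a stable identifier such as the IP address instead of a random username), sketched as an added example that is not code from this thread or from AppSensor. The class name, threshold, window and escalation rule are assumptions; the action names follow the style of the quoted `esapi.properties` line.

```java
import java.util.*;
// Added example: hypothetical helper, not part of the AppSensor API.
public class AnonymousIntrusionTracker {
    private final int threshold;         // events inside the window that trigger the next action
    private final long windowMillis;     // sliding window length
    private final List<String> actions;  // escalation order, e.g. log then disable
    private final Map<String, Deque<Long>> events = new HashMap<>();
    private final Map<String, Integer> level = new HashMap<>();
    private final Set<String> disabled = new HashSet<>();

    public AnonymousIntrusionTracker(int threshold, long windowMillis, List<String> actions) {
        this.threshold = threshold;
        this.windowMillis = windowMillis;
        this.actions = actions;
    }

    // Records one detection-point event for a client; returns the action fired, or null.
    public synchronized String record(String clientKey, String eventCode, long now) {
        String key = clientKey + "|" + eventCode;   // the same visitor always maps to the same key
        Deque<Long> times = events.computeIfAbsent(key, k -> new ArrayDeque<>());
        times.addLast(now);
        while (now - times.peekFirst() > windowMillis) {
            times.removeFirst();         // forget events older than the window
        }
        if (times.size() < threshold) {
            return null;
        }
        times.clear();                   // count afresh toward the next action
        int next = Math.min(level.getOrDefault(key, 0), actions.size() - 1);
        level.put(key, next + 1);
        String action = actions.get(next);
        if ("disable".equals(action)) {
            disabled.add(clientKey);     // the login handler checks this before processing
        }
        return action;
    }

    public synchronized boolean isDisabled(String clientKey) {
        return disabled.contains(clientKey);
    }

    public static void main(String[] args) {
        // Constructed sample: six AE8 events, 5 s apart, from one documentation-range IP.
        AnonymousIntrusionTracker t = new AnonymousIntrusionTracker(3, 60_000, List.of("log", "disable"));
        for (int i = 1; i <= 6; i++) {
            System.out.println("event " + i + " -> " + t.record("203.0.113.7", "AE8", i * 5_000L));
        }
        System.out.println("disabled: " + t.isDisabled("203.0.113.7"));
    }
}
```

An IP key groups everyone behind the same NAT or proxy, so a disable keyed on it can lock out unrelated visitors; the maps here also grow without bound and would need expiry in a real deployment.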