[Owasp-appsensor-project] how to detect if a detection point is created and some other questions

Dennis Groves dennis.groves at gmail.com
Mon Mar 11 15:55:31 UTC 2013


On 11 Mar 2013, at 15:37, santosh kumar wrote:

> IP address information is not at all sufficient for user 
> identification.

This is the key requirement - **sufficient identification**

> Of course, a user may use different systems for accessing an 
> application.

Of course!

> Instead a two-level security check can be incorporated to give the access
> which can avoid unauthenticated entry into the application.

We are doing neither authentication nor access control. What we are doing 
does not require positive identification. All that is required is just 
enough information for creating AppSensor 'detection points'.

For example - if you have the 33 bits of information about all 
authenticated users, and you hashed that information and compared it to 
a hash of the 33 bits of information about anybody who is attempting 
to log into the site - you now have enough information to know 
statistically if you have a new user, or a returning user, with a high 
degree of certainty.

Of course nothing is perfect; I myself travel the world and google 
always fails to get my language settings correct despite my having 
literally set them in my profile.

Nevertheless, I have no doubt that my 21.4 bits of entropy give you far 
more information about me as a person than any IP address ever would - 
despite my changing localities all the time. And that information is 
more than enough to make decisions about me with the OWASP AppSensor.

E.g. if my 21.4 bits of entropy attempt to hack you with, say, a SQLi - 
you can likely ban my 21.4 bits of entropy at the application for 4 
hours with a great deal more success and fewer side effects than my IP 
address (current 'best practice'), and that is the entire point of the 
OWASP AppSensor concept.

Does this make sense to you Santosh?

Dennis

-- 
[Dennis Groves](http://about.me/dennis.groves), MSc
[Email me](mailto:dennis.groves at owasp.org) or [schedule a 
meeting](http://goo.gl/8sPIy).

*This email is licensed under a [CC BY-ND 
3.0](http://creativecommons.org/licenses/by-nd/3.0/deed.en_GB) license.*

**Please do not send me Microsoft Office/Apple iWork documents.**
Send [OpenDocument](http://fsf.org/campaigns/opendocument/) instead!
Stand up for your freedom to install [free 
software](http://www.fsf.org/campaigns/secure-boot/statement).

> The idea that some lives matter less is the root of all that’s wrong 
> with the world. -- Paul Farmer
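The mechanism Dennis sketches above (hash a handful of IP-independent request attributes, compare the hash rather than the address, and respond to a detection point against that hash for a fixed period) as an added, illustrative example. This is not code from the thread or from the OWASP AppSensor project: the header set in `FINGERPRINT_FIELDS`, the keyed HMAC with `SERVER_SECRET`, the `DetectionPoint` class and its threshold, window and 4-hour ban, and the Panopticlick-style `surprisal_bits` estimate are all assumptions chosen for the demonstration. The sample headers and the language-population table are constructed inline.

```python
"""Fingerprint-keyed detection point with a temporary ban (illustrative)."""
import hashlib
import hmac
import math
from collections import defaultdict

# Assumption: a server-side secret keys the hash so a stored fingerprint
# cannot be brute-forced back to the raw header values with a dictionary.
SERVER_SECRET = b"rotate-this-secret-out-of-band"

# Assumed set of stable, IP-independent attributes. The remote address is
# deliberately not in this list; that is the point of the thread.
FINGERPRINT_FIELDS = ("User-Agent", "Accept-Language", "Accept-Encoding",
                      "Accept", "X-Screen", "X-Timezone")


def fingerprint(headers: dict) -> str:
    """Keyed hash of the request attributes in FINGERPRINT_FIELDS."""
    raw = "\x1f".join(headers.get(f, "") for f in FINGERPRINT_FIELDS)
    return hmac.new(SERVER_SECRET, raw.encode("utf-8"), hashlib.sha256).hexdigest()


def surprisal_bits(value: str, population: dict) -> float:
    """Panopticlick-style estimate of how identifying one attribute value is:
    -log2(fraction of the observed population sharing it). A value never seen
    before is scored as if it were a single new observation."""
    total = sum(population.values())
    seen = population.get(value, 0)
    if seen == 0:
        seen, total = 1, total + 1
    return -math.log2(seen / total)


class DetectionPoint:
    """One AppSensor-style detection point keyed by fingerprint, not by IP.

    `threshold` events within `window_seconds` trigger a ban of `ban_seconds`.
    """

    def __init__(self, label, threshold, window_seconds, ban_seconds):
        self.label = label
        self.threshold = threshold
        self.window = window_seconds
        self.ban = ban_seconds
        self.events = defaultdict(list)   # fingerprint -> recent event times
        self.banned_until = {}            # fingerprint -> ban expiry time

    def record(self, fp: str, now: float) -> bool:
        """Record one event for `fp`; return True if it triggered a ban."""
        recent = [t for t in self.events[fp] if now - t <= self.window]
        recent.append(now)
        self.events[fp] = recent
        if len(recent) >= self.threshold:
            self.banned_until[fp] = now + self.ban
            self.events[fp] = []          # counter resets once we responded
            return True
        return False

    def is_banned(self, fp: str, now: float) -> bool:
        expiry = self.banned_until.get(fp)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned_until[fp]     # ban has lapsed
            return False
        return True


# Constructed sample requests: the same browser seen from two addresses,
# and a different browser behind the first address.
REQ_HOME = {"REMOTE_ADDR": "198.51.100.7", "User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/19",
            "Accept-Language": "en-GB,en;q=0.5", "Accept-Encoding": "gzip, deflate",
            "Accept": "text/html", "X-Screen": "1440x900x24", "X-Timezone": "0"}
REQ_HOTEL = dict(REQ_HOME, REMOTE_ADDR="203.0.113.42")
REQ_OTHER_BROWSER = dict(REQ_HOME, **{"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Chrome/25",
                                      "Accept-Language": "en-US,en;q=0.8"})

# Constructed population counts for one attribute, as Panopticlick tallies them.
LANGUAGE_POPULATION = {"en-US,en;q=0.8": 90, "en-GB,en;q=0.5": 10}


def run_scenario(now: float = 1000.0):
    """Two SQLi-looking requests in ten minutes ban the fingerprint for 4h."""
    sqli = DetectionPoint("SQL injection attempt", threshold=2,
                          window_seconds=600, ban_seconds=4 * 3600)
    sqli.record(fingerprint(REQ_HOME), now)
    sqli.record(fingerprint(REQ_HOTEL), now + 10)   # same browser, new IP
    return {
        "same_user_other_ip_banned": sqli.is_banned(fingerprint(REQ_HOTEL), now + 20),
        "other_browser_same_ip_banned": sqli.is_banned(fingerprint(REQ_OTHER_BROWSER), now + 20),
        "banned_after_four_hours": sqli.is_banned(fingerprint(REQ_HOME), now + 4 * 3600 + 30),
    }


if __name__ == "__main__":
    print(run_scenario())
    print("en-GB surprisal:", round(surprisal_bits("en-GB,en;q=0.5", LANGUAGE_POPULATION), 2), "bits")
```

Because the remote address is not a fingerprint input, the second request from the hotel network maps to the same hash as the first and completes the ban, while an unrelated browser behind the original address is untouched. The `surprisal_bits` figure is how per-attribute "bits of entropy" numbers are obtained; summing it over independent attributes gives the kind of total the message refers to, so it is only as good as the population table and the independence assumption behind it.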

