[Owasp-appsensor-project] how to detect if a detection point is created and some other questions

Ryan Barnett ryan.barnett at owasp.org
Mon Mar 11 16:50:21 UTC 2013


On Mon, Mar 11, 2013 at 6:08 AM, Dennis Groves <dennis.groves at gmail.com> wrote:

> On 11 Mar 2013, at 1:14, panos wrote:
>
> Yes, a random username isn't so good an idea; actually it's a very bad idea. I
> thought of getting the IP and giving it as the username, for example
> "Ano192.168.1.1". I think that something like this will work. I'll try it.
>
> One of the issues is the concept of identity: it only takes 32 bits of
> information to identify somebody
> <https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy>.
> An IP address is certainly not enough, and unsurprisingly you can easily gather
> enough information to have very high confidence in identity without any
> username or password.
>
> And you will most certainly have enough information to make a
> Bayesian decision (how likely is it that this identity is being hostile?) based
> on the behaviour of that identity (33 bits) for AppSensor. I suggest that
> anybody who doesn't surrender the '33 bits' is perhaps automatically
> suspect, since they fall outside your standard deviation model of users.
>
> Dennis
>
>
I show some examples of similar approaches in Recipe 8-5: Detecting
Browser Fingerprint Changes During Sessions of my book -
http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118362187,descCd-tableOfContents.html


This uses JS code sent to the browser, which calculates a hash of the
browser fingerprint and adds it as a cookie value. This is then saved
server side in the SessionID collection. This way you can track the
unauthenticated user by their browser fingerprint.

-Ryan
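The server-side half of the approach Ryan describes, as an added example (not his code and not from his book): it hashes a constructed set of browser attributes the way a client-side script would, binds the first hash seen to the SessionID, and records an event when a later request's cookie value differs or is absent. The attribute names, the tracker class and the event labels are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample attribute sets standing in for what a client-side
# fingerprinting script would collect (hypothetical attribute names).
SAMPLE_BROWSER_A = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/19.0",
                    "screen": "1920x1080", "timezone_offset": -60,
                    "plugins": ["Shockwave Flash", "Java"]}
SAMPLE_BROWSER_B = dict(SAMPLE_BROWSER_A, user_agent="curl/7.29.0", plugins=[])


def fingerprint_hash(attributes: dict) -> str:
    """Hash the collected attributes the way the browser-side script would,
    canonicalising key order so the same browser always yields the same hash."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class FingerprintTracker:
    """Server-side SessionID -> fingerprint-hash store and the events it raises.
    The cookie value is client-supplied: this detects a change mid-session,
    it does not prove the client computed the value honestly."""
    bound: Dict[str, str] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)

    def check_request(self, session_id: str, fp_cookie: Optional[str]) -> str:
        """Classify one request: 'bound' (first sighting), 'ok' (matches),
        'missing' (cookie absent) or 'changed' (differs from the bound hash).
        The last two are recorded as events for the detection engine."""
        if fp_cookie is None:
            self._record(session_id, "fingerprint_missing", None)
            return "missing"
        known = self.bound.get(session_id)
        if known is None:
            # First request of this session: bind the fingerprint to it.
            self.bound[session_id] = fp_cookie
            return "bound"
        if known == fp_cookie:
            return "ok"
        self._record(session_id, "fingerprint_changed", fp_cookie)
        return "changed"

    def _record(self, session_id: str, label: str, seen: Optional[str]) -> None:
        self.events.append({"session": session_id, "detection_point": label,
                            "expected": self.bound.get(session_id), "seen": seen})
```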