[Owasp-appsensor-dev] AppSensor API Questions (Node.js Demonstration Implementation)

Chetan Karande chetan.karande at owasp.org
Sun Dec 8 23:07:06 UTC 2013


Hi John,

I started exploring the AppSensor code on GitHub and went over the
AppSensor Guide document. It helped me get a better idea of AppSensor
in general. I have a few questions for you, specifically about approaching
the Node.js demonstration implementation. Please answer when you get a chance:

Question 1. As per our earlier email conversation, I explored more on
implementing the addEvent() and getResponses() methods in a Node.js app. Based on
the AppSensor REST Service code on GitHub, I think the service expects
the client to use the following endpoints and JSON message structures. Can you
please confirm if I am on the right track, and answer the highlighted questions?

*addEvent() Implementation:*
*======================*

*Invoke REST Endpoint:* /api/v1.0/events

*Sample Event JSON Object to be sent from the Node.js App:*

{
  user: {
    username: "",
    ipAddress: ""
  },
  // ??? Does the Node.js client need to populate this object?
  // If yes, what goes in responses, and how to decide the threshold?
  detectionPoint: {
    id: "",
    threshold: "",
    responses: []
  },
  timestamp: "",
  detectionSystemId: "",
  resource: "",
  eventType: ""
}


*getResponses() Implementation:*
*=========================*

*Poll REST EndPoint URL:* /api/v1.0/responses

*Expected Response object from AppSensor REST service:*

{
  id: "",
  threshold: "",
  responses: [
    {
      user: {
        username: "",
        ipAddress: ""
      },
      action: "",
      // ??? It contains a responses array again. What to expect in it?
      detectionPoint: {},
      timestamp: "",
      detectionSystemId: "",
      interval: {
        duration: "",
        unit: 0 // number
      }
    },
    {
      // another response
    }
  ]
}

2. In case multiple responses are received as a result of invoking
*getResponses()*, does the order in which actions are performed matter?

3. Can I set up the AppSensor REST Server on my machine and use it for testing
the Node.js demo implementation? If so, can you please provide me the steps to set
it up?

Just to share, I am exploring retrofitting Ghost <https://ghost.org/>, an
open-source Node.js-based blogging platform, for the AppSensor demonstration
implementation. I am working on getting familiar with its code and identifying
detection points.

Best Regards,

Chetan Karande

chetan.karande at owasp.org

OWASP NYC Local Chapter <https://www.owasp.org/index.php/NYC>

Open Web Application Security Project<https://www.owasp.org/index.php/Main_Page>