[Owasp-appsensor-dev] AppSensor API Questions (Node.js Demonstration Implementation)

John Melton jtmelton at gmail.com
Mon Dec 9 07:42:36 UTC 2013


Chetan,
Awesome to see what you're coming up with.

With respect to your questions, I responded inline below, but also wanted
to mention that one task I have for Colin is to give him the minimum json
structure needed so it can be documented. I'll also put that in the tech
documentation as well.

Thanks,
John


On Sun, Dec 8, 2013 at 6:07 PM, Chetan Karande <chetan.karande at owasp.org> wrote:

> Hi John,
>
> I started exploring the AppSensor code on github and went over the
> AppSensor Guide document. It helped me get more of an idea about AppSensor
> in general. I have a few questions for you specifically about approaching
> the Node.js demonstration implementation. Please answer when you get a chance:
>
> Question 1. As per our earlier email conversation, I explored more on
> implementing addEvent() and getResponses() methods in a Node.js app. Based
> on the AppSensor REST Service code on github, I think the service expects
> the client to use the following endpoints and JSON message structures. Can you
> please confirm if I am on the right track, and answer the questions highlighted.
>
> *addEvent() Implementation:*
> *======================*
>
> *Invoke REST Endpoint:* /api/v1.0/events
>
> *Sample Event JSON Object to be sent from the Node.js  App:*
>
> {
> user: {
> username: "",
>  ipAddress: ""
> },
> detectionPoint : {  // ??? Does Node.js client need to populate this
> object? If yes, what goes in responses, how to decide threshold?
>

All that is needed in the detectionPoint object field is the "id" field.
The rest is found server-side.

>  id: "",
> threshold: "",
> responses: []
>  },
> timestamp: "",
> detectionSystemId: "",
>  resource: "",
> eventType: ""
>
> }
>
>
> *getResponses() Implementation:*
> *=========================*
>
> *Poll REST EndPoint URL:* /api/v1.0/responses
>
> *Expected Response object from AppSensor REST service:*
>
> {
> id: "",
> threshold: "",
>  responses: [
> {
> user: {
> username: "",
>  ipAddress: ""
> },
> action: "",
>  detectionPoint: {}, //???. It contains responses array again. What to
> expect in it?
>

The detection point really shouldn't be part of the response - I'll try to
remove this from being serialized.


>  timestamp: "",
>  detectionSystemId: "",
> interval : {
> duration: "",
>  unit: 0 //number
> }
> },
> {
>  //another response
> }
> ]
> }
>
> 2. In case multiple responses are received as a result of invoking
> *getResponses()*, does the order in which actions are performed matter?
>

Good question that I don't think has been considered before. It shouldn't
in our case in the reference implementation (unless we add some new
features), but the timestamp is available, so it's likely best practice to
execute them in order. I'll add this point to the documentation.


>
> 3. Can I set up the AppSensor REST Server on my machine and use it for testing
> the Node.js demo implementation? If so, can you please provide me the steps to set
> it up.
>

Yep, but there's not a project set up to do it yet. I'll try to add a sample
app for that soon. If you'd like to use it before I get that done, have a
look at the appsensor-ws-rest-server project and the RestRequestHandlerTest
class. There is a helper method at the bottom of the class (startServer)
that runs the service on grizzly. You can call that in a main method to get
a small simple server going for testing.


> Just to share, I am exploring retrofitting ghost <https://ghost.org/>, an
> open-source Node.js-based blogging platform, for the AppSensor demonstration
> implementation. I am working on getting familiar with its code and identifying
> detection points.
>

That's an awesome project. Adding security to existing popular platforms
has been a goal for OWASP for some time - nice to see progress here.


>
> Best Regards,
>
> Chetan Karande
>
> chetan.karande at owasp.org
>
> OWASP NYC Local Chapter <https://www.owasp.org/index.php/NYC>
>
> Open Web Application Security Project<https://www.owasp.org/index.php/Main_Page>
>