[Owasp-appsensor-dev] AppSensor API Questions (Node.js Demonstration Implementation)

Chetan Karande chetan.karande at owasp.org
Tue Dec 10 01:12:50 UTC 2013


Great. Thanks for the details John.

Chetan
On Dec 9, 2013 2:42 AM, "John Melton" <jtmelton at gmail.com> wrote:

> Chetan,
> Awesome to see what you're coming up with.
>
> With respect to your questions, I responded inline below, but also wanted
> to mention that one task I have for Colin is to give him the minimum json
> structure needed so it can be documented. I'll also put that in the tech
> documentation as well.
>
> Thanks,
> John
>
>
> On Sun, Dec 8, 2013 at 6:07 PM, Chetan Karande <chetan.karande at owasp.org>wrote:
>
>> Hi John,
>>
>> I started exploring the AppSensor code on github and went over the
>> AppSensor Guide document. It helped me get a better idea of AppSensor
>> in general. I have a few questions for you specifically about approaching the
>> Node.js demonstration implementation. Please answer when you get a chance:
>>
>> Question 1. As per our earlier email conversation, I explored more on
>> implementing addEvent() and getResponses() methods in the Node.js app. Based
>> on the AppSensor REST Service code on github, I think the service expects the
>> client to use the following endpoints and JSON message structures. Can you
>> please confirm if I am on the right track, and answer the questions highlighted.
>>
>> *addEvent() Implementation:*
>> *======================*
>>
>> *Invoke REST Endpoint:* /api/v1.0/events
>>
>> *Sample Event JSON Object to be sent from the Node.js  App:*
>>
>> {
>> user: {
>> username: "",
>>  ipAddress: ""
>> },
>> detectionPoint : {  // ??? Does Node.js client need to populate this
>> object? If yes, what goes in responses, how to decide threshold?
>>
>
> All that is needed in the detectionPoint object field is the "id" field.
> The rest is found server-side.
>
>>  id: "",
>> threshold: "",
>> responses: []
>>  },
>> timestamp: "",
>> detectionSystemId: "",
>>  resource: "",
>> eventType: ""
>>
>> }
>>
>>
>> *getResponses() Implementation:*
>> *=========================*
>>
>> *Poll REST EndPoint URL:* /api/v1.0/responses
>>
>> *Expected Response object from AppSensor REST service:*
>>
>> {
>> id: "",
>> threshold: "",
>>  responses: [
>> {
>> user: {
>> username: "",
>>  ipAddress: ""
>> },
>> action: "",
>>  detectionPoint: {}, //???. It contains responses array again. What to
>> expect in it?
>>
>
> The detection point really shouldn't be part of the response - I'll try to
> remove this from being serialized.
>
>
>>  timestamp: "",
>>  detectionSystemId: "",
>> interval : {
>> duration: "",
>>  unit: 0 //number
>> }
>> },
>> {
>>  //another response
>> }
>> ]
>> }
>>
>> 2. In case multiple responses are received as a result of invoking
>> *getResponses()*, does the order in which actions are performed matter?
>>
>
> Good question that I don't think has been considered before. It shouldn't
> in our case in the reference implementation (unless we add some new
> features), but the timestamp is available, so it's likely best practice to
> execute them in order. I'll add this point to the documentation.
>
>
>>
>> 3. Can I set up the AppSensor REST Server on my machine and use it for testing
>> the Node.js demo implementation? If so, can you please provide me the steps to set
>> it up.
>>
>
> Yep, but there's not a project setup to do it yet. I'll try to add a
> sample app for that soon. If you'd like to use it before I get that done,
> have a look at the appsensor-ws-rest-server project and the
> RestRequestHandlerTest class. There is a helper method at the bottom of the
> class (startServer) that runs the service on grizzly. You can call that in
> a main method to get a small simple server going for testing.
>
>
>> Just to share, I am exploring retrofitting ghost <https://ghost.org/>, an
>> open-source Node.js based blogging platform, for the AppSensor demonstration
>> implementation. I am working on getting familiar with its code and identifying
>> detection points.
>>
>
> That's an awesome project. Adding security to existing popular platforms
> has been a goal for OWASP for some time - nice to see progress here.
>
>
>>
>> Best Regards,
>>
>> Chetan Karande
>>
>> chetan.karande at owasp.org
>>
>> OWASP NYC Local Chapter <https://www.owasp.org/index.php/NYC>
>>
>> Open Web Application Security Project<https://www.owasp.org/index.php/Main_Page>
>>
>
>