[Owasp-appsensor-project] Interesting article - sounds like appsensor

Colin Watson colin.watson at owasp.org
Tue Jun 22 09:30:19 EDT 2010

Michael, Simon and Ryan

Perhaps a separate category (HT) is best - these relate to detectors
at points where normal application use would never reach.

I wonder if the proposed HT1 is just one example of a more general
case?  Something not required by the application, but MODIFIED by the
user.  HT2 might then be something different like a resource not
used/needed by the application, but VISITED by the user?  Then perhaps
HT3 to cover things like fake passwords in comment tags used elsewhere
(bait), or is that just another example of HT2?

The items then fall into these:

HT1 - Modification of honey trap data
Simon's example plus SANS items 3 and 6

HT2 - Visit to honey trap resource
SANS items 2 and 4

HT3 - Honey trap bait(data?) used
SANS item 5

I'm not sure if SANS item 1 fits in here at all.


On 21 June 2010 17:54, Michael Coates <michael.coates at owasp.org> wrote:
> I think this is a good idea. I'm looking for name suggestions for the
> category name. I like having two words so we can abbreviate down to two
> letters. These items will be listed in our detection point document, but not
> initially supported in the AppSensor code
> HoneyTrap
> HackerTrap
> HT1 - Modification of honey trap hidden field
> Description: A non-functional hidden field is added to the application with
> the specific purpose of detecting a potentially malicious. This detection
> point will fire anytime the honey trap hidden field is modified.
> Example: A hidden field is used with the title "admin" and is set to
> "false". If the application ever receives a value other than "false" then
> the detection point should fire.
> HT2 - More from here
> http://blogs.sans.org/appsecstreetfighter/2009/06/04/my-top-6-honeytokens/
> (thanks ryan)
> Thoughts?
> Michael Coates
> On 6/17/10 12:17 AM, Bennetts, Simon wrote:
>> Re the 'mini honeypots': that would be me then :)
>> Been lurking on this list for a while, but not had a chance to contribute
>> anything.
>> Looking at the list of detection points I'd like to propose another one.
>> As I mentioned in the Newcastle talk I put hidden fields in some forms
>> which look like potential vulnerabilities.
>> For example you could have "admin" set to "false".
>> Of course these sort of fields are really 'hacker traps' - they can never
>> be changed by any normal user actions.
>> If they are changed then its a very good indication that someone is trying
>> to attack your app.
>> I realise that you could class these in the existing ACE* set, but
>> personally I think its work having a specific new point, if only to promote
>> the idea of putting such 'traps' in for hackers.
>> And thanks for the talks Conlin, both very interesting.
>> Cheers,
>> Simon
>> ________________________________________
>> From: owasp-appsensor-project-bounces at lists.owasp.org
>> [owasp-appsensor-project-bounces at lists.owasp.org] On Behalf Of Colin Watson
>> [colin.watson at owasp.org]
>> Sent: 16 June 2010 17:49
>> To: Michael Coates
>> Cc: owasp-appsensor-project
>> Subject: Re: [Owasp-appsensor-project] Interesting article - sounds like
>>      appsensor
>> No don't know him.
>> The AppSensor talk at OWASP Leeds/North in Newcastle, UK went down
>> very well this evening.  Lots of interest.  One guy already using mini
>> honeypots in their apps (checking for modification to otherwise
>> useless hidden fields).
>> Colin
>> On 16 June 2010 19:15, Michael Coates<michael.coates at owasp.org>  wrote:
>>> Actually it does.  I'd like to introduce the AppSensor project to Dave
>>> Aitel.  Does anyone know him and would be willing to pass along this info
>>> or
>>> introduce us?
>>> Michael Coates
>> _______________________________________________
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>> If you've received this email by mistake, we're sorry for bothering you.
>> It may contain information that's confidential, so please delete it without
>> sharing it. And if you let us know, we can try to stop it from happening
>> again. Thank you.
>> We may monitor any emails sent or received by us, or on our behalf. If we
>> do, this will be in line with relevant law and our own policies.
>> Sage (UK) Limited. Registered in England at North Park, Newcastle upon
>> Tyne, NE13 9AA. Registered number 1045967.
>> _______________________________________________
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project

More information about the Owasp-appsensor-project mailing list