[Owasp-appsensor-project] AppSensor Response Actions
jtmelton at gmail.com
Fri Sep 21 20:19:45 UTC 2012
This is a great question, and probably one that will need to be
decided on a per-organization and even per-application basis.
However, by default, the current implementation evaluates the data on
a per-user basis without considering sessions, i.e. the results are not
cleared out on logout/login. That means that either scenario you
presented would produce an intrusion in the current model.
You could certainly write a bit of code to clear out the results for
the user on logout if that's what you decide is appropriate for your
application. I would just consider that an attacker could use that to
his/her advantage by doing, say, 2 bad things, then logout/login, then
2 more bad things, etc. and never reach your thresholds.
On Fri, Sep 21, 2012 at 4:10 PM, Stephanie S
<security.stephanie at gmail.com> wrote:
> I'm thinking about implementing the concept of AppSensor in my project and
> am wondering about the thresholds for Response Actions.
> For example, if a user has had a number of input violation errors that are
> clearly related to attempts to circumvent the application, should the
> internal tracking of this activity be limited to the user's current session?
> Or persist session to session?
> For example, if the system has a threshold of 3 violations before logout and
> in the current session the user has had 3 violations, that would constitute
> a logout. But if the user in the current session had 2 violations, logged
> out, then logged back in, and had another violation, should the logout
> Basically, I'm asking -- is there a recommended basis for interval that this
> occurs? By session or by a time period like 24 hours?