[Owasp-appsensor-project] Recommend a new reference link for RP3: Suspicious Client-Side Behavior

Colin Watson colin.watson at owasp.org
Fri Aug 16 14:43:40 UTC 2013

Added to RP3 on the wiki (and in the draft v2 Guide book).


On 12 July 2013 09:43, Colin Watson <colin.watson at owasp.org> wrote:
> Ryan
> Yes, clever technique. I think this should be mentioned, but maybe
> better as a new "Example 6".
> Colin
> On 11 July 2013 10:27, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> I wanted to share a blog post I did yesterday that would be a good reference
>> for Example 5 of RP3: Suspicious Client-side Behavior -
>> https://www.owasp.org/index.php/AppSensor_DetectionPoints#RP3:_Suspicious_Client-Side_Behavior
>> Here is the blog post -
>> http://blog.spiderlabs.com/2013/07/modsecurity-advanced-topic-of-the-week-detecting-banking-trojan-page-modifications.html
>> It uses ModSecurity to send down defensive JS code when banking clients
>> access the login page.  The JS code will then initiate an XHR request back
>> to the app for the same page.  This time, however, ModSecurity creates a
>> Hash of the valid response body and adds this as a new response header
>> called "WebTripWireHash".  When the XHR response is received, the JS code
>> then locally calculates another Hash and compares it with the
>> WebTripWireHash value sent by ModSecurity.  If a banking trojan has modified
>> the login page HTML to attempt to phish extra data from the user then this
>> will catch it.  The JS code then issues an alert pop-up warning the user and
>> sends another XHR request back to the web server/ModSecurity to notify of
>> the issue.  This is somewhat similar in theory to a CSP violation report
>> request.
>> This may be a good reference link to include for Example 5.
>> Thoughts/Comments?
>> -Ryan
>> _______________________________________________
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
