[Owasp-leaders] [Owasp-topten] OWASP Top 10 Methodology

Ashish Rao ashish.rao at owasp.org
Thu Mar 14 17:30:59 UTC 2013


Hi,

To add to what Rory mentioned, application developers can take a few
precautions when it comes to DoS. After researching different sources
on the Internet for "programming/coding flaws" that lead to DoS attacks,
I use this list of checks while reviewing applications.

Page Name: Registration page

  Check 1: Check if there are publicly accessible registration pages
  without CAPTCHA.

  Check 2: If CAPTCHA is present, check if the CAPTCHA is validated
  properly by the server.
  Notes:
    1. The server should have a copy of the CAPTCHA sent and must validate
       the request based on it.
    2. The CAPTCHA should be invalidated after one use.
    3. The request should not be processed without the CAPTCHA validation.

Page Name: Anywhere in the application

  Check 1: Check if database resources are closed after processing.

  Check 2: Check if temporary files created by the system for processing
  are deleted after processing.
  Notes: Sometimes applications may create a temporary file while
  processing and may forget to delete it.

  Check 3: Check if the loop counter/condition is determined by any user
  input.
  Notes: http://lab.gsi.dit.upm.es/semanticwiki/index.php/Resource_exhaustion
  Check if the condition to run a "for" or a "while" loop is determined by
  a user input. In such cases a user can supply a very high number and make
  the loop run indefinitely.

  Check 4: Check if the memory allocation like array size is determined
  based on user input.
  Notes: A user can specify a very large value and thereby cause the server
  to create that many objects in memory. This may possibly lead to
  memory/resource exhaustion on the server.

  Check 5: Check if the sleep time of the thread is initialized using user
  inputs.
  Notes: https://www.fortify.com/vulncat/en/vulncat/java/code_correctness_call_to_sleep_in_lock.html
  Here, if the lock to any resource has been obtained by the thread and it
  then goes to sleep for the time specified by the user, then the user can
  make that resource unavailable by causing the thread to sleep for an
  indefinite time.

  Check 6: Check if the "parseDouble" method is being used to validate an
  unvalidated user input.
  Notes: https://www.fortify.com/vulncat/en/vulncat/java/denial_of_service_parse_double.html
  Java hangs when a very low fractional number is set for parsing, hence
  when user inputs are directly parsed using this method, this might
  possibly lead to a DOS attack. (Yet to confirm this)

Thanks,
Ashish
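
The following is an added Python example, not code from Ashish's mail, from Fortify, or from any OWASP project, that renders the checks above as hardened code: a server-side, single-use CAPTCHA store for the registration checks, and bounds-checked parsing for every user value that drives a loop count, an allocation size or a sleep duration (checks 3 to 6 under "Anywhere in the application"). The handler names, form fields and numeric limits are assumptions chosen for the illustration. The parseDouble item is Java-specific and is not reproduced; the example shows only the general rule it implies, which is to range-check a parsed number (and reject NaN and infinities) before it is used.

```python
import secrets
import time

# Illustrative hard caps (assumed values, not from the mail): any user-supplied
# number that sizes a loop, an allocation or a sleep is checked against one of these.
MAX_ITEMS = 1000            # upper bound on per-request loop iterations / array size
MAX_SLEEP_SECONDS = 5.0     # upper bound on a user-influenced delay
CAPTCHA_TTL_SECONDS = 300   # how long an issued CAPTCHA stays valid


def bounded_int(raw, lo, hi):
    """Parse untrusted text as an int and reject anything outside lo..hi."""
    try:
        value = int(str(raw).strip(), 10)
    except (TypeError, ValueError):
        raise ValueError("not an integer") from None
    if not lo <= value <= hi:
        raise ValueError(f"value {value} outside {lo}..{hi}")
    return value


def bounded_float(raw, lo, hi):
    """Parse untrusted text as a float; NaN, infinities and out-of-range values are
    rejected. Parsing first and range-checking second is what keeps a
    user-controlled sleep duration inside a known limit."""
    try:
        value = float(str(raw).strip())
    except (TypeError, ValueError):
        raise ValueError("not a number") from None
    if value != value or not lo <= value <= hi:   # NaN compares unequal to itself
        raise ValueError(f"value {value!r} outside {lo}..{hi}")
    return value


class CaptchaStore:
    """Server-side record of issued CAPTCHAs (registration check 2): the server
    keeps its own copy of the answer, a token validates once only, and an
    expired or unknown token never validates."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # token -> (expected answer, expiry timestamp)

    def issue(self, answer):
        token = secrets.token_urlsafe(16)
        self._pending[token] = (answer, self._clock() + CAPTCHA_TTL_SECONDS)
        return token

    def verify(self, token, answer):
        entry = self._pending.pop(token, None)  # pop: the token is consumed on first use
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry:
            return False
        return secrets.compare_digest(expected.encode(), str(answer).encode())


def register(form, store):
    """Registration handler: nothing is processed until the CAPTCHA validates."""
    if not store.verify(form.get("captcha_token", ""), form.get("captcha_answer", "")):
        return "rejected: captcha"
    return f"registered {form.get('username', '')}"


def build_report(form):
    """Handler whose loop count, buffer size and delay all come from the user.
    Each value is bounded before use, so a huge or malformed input produces an
    error response instead of a runaway loop, allocation or sleep."""
    try:
        rows = bounded_int(form.get("rows", "0"), 0, MAX_ITEMS)
        width = bounded_int(form.get("width", "0"), 0, MAX_ITEMS)
        delay = bounded_float(form.get("delay", "0"), 0.0, MAX_SLEEP_SECONDS)
    except ValueError as err:
        return {"error": str(err)}
    buffer = [0] * width                  # allocation sized by the validated value only
    total = 0
    for i in range(rows):                 # loop bound is the validated value only
        total += i
    return {"rows": rows, "buffer": len(buffer), "delay": delay, "total": total}


if __name__ == "__main__":
    store = CaptchaStore()
    token = store.issue("7")
    print(register({"username": "alice", "captcha_token": token, "captcha_answer": "7"}, store))
    print(register({"username": "alice", "captcha_token": token, "captcha_answer": "7"}, store))  # replay
    print(build_report({"rows": "10", "width": "4", "delay": "0.5"}))
    print(build_report({"rows": "99999999999", "width": "4", "delay": "0.5"}))
    print(build_report({"rows": "1", "width": "1", "delay": "nan"}))
```

The second `register` call in the usage block replays the same token and is rejected, which is the "invalidated after one use" note; the last two `build_report` calls show an oversized loop bound and a NaN delay being refused before any resource is touched.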

On Thu, Mar 14, 2013 at 10:28 PM, Ryan Barnett <ryan.barnett at owasp.org> wrote:

>  Speaking from an App-level view, this type of monitoring is included as
> part of the OWASP AppSensor Project -
> https://www.owasp.org/index.php/AppSensor_DetectionPoints#UserTrendException
> .
>
> -Ryan
>
> From: Rory McCune <rory.mccune at owasp.org>
> Date: Thursday, March 14, 2013 12:35 PM
> To: Dave Wichers <dave.wichers at owasp.org>
> Cc: Ryan Barnett <ryan.barnett at owasp.org>, OWASP Leaders <
> owasp-leaders at lists.owasp.org>, OWASP TopTen <owasp-topten at lists.owasp.org
> >
> Subject: Re: [Owasp-topten] [Owasp-leaders] OWASP Top 10 Methodology
>
>  Hi,
>
> I think that there are some things that app. developers /owners could do
> to address app DoS (although as you say I think that network DDoS is more
> common).
>
> The kind of App DoS I'm thinking of would be where a simple GET or POST
> request could trigger a computationally expensive transaction on the
> application database or server. So for example something like a large
> database query that's triggered by a product search.  Presumably the
> application has been tested for standard usage patterns but may not have
> been tested for someone making very large numbers of searches quickly.
>
> In terms of mitigation, I'd say that there would be a two phase approach.
>  First would be identification of what transactions/requests caused large
> processing loads and secondly would be implementing some form of
> protection, which could take the form of basic rate limiting for a given
> transaction or perhaps at a more advanced level detecting an unusual usage
> pattern (i.e. ordinary users browse from the login page through to the
> search page and then search once, whereas these IPs are hitting the search
> page repeatedly without any other page visit) and then blocking/limiting
> those IPs in relation to those transactions.
>
> The advantage of defending this at the application layer is that there's
> likely to be more visibility/understanding of what constitutes
> unusual behavior and also what the high processing requirement transactions
> are.
>
> Cheers
>
> Rory
>
>
> On Thu, Mar 14, 2013 at 4:26 PM, Dave Wichers <dave.wichers at owasp.org> wrote:
>
>> Hey everyone. Related to DDOS, (Today’s latest event is:
>> http://www.bankinfosecurity.com/ddos-6-banks-hit-on-same-day-a-5607), do
>> we have any stats/metrics on how many DDOS attacks are at the application
>> level vs. the network level?
>>
>> The OWASP Top 10 is about Web Apps, not network security. And I know if
>> they DDOS the server and take out the app, then it’s an app problem, but is
>> there anything the APP itself can do about the most common DDOS attacks?
>>
>> I’m trying to figure out, if we added DDOS to the Top 10, what advice we
>> could provide to developers/app owners on how to mitigate this risk? And if
>> all the advice is at the network level, because that’s the best / easiest
>> place to defend against this, does that belong in a top 10 list for apps?
>> Maybe/Maybe not.
>>
>> I’m trying to encourage discussion here. I’m not saying I don’t think it
>> belongs in the Top 10. This is a tricky/complex issue worth discussing.
>>
>> -Dave
>>
>>
>> *From:* Ryan Barnett [mailto:ryan.barnett at owasp.org]
>> *Sent:* Wednesday, March 13, 2013 11:00 AM
>> *To:* Dave Wichers
>> *Cc:* Michael Coates; OWASP Leaders; OWASP TopTen
>> *Subject:* Re: [Owasp-leaders] OWASP Top 10 Methodology
>>
>> FYI - I have added links to sample attack reports to this page -
>> https://www.owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements
>>
>> -Ryan
>>
>> On Tue, Mar 5, 2013 at 9:33 AM, Dave Wichers <dave.wichers at owasp.org>
>> wrote:
>>
>> Thanks Ryan for taking the lead on this step of the methodology. I’m very
>> interested in seeing what the various attack metric sources we can get our
>> hands on say about the prevalence of different kinds of attacks.
>>
>> One comment about the prevalence factor in the Top 10 is that its
>> definition is:
>>
>> The likelihood that an attacker would successfully attack the application
>> given this vulnerability.  I could imagine some attack metrics only measure
>> attempts to attack (like random DOSing, or random attempts at SQL
>> injection/XSS) but don’t or can’t measure the number of actually successful
>> attacks.
>>
>> And I think the likelihood of success is pretty important. Take Reflected
>> XSS for example. It’s pretty prevalent, it’s pretty easy to find, but it
>> can be hard to successfully pull off.
>>
>> Don’t get me wrong, I think knowing what attack attempts are actually
>> occurring out there in the wild is great information to know. But I’m not
>> sure if that data is an exact match to what we consider the likelihood of
>> actual successful attack in the Top 10 as it’s defined today.
>>
>> -Dave
>>
>>
>> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
>> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Ryan Barnett
>> *Sent:* Tuesday, March 05, 2013 9:25 AM
>> *To:* Michael Coates; OWASP Leaders; OWASP TopTen
>> *Subject:* Re: [Owasp-leaders] OWASP Top 10 Methodology
>>
>> With regards to "Additional data sources to be considered" Enhancement
>> item – I am contacting various vendors that I listed to try and get access
>> to web attack metrics.  I have heard back from both Akamai and Incapsula
>> and they are willing to share so I will work with them.
>>
>> I will update the group when I have more info.
>>
>> -Ryan
>>
>>
>> *From: *Michael Coates <michael.coates at owasp.org>
>> *Date: *Saturday, March 2, 2013 7:15 PM
>> *To: *OWASP Leaders <owasp-leaders at lists.owasp.org>, OWASP TopTen <
>> owasp-topten at lists.owasp.org>
>> *Subject: *Re: [Owasp-leaders] OWASP Top 10 Methodology
>>
>> Leaders,
>>
>> The OWASP Top 10 Methodology wiki page (as described in the below email)
>> is now live - https://owasp.org/index.php/Top_10_2013/ProjectMethodology
>>
>> As you'll see in the first line of the wiki - "The goal of this page is
>> to provide the baseline of knowledge to begin a thoughtful conversation of
>> enhancements and changes to continue growing the OWASP top 10."
>>
>> Next Steps:
>>
>> - Have ideas on how we can enhance the methodology? Please add it here
>> https://owasp.org/index.php/Top_10_2013/ProjectMethodology#Suggested_Enhancements
>>
>> - We'll then begin making changes based on these ideas
>>
>> Overall Goal:
>>
>> Increase participation, enhance methodology, and continue to grow the
>> excellent OWASP top 10 resource
>>
>> Thanks for everyone's hard work so far on the Top 10 and all the good
>> ideas that have been floating around. I'm confident we can all work
>> together as a community to make this next top 10 awesome.  I look forward
>> to continuing this conversation with everyone.
>>
>> --
>> Michael Coates | OWASP | @_mwc
>> michael-coates.blogspot.com
>>
>> On Tue, Feb 26, 2013 at 12:05 PM, Michael Coates <
>> michael.coates at owasp.org> wrote:
>>
>> Leaders & Top 10 Enthusiasts,
>>
>> Dave and I had a great conversation today about the Top 10 and some of
>> the questions that have been posed by many in our owasp community.
>>
>> We're going to build a wiki page that describes the overall project
>> methodology of the owasp top 10, what's currently happening, suggestions
>> for improvements, and an FAQ.
>>
>> The project has continually grown over the various releases and has
>> successfully attracted more worldwide attention. As we've grown as an
>> organization we've seen many new ways to further open the top 10 and invite
>> greater participation.
>>
>> This methodology wiki page will help clarify the activities to date and
>> provide a feedback channel to continue growing.
>>
>> Please look for this page later this week. It would have been great for
>> me to include the completed page with this email, but it will take a day or
>> two and I wanted to send this info to the list now.
>>
>> Thanks!
>>
>> --
>> Michael Coates | OWASP | @_mwc
>> michael-coates.blogspot.com
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>> _______________________________________________
>> Owasp-topten mailing list
>> Owasp-topten at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-topten
>>
>>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
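
As an added example that is not from Rory's quoted mail or from the OWASP AppSensor project, the two-phase application-layer mitigation he describes, in Python: phase one is represented by a set of transactions already identified as computationally expensive, and phase two by a per-IP sliding-window counter that rate-limits those transactions and separately flags the usage pattern of hitting the search page repeatedly without visiting any other page. The log format, IP addresses, paths and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

# Phase one output (assumed for the example): transactions found to be expensive.
EXPENSIVE = {"/search"}
WINDOW_SECONDS = 60     # sliding window for the per-IP, per-transaction counter
MAX_PER_WINDOW = 5      # more than this many expensive requests per window is abusive

# Constructed access log, "<unix seconds> <client ip> <path>"; not real traffic.
# 10.0.0.1 browses login -> products -> one search (ordinary user).
# 198.51.100.7 hits /search seven times in 12 s and nothing else.
# 203.0.113.5 browses normally first, then searches seven times in 70 s.
SAMPLE_LOG = """\
1000 10.0.0.1 /login
1005 10.0.0.1 /products
1010 10.0.0.1 /search
1000 198.51.100.7 /search
1002 198.51.100.7 /search
1004 198.51.100.7 /search
1006 198.51.100.7 /search
1008 198.51.100.7 /search
1010 198.51.100.7 /search
1012 198.51.100.7 /search
1000 203.0.113.5 /login
1003 203.0.113.5 /products
1010 203.0.113.5 /search
1020 203.0.113.5 /search
1030 203.0.113.5 /search
1040 203.0.113.5 /search
1050 203.0.113.5 /search
1070 203.0.113.5 /search
1080 203.0.113.5 /search
"""


class TransactionGuard:
    """Per-IP sliding-window counter for expensive transactions, plus a record of
    whether the IP has visited anything else, so the 'search page repeatedly
    without any other page visit' pattern can be told apart from a heavy but
    otherwise normal session."""

    def __init__(self, expensive=EXPENSIVE, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.expensive = expensive
        self.window = window
        self.limit = limit
        self._recent = defaultdict(deque)   # ip -> timestamps of expensive requests
        self._other = defaultdict(set)      # ip -> non-expensive paths seen

    def observe(self, ts, ip, path):
        """Record one request; return None to allow it or a reason to block/limit it."""
        if path not in self.expensive:
            self._other[ip].add(path)
            return None
        q = self._recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) <= self.limit:
            return None
        if self._other[ip]:
            return "rate limit exceeded"
        return "expensive-transaction-only burst"


def parse_line(line):
    ts, ip, path = line.split()
    return int(ts), ip, path


def analyse(log_text, guard=None):
    """Replay a log through the guard in timestamp order; return {ip: reason}
    for every IP the guard would have limited at least once."""
    guard = guard or TransactionGuard()
    flagged = {}
    records = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, path in records:
        reason = guard.observe(ts, ip, path)
        if reason:
            flagged[ip] = reason
    return flagged


if __name__ == "__main__":
    for ip, reason in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

`observe` is the per-request decision a web tier would call inline, so the same class serves both the batch analysis of a log and live rate limiting; the reason string distinguishes the two responses Rory mentions, plain throttling of a transaction versus blocking a client whose only activity is the expensive page.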