[Owasp-topten] Top 10 Item Proposal: Missing Anti-Automation Defenses

Ryan Barnett ryan.barnett at owasp.org
Tue Mar 19 01:19:37 UTC 2013

From:  Dave Wichers <dave.wichers at owasp.org>
Date:  Monday, March 18, 2013 8:58 PM
To:  Ryan Barnett <ryan.barnett at owasp.org>, 'OWASP TopTen'
<owasp-topten at lists.owasp.org>
Subject:  RE: [Owasp-topten] Top 10 Item Proposal: Missing Anti-Automation

> I have a little trouble with a list of stats, where half the values are
> Œunknown¹. 
> Also, this is about what mechanisms get attacked the most (as captured by
> WHID), rather than the likelihood of those flaws existing, or the impact of
> such attacks.

You must keep in mind what WHID is.  It's starting point is a successful
compromise or direct negative impact to a web site that was reported on by
media.  This means that every entry has to have an identified Outcome (data
leakage, defacement, downtime, planting of malware, etcŠ).  The unknown
classifications are for attacks/weaknesses where the news story didn't
specify details.  For instance, sites that get defaced or infected with
malware often do not divulge the exact attack vector.

WHID is different than other web attack reports (from Imperva or FireHost,
etcŠ) because those reports are from WAF vendors and they are reporting on
attacks they blocked.  We don't know if the vuln actually even existed on
the target site.  WHID entries mean there was a weakness, it was
successuflly exploited and there was  negative outcome to the web app.

> So, yes, there may be LOTS of DDOS attacks identified by WHID, but how
> successful were they and what impact did they cause?

So, in this contect, every DoS entry in WHID was successful and resulted in
downtime for the web site.

> Since automation is also the cause of most attacks on the internet, I think
> the lack of anti-automation is a self selecting defense mechanism weakness
> that would be reported in any kind of incident database.
> I.e., imagine I used automation to attack 1,000,000 web sites in blocks of say
> 1000 at a time spread over time. If it was successful 0.1% of the time and
> those successes got reported to WHID. I might cause 1000 events to be
> registered in WHID making it the most common exploited flaw. But I don¹t think
> that¹s really accurate across the universe of threats to apps, or the primary
> risk organizations face with their web apps.

I am not proposing that WHID data is flawless or that it is all encompasing
but I do feel that it is data that should be analyzed and factored into our
decisions so that our list is backed by some type of data rather than merely
opinions.  We will still need to use our collection "expert opinions" but we
should at least consider these various attack report data sets.

> We do mention lack of Anti-Automation on the Additional Risks to consider
> page, but I recognize that¹s essentially in the fine print of the Top 10.
> -Dave
> From: owasp-topten-bounces at lists.owasp.org
> [mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Ryan Barnett
> Sent: Friday, March 15, 2013 8:54 AM
> To: OWASP TopTen
> Subject: [Owasp-topten] Top 10 Item Proposal: Missing Anti-Automation Defenses
> Taking at step back from the Web Server/App DoS debate for a moment and
> looking at the higher level issue.  In WASC WHID, we have different views of
> the data where the user can aggregate entries based on various components -
> http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database#Se
> archtheWHIDDatabase
> For Developers, they can aggregate bases on "Application Weaknesses" and get
> their view - 
> https://www.google.com/fusiontables/DataSource?snapid=S916401oaPG.
> Looking at this data, we see that the top confirmed weakness was "Insufficient
> Anti-Automation" protections.  While this weakness was exploited in large part
> by DoS/DDoS attacks, this weakness can also be exploited as part of other
> attacks types such as Brute Forcing auth credentials, enumerating SessionIDs,
> scraping of content, etc..
> Perhaps we could consider adding "Missing Anti-Automation Defenses" or
> something similarly named that could include all of these attack types.
> Thoughts?
> -Ryan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-topten/attachments/20130318/464e6069/attachment-0001.html>

More information about the Owasp-topten mailing list