3.19.2012

T5WTPYAFGP - Become Big Brother


At South by Southwest this year, during my talk Defense Against The Dark Arts - ESAPI I covered the "Top 5 Ways To Protect Your Application From Getting Pwnd" [T5WTPYAFGP]. After a couple offline conversations I decided that this would make an excellent series of follow-up blog posts so what follows is the adaptation of that presentation material from that talk. Unlike a lot of other Top-N lists, the goal of this one is not to iterate the flaws, but rather to iterate the solutions.

Additionally each post includes some samples on how you can use ESAPI to implement the solutions discussed.

You can use the navigation below to navigate between each of the posts.

[5] Encrypt Sensitive Information
[4] Become "Big Brother" [current]
[3] Fix Your URL

4. Become "Big Brother"
As much as "Big Brother" irritates and/or scares the pants off of us in the real world, it is your responsibility to take up this mantle for your application - or better yet, have the application do it for you all by itself!

Intrusion detection and prevention systems are a long accepted means of detecting and neutralizing threats to networks, but there is a common weakness that they all have in common - they are network devices. As a network device they have no context in the application and can only provide a pattern-based blacklist approach to protecting your web applications. While this is a valuable piece of the overall security puzzle, what is lacking is a way for the application to monitor and respond to attacks. The key to implementing this protection is to teach your application to understand user behavior.

What is User Behavior?
To understand user behavior all you have to do is understand how your application is intended to be used. If a user deviates from the happy path by trying to subvert or bypass logic that you have in place then they are exhibiting bad user behavior. However, no user is perfect and everyone occasionally makes mistakes. This is the primary purpose of thresholds - that is, how many times, or how much a user is allowed to deviate from the happy path before they are exhibiting bad user behavior.

As an example, let's take the log in functionality of an application. Logging in a a typical piece of functionality that exists in just about every dynamic web application in the world.

A typical flow chart for the log in process may look similar to this:
There are a lot of user behaviors that we can extrapolate from this process flow. Here are a few of them:

  1. Behavior: Anonymous User reaches (A) more than n times without reaching (C)
    Reaction: [1] notify admin of DoS - [2] ban user ip for n-minutes
  2. Behavior: Anonymous User reaches (D) more than n times with n different usernames
    Reaction: [1] notify admin of Brute Force - [2] ban user ip for n-minutes
  3. Behavior: Anonymous User reaches (E) after times reaching (G)
    Reaction: [1] notify admin of Brute Force/DoS - [2] ban user ip for n-minutes
Notice that in defining the behaviors, we are not altering the flow of the application itself, we are instead detecting conditions across the process flow and reacting to them. This is the true power of application layer intrusion detection and prevention. 

Once we have identified our user behaviors, we can start to educate our application on how to respond to these conditions. By design, to enable intrusion detection in your application, the only requirement is to configure it to be enabled in your ESAPI.properties file. Simply set the IntrusionDetector.Disable property to be false and you are in business. Once intrusion detection is enabled in your application, any exception that extends the EnterpriseSecurityException will raise an event that the intrusion detector can be configured to respond to.

In the ESAPI.properties file you will find a section for IntrusionDetection with a sample configuration for events. You can add custom events here and configure what actions should be taken as well as thresholds for those events.


Introducing AppSensor
Some friends at OWASP took the ESAPI Intrusion Detector and some ideas that they had and built one of the most powerful application layer intrusion detection and prevention components available today. This project, called AppSensor - is built on top of ESAPI so it integrates seamlessly with ESAPI and provides fantastic protection to your application. I highly recommend using AppSensor for anything other than the most basic of intrusion detection and prevention needs.


AppSensor builds on the ESAPI Intrusion Detection component to integrate a state of the art application layer intrusion detection solution that is "ESAPI-Aware" - that is, it is aware of and interacts with various ESAPI components.

What Does it all Mean?
To some it all up - it is your right and your responsibility to ensure the safety of your clients and partners while they are using your applications. Understanding user behavior and recognizing key indicators is the key to stopping attackers before they can attack you and your users and the key to understanding user behavior lies in establishing a flexible application layer intrusion prevention solution.

Stay tuned for #3 in this series - Fix Your URL.

1 comment:

  1. Welcome to mmoggg website to buy RS Gold, offer a lot, of course, Diablo 3 Gold or Diablo 3 Gold Kaufen and Cheap RS Gold, to be purchased at any time, at any time shipment, and look forward to your visit!

    ReplyDelete