SlideShare a Scribd company logo

Real Time Application Defenses - The Reality of AppSensor & ESAPI

Michael Coates
Michael Coates

OWASP AppSecUSA Presentation

Technology
1 of 51
Download to read offline
Real Time Application Defenses The Reality of AppSensor & ESAPI Michael Coates Mozilla - Web Security Lead mcoates@mozilla.com OWASP AppSecUSA The OWASP Foundation http://www.owasp.org Saturday, September 11, 2010 1
Real Time Application Defenses The Reality of AppSensor & ESAPI Michael Coates Web Security Lead - Mozilla Saturday, September 11, 2010 2
Agenda • Power of Application Intrusion Detection • ESAPI & AppSensor • Release of AppSensor-Tutorial • AppSensor @ Mozilla Saturday, September 11, 2010 3
AppSensor Team AppSensor Core Team Contributors Ryan Barnett Simon Bennetts Michael Coates August Detlefsen Randy Janida Jim Manico John Melton Giri Nambari Eric Sheridan John Stevens Colin Watson Kevin Wall Saturday, September 11, 2010 4
Power of Application Intrusion Detection Saturday, September 11, 2010 5
Status Quo Defense Capabilities • Build secure & hope for the best • Would you know if your application was currently under attack? • How confident are you against a skilled attacker? • Is your attack alert system based on watching the NYT for a front page article? Saturday, September 11, 2010 6
Attack Points: Requests, Auth, Session Saturday, September 11, 2010 7
Attack Points: Access Control Saturday, September 11, 2010 8
Attack Points: Input Validation Saturday, September 11, 2010 9
Attack Points: Business Logic Saturday, September 11, 2010 10
Numerous Attack Points Saturday, September 11, 2010 11
Defend with: Detection Points Saturday, September 11, 2010 12
Defend with: AppSensor Integration • Detection Points Report to AppSensor • AppSensor Integrates w/User Store • Enables Response Actions against User Object Saturday, September 11, 2010 13
Detect & Eliminate Threat • Strong control of authenticated portion • Lockout user • Disable account • Effective attack reporting for unauthenticated portion Saturday, September 11, 2010 14
AppSensor Eliminates Threats Saturday, September 11, 2010 15
AppSensor Eliminates Threats Block attacker & minimize threat Saturday, September 11, 2010 16
Current Approach !"#$%"& '"()*+& ,--.)#/01+& 213-%13)("& Build secure & hope for the best Saturday, September 11, 2010 17
AppSensor Approach !""#$%&'() *$+$%&$) Detect & eliminate threats Build as secure as possible Defend against the unknown #$,-($) *$&./%) !""0.,12'%) 3'4"('4.&$) Add layer of attack detection & prevention Saturday, September 11, 2010 18
Enhancing App Security Build Secure Security Code Review & Integrate Security into SDLC Penetration Testing Actively Defend Automated Response Attack Detection Application Trend to Quarantine Points Anomaly Detection Attackers Saturday, September 11, 2010 19
Why This Approach? • AppSensor - in the app, full user object interaction, full app knowledge • WAF - generic attack detection • Log Analysis - slow, reactive, ineffective Saturday, September 11, 2010 20
ESAPI & AppSensor Saturday, September 11, 2010 21
Integration Status • appsensor.jar ready to use w/ESAPI • AppSensor developer guide available http://www.owasp.org/index.php/AppSensor_Developer_Guide • AppSensor + ESAPI bundle planned for ESAPI 2.0 rc8 Saturday, September 11, 2010 22
ESAPI / AppSensor Adoption • AppSensor • ModSecurity • Major Insurance Company - AppSensor standard for all new web apps • Mozilla - AppSensor detection integrated into web apps • ESAPI - American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, Nationwide Insurance, U.S. Navy - SPAWAR, The World Bank, SANS Institute http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home Saturday, September 11, 2010 23
AppSensor.jar • Drop-in support for ESAPI • 3 Line configuration in ESAPI.properties • Define policies in appsensor.properties • Add detection points in code (2-3 lines each) • Done! Saturday, September 11, 2010 24
How Easy To Setup? ESAPI.IntrusionDetector=org.owasp.appsensor.intrusiondetection.AppSensorIntrusionDetector ESAPI.properties IntrusionDetector.X1.count=2 IntrusionDetector.X1.interval=35 IntrusionDetector.X1.actions=log,logout,disableComponentForUser IntrusionDetector.X1.disableComponentForUser.duration=30 IntrusionDetector.X1.disableComponentForUser.timeScale=m appsensor.properties if (AttackDetected){ new AppSensorException( “X1”,"User Error Message", "Logged Error Message" + "("+ request.getRequestURI()+ ")" + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")"); } code Saturday, September 11, 2010 25
Detecting Attacks • 50+ attack detection points and growing • Grouped into logical areas • Request, Auth, Input, Access etc • Most have nearly zero false positive rate • POST When Expecting GET • Evading Presentation Access Control Through Custom POST • Attempt to Invoke Unsupported HTTP Method http://www.owasp.org/index.php/AppSensor_DetectionPoints Saturday, September 11, 2010 26
Release of AppSensor-Tutorial Saturday, September 11, 2010 27
AppSensor-Tutorial http://code.google.com/p/appsensor/ source/browse/#svn/trunk/AppSensor- Tutorial Saturday, September 11, 2010 28
AppSensor-Tutorial • Lesson Based Application • Concise & Simple Demo of ESAPI & AppSensor Code • Purely JSP w/Java libs Saturday, September 11, 2010 29
Lesson Format • Simple form with text input or drop down • Malicious data checked by ESAPI or AppSensor • Detection point listed with response actions / intrusion count Saturday, September 11, 2010 30
Lesson 1: Validate w/ ESAPI Validator.HTTPParameterName= ^[a-zA-Z0-9_]{0,32}$ Validator.HTTPParameterValue= ^[a-zA-Z0-9.-/+=_ ]*$ ESAPI.properties String dataResult = ""; try { dataResult = ESAPI.httpUtilities() .getParameter(request,"attackstring"); IntrusionDetector.Total.count=3 } catch (ValidationException e){ IntrusionDetector.Total.interval=30 //ESAPI Validation Exception //Processed by AppSensor IntrusionDetector.Total.actions=logout // Automatically } lesson1.jsp appsensor.properties Saturday, September 11, 2010 31
Lesson 2 Validate w/ AppSensor • Use AppSensor AttackDetectorUtils.verifyXSSAttack • Customizable black list approach (regex) • Catch obvious XSS probes • alert(document.cookie) • <img src=.*script • <iframe>.*</iframe> Saturday, September 11, 2010 32
Lesson 2 - The Code dataResult = request.getParameter("attackstring"); boolean attackDetected = org.owasp.appsensor.AttackDetectorUtils.verifyXSSAttack(dataResult); if (attackDetected) { dataResult = "Exception Caught By ESAPI Validation"; new AppSensorException( appsensorID,"Invalid Input per AppSensor Detection", "Attacker is sending input that violates defined whitelists" + "("+ request.getRequestURI()+ ")" + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")"); dataResult = "removed"; } lesson2.jsp Saturday, September 11, 2010 33
Lesson 2 appsensor.properties • Define regex black xss.attack.patterns= "><script>, list of xss patterns script.*document.cookie, <script>, • Black list ok for <IMG.*SRC.*=.*script, attack detection <iframe>.*</iframe> ... • Define response IntrusionDetector.IE1.count=3 thresholds as IntrusionDetector.IE1.interval=30 normal IntrusionDetector.IE1.actions=log,logout appsensor.properties Saturday, September 11, 2010 34
lesson 3 Per User Page Blocking • Disable user’s access to the page • Good solution for sensitive operations - transfer funds, update address • Just affects malicious user • Simple with AppSensor Saturday, September 11, 2010 35
lesson 3 - The Code ASUser user = APPSENSOR.asUtilities().getCurrentUser(); boolean isActive = AppSensorServiceController.isServiceActiveForSpecificUser (request.getRequestURI(),user); if (!(isActive)){ %>This page has been disabled<% }else{ //display normal page lesson3.jsp Saturday, September 11, 2010 36
Lesson 3 appsensor.properties • Define normal thresholds • Define how long page is disabled for user (30 minutes) IntrusionDetector.IE12.count=2 IntrusionDetector.IE12.interval=35 IntrusionDetector.IE12.actions=disableComponentForUser IntrusionDetector.IE12.disableComponentForUser.duration=30 IntrusionDetector.IE12.disableComponentForUser.timeScale=m appsensor.properties Saturday, September 11, 2010 37
Lesson 4 Full Feature Blocking • Block access to all users • Possible for critical pages • Better to shutoff page and investigate than Saturday, September 11, 2010 38
lesson 4 - The Code boolean isActiveForEveryone = AppSensorServiceController.isServiceActive (request.getRequestURI()); if (!(isActiveForEveryone)){ %>Page has been disabled for everyone<% } lesson4.jsp IntrusionDetector.IE12.actions=disableComponent IntrusionDetector.IE12.disableComponent.duration=10 appsensor.properties Saturday, September 11, 2010 39
Additional Response Capabilities http://www.owasp.org/index.php/ File:Owasp-appsensor-responses.pdf Saturday, September 11, 2010 40
Additional Response Capabilities Saturday, September 11, 2010 41
AppSensor @ Mozilla Saturday, September 11, 2010 42
Mozilla Threat Profile • Lots of users • Many web apps • Apps constantly growing & changing • All code open source Saturday, September 11, 2010 43
Mozilla Services • Firefox Sync • Millions of users • Service based app • Stores encrypted user data • Example detection points • Credential mismatch within URL request • Tampering with reset code • Account delete attempt without password Saturday, September 11, 2010 44
What to Capture • Threat model attack scenarios • Access Control Failures • Account lockouts • Failed CAPTCHA • Monitor trends of interesting events • New privileged account created • Password reset requested • Account creations • Sensitive bug access • New attachment Saturday, September 11, 2010 45
SIM Deployment Saturday, September 11, 2010 46
Common Event Format (CEF) • Emerging standard on logging format CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 • Easily parsed by 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 security dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/ integration abc.php?a=b cs1Label=requestClientApplication manager (sim) cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/ 20100316 Firefox/3.6.2 msg=Additional Data here • Enables AppSensor Logging Saturday, September 11, 2010 47
Detection Point w/CEF if (!$authdb->authenticate_user(fix_utf8_encoding($auth_pw))) ! ! { ! ! ! if ($cef) ! ! ! { ! ! ! ! $message = new CommonEventFormatMessage( WEAVE_CEF_AUTH_FAILURE, 'User Authentication Failed', 3, ! ! ! array('username' => $url_user, 'requestip' => get_source_ip())); ! ! ! ! $cef->logMessage($message); ! ! ! } ! ! ! report_problem('Authentication failed', '401'); } http://hg.mozilla.org/services/ Saturday, September 11, 2010 48
Data Analysis Saturday, September 11, 2010 49
Trend Analysis Saturday, September 11, 2010 50
AppSensor - More Info http://www.owasp.org/index.php/ Category:OWASP_AppSensor_Project http://code.google.com/p/appsensor/ owasp-appsensor-project@lists.owasp.org mcoates@mozilla.com michael.coates@owasp.org http://michael-coates.blogspot.com @_mwc Saturday, September 11, 2010 51

Recommended

OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
Francois Marier
 
Circl eco
Circl ecoCircl eco
Circl eco
uisgslide
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
uisgslide
 
Road towards Owasp Orizon 2.0 (November 2009 update)
Road towards Owasp Orizon 2.0 (November 2009 update)Road towards Owasp Orizon 2.0 (November 2009 update)
Road towards Owasp Orizon 2.0 (November 2009 update)
Paolo Perego
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
uisgslide
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 

Recommended

OWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwords
Francois Marier
 
Circl eco
Circl ecoCircl eco
Circl eco
uisgslide
 
Owasp healthcare cms
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cms
uisgslide
 
Road towards Owasp Orizon 2.0 (November 2009 update)
Road towards Owasp Orizon 2.0 (November 2009 update)Road towards Owasp Orizon 2.0 (November 2009 update)
Road towards Owasp Orizon 2.0 (November 2009 update)
Paolo Perego
 
Sandbox kiev
Sandbox kievSandbox kiev
Sandbox kiev
uisgslide
 
OWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newerOWASP 2013 Limerick - ZAP: Whats even newer
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP IntroOWASP 2012 AppSec Dublin ZAP Intro
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
Download Indexed Cache
Download Indexed CacheDownload Indexed Cache
Download Indexed Cache
Christian Heinrich
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
Milton Smith
 
What's Our Software Doing With All That User Input
What's Our Software Doing With All That User InputWhat's Our Software Doing With All That User Input
What's Our Software Doing With All That User Input
Kim Carter
 
Gauntlt Rugged By Example
Gauntlt Rugged By Example Gauntlt Rugged By Example
Gauntlt Rugged By Example
James Wickett
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Ajin Abraham
 
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
Patrick Leclerc
 
Group fs owasp_26-11-14
Group fs owasp_26-11-14Group fs owasp_26-11-14
Group fs owasp_26-11-14
uisgslide
 
OWASP Québec - octobre 2016 - présentation sur les mots de passe
OWASP Québec - octobre 2016 - présentation sur les mots de passeOWASP Québec - octobre 2016 - présentation sur les mots de passe
OWASP Québec - octobre 2016 - présentation sur les mots de passe
Patrick Leclerc
 
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
RootedCON
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Scareware Traversing the World via Ireland
Scareware Traversing the World via IrelandScareware Traversing the World via Ireland
Scareware Traversing the World via Ireland
Mark Hillick
 
Alex hutton metricon
Alex hutton metriconAlex hutton metricon
Alex hutton metricon
Alexander Hutton
 
Lenny zeltser social engineering attacks
Lenny zeltser social engineering attacksLenny zeltser social engineering attacks
Lenny zeltser social engineering attacks
Travis Barnes
 
Akka scalaliftoff london_2010
Akka scalaliftoff london_2010Akka scalaliftoff london_2010
Akka scalaliftoff london_2010
Skills Matter
 

More Related Content

Viewers also liked

OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
Patrick Leclerc
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 

Viewers also liked (17)

JoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
 
Download Indexed Cache
Download Indexed CacheDownload Indexed Cache
Download Indexed Cache
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
What's Our Software Doing With All That User Input
What's Our Software Doing With All That User InputWhat's Our Software Doing With All That User Input
What's Our Software Doing With All That User Input
 
Gauntlt Rugged By Example
Gauntlt Rugged By Example Gauntlt Rugged By Example
Gauntlt Rugged By Example
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
 
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
 
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
 
Group fs owasp_26-11-14
Group fs owasp_26-11-14Group fs owasp_26-11-14
Group fs owasp_26-11-14
 
OWASP Québec - octobre 2016 - présentation sur les mots de passe
OWASP Québec - octobre 2016 - présentation sur les mots de passeOWASP Québec - octobre 2016 - présentation sur les mots de passe
OWASP Québec - octobre 2016 - présentation sur les mots de passe
 
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
 
OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Building an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 

Similar to Real Time Application Defenses - The Reality of AppSensor & ESAPI

Lenny zeltser social engineering attacks
Lenny zeltser social engineering attacksLenny zeltser social engineering attacks
Lenny zeltser social engineering attacks
Travis Barnes
 
Akka scalaliftoff london_2010
Akka scalaliftoff london_2010Akka scalaliftoff london_2010
Akka scalaliftoff london_2010
Skills Matter
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
Ammar WK
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
Black Duck by Synopsys
 

Similar to Real Time Application Defenses - The Reality of AppSensor & ESAPI (17)

Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Scareware Traversing the World via Ireland
Scareware Traversing the World via IrelandScareware Traversing the World via Ireland
Scareware Traversing the World via Ireland
 
Alex hutton metricon
Alex hutton metriconAlex hutton metricon
Alex hutton metricon
 
Lenny zeltser social engineering attacks
Lenny zeltser social engineering attacksLenny zeltser social engineering attacks
Lenny zeltser social engineering attacks
 
Akka scalaliftoff london_2010
Akka scalaliftoff london_2010Akka scalaliftoff london_2010
Akka scalaliftoff london_2010
 
SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
 
Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
Cross-Platform, Native Mobile Development with a DSL
Cross-Platform, Native Mobile Development with a DSLCross-Platform, Native Mobile Development with a DSL
Cross-Platform, Native Mobile Development with a DSL
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Mobile hacking, pentest, and malware
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
 
CodeMorphic at MinneWebCon 2010
CodeMorphic at MinneWebCon 2010CodeMorphic at MinneWebCon 2010
CodeMorphic at MinneWebCon 2010
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Webinar: "Il software: la strategia vincente sta nella qualità"
Webinar: "Il software: la strategia vincente sta nella qualità"Webinar: "Il software: la strategia vincente sta nella qualità"
Webinar: "Il software: la strategia vincente sta nella qualità"
 
Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010
 

More from Michael Coates

Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
Michael Coates
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
Michael Coates
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
Michael Coates
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
Michael Coates
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
Michael Coates
 

More from Michael Coates (10)

Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
2013 michael coates-javaone
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
 
Sf startup-security
Sf startup-securitySf startup-security
Sf startup-security
 
Bug Bounty Programs For The Web
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
 
SQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
SSL Screw Ups
SSL Screw UpsSSL Screw Ups
SSL Screw Ups
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 

Real Time Application Defenses - The Reality of AppSensor & ESAPI

  • 1. Real Time Application Defenses The Reality of AppSensor & ESAPI Michael Coates Mozilla - Web Security Lead mcoates@mozilla.com OWASP AppSecUSA The OWASP Foundation http://www.owasp.org Saturday, September 11, 2010 1
  • 2. Real Time Application Defenses The Reality of AppSensor & ESAPI Michael Coates Web Security Lead - Mozilla Saturday, September 11, 2010 2
  • 3. Agenda • Power of Application Intrusion Detection • ESAPI & AppSensor • Release of AppSensor-Tutorial • AppSensor @ Mozilla Saturday, September 11, 2010 3
  • 4. AppSensor Team AppSensor Core Team Contributors Ryan Barnett Simon Bennetts Michael Coates August Detlefsen Randy Janida Jim Manico John Melton Giri Nambari Eric Sheridan John Stevens Colin Watson Kevin Wall Saturday, September 11, 2010 4
  • 5. Power of Application Intrusion Detection Saturday, September 11, 2010 5
  • 6. Status Quo Defense Capabilities • Build secure & hope for the best • Would you know if your application was currently under attack? • How confident are you against a skilled attacker? • Is your attack alert system based on watching the NYT for a front page article? Saturday, September 11, 2010 6
  • 7. Attack Points: Requests, Auth, Session Saturday, September 11, 2010 7
  • 8. Attack Points: Access Control Saturday, September 11, 2010 8
  • 9. Attack Points: Input Validation Saturday, September 11, 2010 9
  • 10. Attack Points: Business Logic Saturday, September 11, 2010 10
  • 11. Numerous Attack Points Saturday, September 11, 2010 11
  • 12. Defend with: Detection Points Saturday, September 11, 2010 12
  • 13. Defend with: AppSensor Integration • Detection Points Report to AppSensor • AppSensor Integrates w/User Store • Enables Response Actions against User Object Saturday, September 11, 2010 13
  • 14. Detect & Eliminate Threat • Strong control of authenticated portion • Lockout user • Disable account • Effective attack reporting for unauthenticated portion Saturday, September 11, 2010 14
  • 15. AppSensor Eliminates Threats Saturday, September 11, 2010 15
  • 16. AppSensor Eliminates Threats Block attacker & minimize threat Saturday, September 11, 2010 16
  • 17. Current Approach !"#$%"& '"()*+& ,--.)#/01+& 213-%13)("& Build secure & hope for the best Saturday, September 11, 2010 17
  • 18. AppSensor Approach !""#$%&'() *$+$%&$) Detect & eliminate threats Build as secure as possible Defend against the unknown #$,-($) *$&./%) !""0.,12'%) 3'4"('4.&$) Add layer of attack detection & prevention Saturday, September 11, 2010 18
  • 19. Enhancing App Security Build Secure Security Code Review & Integrate Security into SDLC Penetration Testing Actively Defend Automated Response Attack Detection Application Trend to Quarantine Points Anomaly Detection Attackers Saturday, September 11, 2010 19
  • 20. Why This Approach? • AppSensor - in the app, full user object interaction, full app knowledge • WAF - generic attack detection • Log Analysis - slow, reactive, ineffective Saturday, September 11, 2010 20
  • 21. ESAPI & AppSensor Saturday, September 11, 2010 21
  • 22. Integration Status • appsensor.jar ready to use w/ESAPI • AppSensor developer guide available http://www.owasp.org/index.php/AppSensor_Developer_Guide • AppSensor + ESAPI bundle planned for ESAPI 2.0 rc8 Saturday, September 11, 2010 22
  • 23. ESAPI / AppSensor Adoption • AppSensor • ModSecurity • Major Insurance Company - AppSensor standard for all new web apps • Mozilla - AppSensor detection integrated into web apps • ESAPI - American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, Nationwide Insurance, U.S. Navy - SPAWAR, The World Bank, SANS Institute http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home Saturday, September 11, 2010 23
  • 24. AppSensor.jar • Drop-in support for ESAPI • 3 Line configuration in ESAPI.properties • Define policies in appsensor.properties • Add detection points in code (2-3 lines each) • Done! Saturday, September 11, 2010 24
  • 25. How Easy To Setup? ESAPI.IntrusionDetector=org.owasp.appsensor.intrusiondetection.AppSensorIntrusionDetector ESAPI.properties IntrusionDetector.X1.count=2 IntrusionDetector.X1.interval=35 IntrusionDetector.X1.actions=log,logout,disableComponentForUser IntrusionDetector.X1.disableComponentForUser.duration=30 IntrusionDetector.X1.disableComponentForUser.timeScale=m appsensor.properties if (AttackDetected){ new AppSensorException( “X1”,"User Error Message", "Logged Error Message" + "("+ request.getRequestURI()+ ")" + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")"); } code Saturday, September 11, 2010 25
  • 26. Detecting Attacks • 50+ attack detection points and growing • Grouped into logical areas • Request, Auth, Input, Access etc • Most have nearly zero false positive rate • POST When Expecting GET • Evading Presentation Access Control Through Custom POST • Attempt to Invoke Unsupported HTTP Method http://www.owasp.org/index.php/AppSensor_DetectionPoints Saturday, September 11, 2010 26
  • 28. AppSensor-Tutorial http://code.google.com/p/appsensor/ source/browse/#svn/trunk/AppSensor- Tutorial Saturday, September 11, 2010 28
  • 29. AppSensor-Tutorial • Lesson Based Application • Concise & Simple Demo of ESAPI & AppSensor Code • Purely JSP w/Java libs Saturday, September 11, 2010 29
  • 30. Lesson Format • Simple form with text input or drop down • Malicious data checked by ESAPI or AppSensor • Detection point listed with response actions / intrusion count Saturday, September 11, 2010 30
  • 31. Lesson 1: Validate w/ ESAPI Validator.HTTPParameterName= ^[a-zA-Z0-9_]{0,32}$ Validator.HTTPParameterValue= ^[a-zA-Z0-9.-/+=_ ]*$ ESAPI.properties String dataResult = ""; try { dataResult = ESAPI.httpUtilities() .getParameter(request,"attackstring"); IntrusionDetector.Total.count=3 } catch (ValidationException e){ IntrusionDetector.Total.interval=30 //ESAPI Validation Exception //Processed by AppSensor IntrusionDetector.Total.actions=logout // Automatically } lesson1.jsp appsensor.properties Saturday, September 11, 2010 31
  • 32. Lesson 2 Validate w/ AppSensor • Use AppSensor AttackDetectorUtils.verifyXSSAttack • Customizable black list approach (regex) • Catch obvious XSS probes • alert(document.cookie) • <img src=.*script • <iframe>.*</iframe> Saturday, September 11, 2010 32
  • 33. Lesson 2 - The Code dataResult = request.getParameter("attackstring"); boolean attackDetected = org.owasp.appsensor.AttackDetectorUtils.verifyXSSAttack(dataResult); if (attackDetected) { dataResult = "Exception Caught By ESAPI Validation"; new AppSensorException( appsensorID,"Invalid Input per AppSensor Detection", "Attacker is sending input that violates defined whitelists" + "("+ request.getRequestURI()+ ")" + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")"); dataResult = "removed"; } lesson2.jsp Saturday, September 11, 2010 33
  • 34. Lesson 2 appsensor.properties • Define regex black xss.attack.patterns= "><script>, list of xss patterns script.*document.cookie, <script>, • Black list ok for <IMG.*SRC.*=.*script, attack detection <iframe>.*</iframe> ... • Define response IntrusionDetector.IE1.count=3 thresholds as IntrusionDetector.IE1.interval=30 normal IntrusionDetector.IE1.actions=log,logout appsensor.properties Saturday, September 11, 2010 34
  • 35. lesson 3 Per User Page Blocking • Disable user’s access to the page • Good solution for sensitive operations - transfer funds, update address • Just affects malicious user • Simple with AppSensor Saturday, September 11, 2010 35
  • 36. lesson 3 - The Code ASUser user = APPSENSOR.asUtilities().getCurrentUser(); boolean isActive = AppSensorServiceController.isServiceActiveForSpecificUser (request.getRequestURI(),user); if (!(isActive)){ %>This page has been disabled<% }else{ //display normal page lesson3.jsp Saturday, September 11, 2010 36
  • 37. Lesson 3 appsensor.properties • Define normal thresholds • Define how long page is disabled for user (30 minutes) IntrusionDetector.IE12.count=2 IntrusionDetector.IE12.interval=35 IntrusionDetector.IE12.actions=disableComponentForUser IntrusionDetector.IE12.disableComponentForUser.duration=30 IntrusionDetector.IE12.disableComponentForUser.timeScale=m appsensor.properties Saturday, September 11, 2010 37
  • 38. Lesson 4 Full Feature Blocking • Block access to all users • Possible for critical pages • Better to shutoff page and investigate than Saturday, September 11, 2010 38
  • 39. lesson 4 - The Code boolean isActiveForEveryone = AppSensorServiceController.isServiceActive (request.getRequestURI()); if (!(isActiveForEveryone)){ %>Page has been disabled for everyone<% } lesson4.jsp IntrusionDetector.IE12.actions=disableComponent IntrusionDetector.IE12.disableComponent.duration=10 appsensor.properties Saturday, September 11, 2010 39
  • 40. Additional Response Capabilities http://www.owasp.org/index.php/ File:Owasp-appsensor-responses.pdf Saturday, September 11, 2010 40
  • 41. Additional Response Capabilities Saturday, September 11, 2010 41
  • 42. AppSensor @ Mozilla Saturday, September 11, 2010 42
  • 43. Mozilla Threat Profile • Lots of users • Many web apps • Apps constantly growing & changing • All code open source Saturday, September 11, 2010 43
  • 44. Mozilla Services • Firefox Sync • Millions of users • Service based app • Stores encrypted user data • Example detection points • Credential mismatch within URL request • Tampering with reset code • Account delete attempt without password Saturday, September 11, 2010 44
  • 45. What to Capture • Threat model attack scenarios • Access Control Failures • Account lockouts • Failed CAPTCHA • Monitor trends of interesting events • New privileged account created • Password reset requested • Account creations • Sensitive bug access • New attachment Saturday, September 11, 2010 45
  • 47. Common Event Format (CEF) • Emerging standard on logging format CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 • Easily parsed by 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 security dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/ integration abc.php?a=b cs1Label=requestClientApplication manager (sim) cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/ 20100316 Firefox/3.6.2 msg=Additional Data here • Enables AppSensor Logging Saturday, September 11, 2010 47
  • 48. Detection Point w/CEF if (!$authdb->authenticate_user(fix_utf8_encoding($auth_pw))) ! ! { ! ! ! if ($cef) ! ! ! { ! ! ! ! $message = new CommonEventFormatMessage( WEAVE_CEF_AUTH_FAILURE, 'User Authentication Failed', 3, ! ! ! array('username' => $url_user, 'requestip' => get_source_ip())); ! ! ! ! $cef->logMessage($message); ! ! ! } ! ! ! report_problem('Authentication failed', '401'); } http://hg.mozilla.org/services/ Saturday, September 11, 2010 48
  • 51. AppSensor - More Info http://www.owasp.org/index.php/ Category:OWASP_AppSensor_Project http://code.google.com/p/appsensor/ owasp-appsensor-project@lists.owasp.org mcoates@mozilla.com michael.coates@owasp.org http://michael-coates.blogspot.com @_mwc Saturday, September 11, 2010 51