Real Time Application Defenses - The Reality of AppSensor & ESAPI

Michael Coates
Sep. 11, 2010
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
Real Time Application Defenses - The Reality of AppSensor & ESAPI
1 of 51

Real Time Application Defenses - The Reality of AppSensor & ESAPI

Sep. 11, 2010
Download to read offline
Technology

OWASP AppSecUSA Presentation

Michael Coates

Recommended

OWASP 2013 AppSec EU Hamburg - ZAP InnovationsOWASP 2013 AppSec EU Hamburg - ZAP Innovations
OWASP 2013 AppSec EU Hamburg - ZAP InnovationsSimon Bennetts2.8K views31 slides
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier1.1K views135 slides
Circl ecoCircl eco
Circl ecouisgslide785 views13 slides
Owasp healthcare cmsOwasp healthcare cms
Owasp healthcare cmsuisgslide597 views16 slides
Road towards Owasp Orizon 2.0 (November 2009 update)Road towards Owasp Orizon 2.0 (November 2009 update)
Road towards Owasp Orizon 2.0 (November 2009 update)Paolo Perego1.8K views15 slides
Sandbox kievSandbox kiev
Sandbox kievuisgslide1.5K views35 slides

More Related Content

Viewers also liked

JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP IntroSimon Bennetts1.6K views12 slides
Download Indexed CacheDownload Indexed Cache
Download Indexed CacheChristian Heinrich1.7K views43 slides
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith6.2K views73 slides
What's Our Software Doing With All That User InputWhat's Our Software Doing With All That User Input
What's Our Software Doing With All That User InputKim Carter1.3K views30 slides
Gauntlt Rugged By Example Gauntlt Rugged By Example
Gauntlt Rugged By Example James Wickett1.8K views106 slides
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonSimon Bennetts4.2K views31 slides

Viewers also liked(17)

JoinSEC 2013 London - ZAP IntroJoinSEC 2013 London - ZAP Intro
JoinSEC 2013 London - ZAP Intro
Simon Bennetts1.6K views
Download Indexed CacheDownload Indexed Cache
Download Indexed Cache
Christian Heinrich1.7K views
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
Milton Smith6.2K views
What's Our Software Doing With All That User InputWhat's Our Software Doing With All That User Input
What's Our Software Doing With All That User Input
Kim Carter1.3K views
Gauntlt Rugged By Example Gauntlt Rugged By Example
Gauntlt Rugged By Example
James Wickett1.8K views
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts4.2K views
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Pwning with XSS: from alert() to reverse shell: Defcon Banglore 2013
Ajin Abraham10.3K views
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
OWASP Québec - Attaques et techniques de défense des sessions Web - par Louis...
Patrick Leclerc931 views
Group fs owasp_26-11-14Group fs owasp_26-11-14
Group fs owasp_26-11-14
uisgslide805 views
OWASP Québec - octobre 2016 - présentation sur les mots de passeOWASP Québec - octobre 2016 - présentation sur les mots de passe
OWASP Québec - octobre 2016 - présentation sur les mots de passe
Patrick Leclerc820 views
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
Lord Epsylon - XSSer: the cross site scripting framework [RootedCON 2012]
RootedCON2.1K views
OWASP 2013 APPSEC USA Talk - OWASP ZAPOWASP 2013 APPSEC USA Talk - OWASP ZAP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts4.4K views
OWASP WTE - Now in the Cloud!OWASP WTE - Now in the Cloud!
OWASP WTE - Now in the Cloud!
Matt Tesauro15.3K views
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
Christopher Frohoff132.3K views
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix24.6K views
Building an AppSec Pipeline: Keeping your program, and your life, saneBuilding an AppSec Pipeline: Keeping your program, and your life, sane
Building an AppSec Pipeline: Keeping your program, and your life, sane
weaveraaaron8K views
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich34.8K views

Similar to Real Time Application Defenses - The Reality of AppSensor & ESAPI

Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd1.7K views23 slides
Scareware Traversing the World via IrelandScareware Traversing the World via Ireland
Scareware Traversing the World via IrelandMark Hillick1.5K views44 slides
Alex hutton metriconAlex hutton metricon
Alex hutton metriconAlexander Hutton601 views49 slides
Lenny zeltser social engineering attacksLenny zeltser social engineering attacks
Lenny zeltser social engineering attacksTravis Barnes655 views68 slides
Akka scalaliftoff london_2010Akka scalaliftoff london_2010
Akka scalaliftoff london_2010Skills Matter139 views145 slides
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)Priyanka Aash2.9K views79 slides

Similar to Real Time Application Defenses - The Reality of AppSensor & ESAPI(17)

Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd1.7K views
Scareware Traversing the World via IrelandScareware Traversing the World via Ireland
Scareware Traversing the World via Ireland
Mark Hillick1.5K views
Alex hutton metriconAlex hutton metricon
Alex hutton metricon
Alexander Hutton601 views
Lenny zeltser social engineering attacksLenny zeltser social engineering attacks
Lenny zeltser social engineering attacks
Travis Barnes655 views
Akka scalaliftoff london_2010Akka scalaliftoff london_2010
Akka scalaliftoff london_2010
Skills Matter139 views
SACON - Automating SecOps (Murray Goldschmidt)SACON - Automating SecOps (Murray Goldschmidt)
SACON - Automating SecOps (Murray Goldschmidt)
Priyanka Aash2.9K views
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
Stefano Di Paola943 views
Cross-Platform, Native Mobile Development with a DSLCross-Platform, Native Mobile Development with a DSL
Cross-Platform, Native Mobile Development with a DSL
Peter Friese1.3K views
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
Source Conference886 views
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
Jack Mannino3K views
Mobile hacking, pentest, and malwareMobile hacking, pentest, and malware
Mobile hacking, pentest, and malware
Ammar WK2K views
CodeMorphic at MinneWebCon 2010CodeMorphic at MinneWebCon 2010
CodeMorphic at MinneWebCon 2010
CodeMorphic, Inc.566 views
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
Black Duck by Synopsys705 views
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security972 views
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham26K views
Webinar: "Il software: la strategia vincente sta nella qualità"Webinar: "Il software: la strategia vincente sta nella qualità"
Webinar: "Il software: la strategia vincente sta nella qualità"
Emerasoft, solutions to collaborate173 views
Pony Pwning Djangocon 2010Pony Pwning Djangocon 2010
Pony Pwning Djangocon 2010
Adam Baldwin627 views

More from Michael Coates

Self Defending ApplicationsSelf Defending Applications
Self Defending ApplicationsMichael Coates8.9K views50 slides
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareMichael Coates7.3K views55 slides
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates19K views64 slides
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates277.9K views17 slides
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaoneMichael Coates10.4K views35 slides
Sf startup-securitySf startup-security
Sf startup-securityMichael Coates8.1K views25 slides

More from Michael Coates(10)

Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
Michael Coates8.9K views
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
Michael Coates7.3K views
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
Michael Coates19K views
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Michael Coates277.9K views
2013 michael coates-javaone2013 michael coates-javaone
2013 michael coates-javaone
Michael Coates10.4K views
Sf startup-securitySf startup-security
Sf startup-security
Michael Coates8.1K views
Bug Bounty Programs For The WebBug Bounty Programs For The Web
Bug Bounty Programs For The Web
Michael Coates15K views
SQL Injection - Mozilla Security Learning CenterSQL Injection - Mozilla Security Learning Center
SQL Injection - Mozilla Security Learning Center
Michael Coates8.1K views
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates6.1K views
SSL Screw UpsSSL Screw Ups
SSL Screw Ups
Michael Coates8.4K views

Recently uploaded

dvss.pptdvss.ppt
dvss.pptSaikrishnaCheruvu1354 views1 slide
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)Alex Pruden17 views39 slides
How SACCOs can increase their memberships AD_compressed (1).pdfHow SACCOs can increase their memberships AD_compressed (1).pdf
How SACCOs can increase their memberships AD_compressed (1).pdfCoretecDigital75 views14 slides
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...DianaGray1067 views14 slides
Deploying CloudStack with CephDeploying CloudStack with Ceph
Deploying CloudStack with CephShapeBlue108 views8 slides
INASLA_AI and Landscape Architecture.pptxINASLA_AI and Landscape Architecture.pptx
INASLA_AI and Landscape Architecture.pptxJonathon Geels66 views26 slides

Recently uploaded(20)

dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden17 views
How SACCOs can increase their memberships AD_compressed (1).pdfHow SACCOs can increase their memberships AD_compressed (1).pdf
How SACCOs can increase their memberships AD_compressed (1).pdf
CoretecDigital75 views
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...
DianaGray1067 views
Deploying CloudStack with CephDeploying CloudStack with Ceph
Deploying CloudStack with Ceph
ShapeBlue108 views
INASLA_AI and Landscape Architecture.pptxINASLA_AI and Landscape Architecture.pptx
INASLA_AI and Landscape Architecture.pptx
Jonathon Geels66 views
Graph Neural Networks.pptxGraph Neural Networks.pptx
Graph Neural Networks.pptx
Kumar Iyer19 views
GDSC_Info_Session_KITTiptur.pptxGDSC_Info_Session_KITTiptur.pptx
GDSC_Info_Session_KITTiptur.pptx
RadhikaNA38 views
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1
DianaGray10179 views
Workshop on IoT and Basic Home Automation_BAIUST.pptxWorkshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptx
Redwan Ferdous27 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
What’s new in Kotlin 12-08-2023 Google IO Cairo 23What’s new in Kotlin 12-08-2023 Google IO Cairo 23
What’s new in Kotlin 12-08-2023 Google IO Cairo 23
Ahmed Nabil66 views
CloudStack Object Storage Framework & DemoCloudStack Object Storage Framework & Demo
CloudStack Object Storage Framework & Demo
ShapeBlue109 views
Orbyfy Grid e-Services_vFx.pdfOrbyfy Grid e-Services_vFx.pdf
Orbyfy Grid e-Services_vFx.pdf
Orbyfy19 views
Asterisk UpdateAsterisk Update
Asterisk Update
OpenDireito15 views
Future of Virtual realityFuture of Virtual reality
Future of Virtual reality
mdpavel413 views
GDSC23 SAC - Info Session GDSC.pptxGDSC23 SAC - Info Session GDSC.pptx
GDSC23 SAC - Info Session GDSC.pptx
SAC221 views
DigitalWisers Onepager.pdfDigitalWisers Onepager.pdf
DigitalWisers Onepager.pdf
Mustafa Kuğu165 views
Doorsvision-The-Future-of-Smart-Communities gama adj.pdfDoorsvision-The-Future-of-Smart-Communities gama adj.pdf
Doorsvision-The-Future-of-Smart-Communities gama adj.pdf
Mustafa Kuğu84 views
Artificial Intelligence (AI).pptxArtificial Intelligence (AI).pptx
Artificial Intelligence (AI).pptx
SharifulShishir49 views

Real Time Application Defenses - The Reality of AppSensor & ESAPI

  1. Real Time Application Defenses The Reality of AppSensor & ESAPI Michael Coates Mozilla - Web Security Lead mcoates@mozilla.com OWASP AppSecUSA The OWASP Foundation http://www.owasp.org Saturday, September 11, 2010 1

  2. Real Time Application Defenses The Reality of AppSensor & ESAPI Michael Coates Web Security Lead - Mozilla Saturday, September 11, 2010 2

  3. Agenda • Power of Application Intrusion Detection • ESAPI & AppSensor • Release of AppSensor-Tutorial • AppSensor @ Mozilla Saturday, September 11, 2010 3

  4. AppSensor Team AppSensor Core Team Contributors Ryan Barnett Simon Bennetts Michael Coates August Detlefsen Randy Janida Jim Manico John Melton Giri Nambari Eric Sheridan John Stevens Colin Watson Kevin Wall Saturday, September 11, 2010 4

  5. Power of Application Intrusion Detection Saturday, September 11, 2010 5

  6. Status Quo Defense Capabilities • Build secure & hope for the best • Would you know if your application was currently under attack? • How confident are you against a skilled attacker? • Is your attack alert system based on watching the NYT for a front page article? Saturday, September 11, 2010 6

  7. Attack Points: Requests, Auth, Session Saturday, September 11, 2010 7

  8. Attack Points: Access Control Saturday, September 11, 2010 8

  9. Attack Points: Input Validation Saturday, September 11, 2010 9

  10. Attack Points: Business Logic Saturday, September 11, 2010 10

  11. Numerous Attack Points Saturday, September 11, 2010 11

  12. Defend with: Detection Points Saturday, September 11, 2010 12

  13. Defend with: AppSensor Integration • Detection Points Report to AppSensor • AppSensor Integrates w/User Store • Enables Response Actions against User Object Saturday, September 11, 2010 13

  14. Detect & Eliminate Threat • Strong control of authenticated portion • Lockout user • Disable account • Effective attack reporting for unauthenticated portion Saturday, September 11, 2010 14

  15. AppSensor Eliminates Threats Saturday, September 11, 2010 15

  16. AppSensor Eliminates Threats Block attacker & minimize threat Saturday, September 11, 2010 16

  17. Current Approach !"#$%"& '"()*+& ,--.)#/01+& 213-%13)("& Build secure & hope for the best Saturday, September 11, 2010 17

  18. AppSensor Approach !""#$%&'() *$+$%&$) Detect & eliminate threats Build as secure as possible Defend against the unknown #$,-($) *$&./%) !""0.,12'%) 3'4"('4.&$) Add layer of attack detection & prevention Saturday, September 11, 2010 18

  19. Enhancing App Security Build Secure Security Code Review & Integrate Security into SDLC Penetration Testing Actively Defend Automated Response Attack Detection Application Trend to Quarantine Points Anomaly Detection Attackers Saturday, September 11, 2010 19

  20. Why This Approach? • AppSensor - in the app, full user object interaction, full app knowledge • WAF - generic attack detection • Log Analysis - slow, reactive, ineffective Saturday, September 11, 2010 20

  21. ESAPI & AppSensor Saturday, September 11, 2010 21

  22. Integration Status • appsensor.jar ready to use w/ESAPI • AppSensor developer guide available http://www.owasp.org/index.php/AppSensor_Developer_Guide • AppSensor + ESAPI bundle planned for ESAPI 2.0 rc8 Saturday, September 11, 2010 22

  23. ESAPI / AppSensor Adoption • AppSensor • ModSecurity • Major Insurance Company - AppSensor standard for all new web apps • Mozilla - AppSensor detection integrated into web apps • ESAPI - American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, Nationwide Insurance, U.S. Navy - SPAWAR, The World Bank, SANS Institute http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home Saturday, September 11, 2010 23

  24. AppSensor.jar • Drop-in support for ESAPI • 3 Line configuration in ESAPI.properties • Define policies in appsensor.properties • Add detection points in code (2-3 lines each) • Done! Saturday, September 11, 2010 24

  25. How Easy To Setup? ESAPI.IntrusionDetector=org.owasp.appsensor.intrusiondetection.AppSensorIntrusionDetector ESAPI.properties IntrusionDetector.X1.count=2 IntrusionDetector.X1.interval=35 IntrusionDetector.X1.actions=log,logout,disableComponentForUser IntrusionDetector.X1.disableComponentForUser.duration=30 IntrusionDetector.X1.disableComponentForUser.timeScale=m appsensor.properties if (AttackDetected){ new AppSensorException( “X1”,"User Error Message", "Logged Error Message" + "("+ request.getRequestURI()+ ")" + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")"); } code Saturday, September 11, 2010 25

  26. Detecting Attacks • 50+ attack detection points and growing • Grouped into logical areas • Request, Auth, Input, Access etc • Most have nearly zero false positive rate • POST When Expecting GET • Evading Presentation Access Control Through Custom POST • Attempt to Invoke Unsupported HTTP Method http://www.owasp.org/index.php/AppSensor_DetectionPoints Saturday, September 11, 2010 26

  27. Release of AppSensor-Tutorial Saturday, September 11, 2010 27

  28. AppSensor-Tutorial http://code.google.com/p/appsensor/ source/browse/#svn/trunk/AppSensor- Tutorial Saturday, September 11, 2010 28

  29. AppSensor-Tutorial • Lesson Based Application • Concise & Simple Demo of ESAPI & AppSensor Code • Purely JSP w/Java libs Saturday, September 11, 2010 29

  30. Lesson Format • Simple form with text input or drop down • Malicious data checked by ESAPI or AppSensor • Detection point listed with response actions / intrusion count Saturday, September 11, 2010 30

  31. Lesson 1: Validate w/ ESAPI Validator.HTTPParameterName= ^[a-zA-Z0-9_]{0,32}$ Validator.HTTPParameterValue= ^[a-zA-Z0-9.-/+=_ ]*$ ESAPI.properties String dataResult = ""; try { dataResult = ESAPI.httpUtilities() .getParameter(request,"attackstring"); IntrusionDetector.Total.count=3 } catch (ValidationException e){ IntrusionDetector.Total.interval=30 //ESAPI Validation Exception //Processed by AppSensor IntrusionDetector.Total.actions=logout // Automatically } lesson1.jsp appsensor.properties Saturday, September 11, 2010 31

  32. Lesson 2 Validate w/ AppSensor • Use AppSensor AttackDetectorUtils.verifyXSSAttack • Customizable black list approach (regex) • Catch obvious XSS probes • alert(document.cookie) • <img src=.*script • <iframe>.*</iframe> Saturday, September 11, 2010 32

  33. Lesson 2 - The Code dataResult = request.getParameter("attackstring"); boolean attackDetected = org.owasp.appsensor.AttackDetectorUtils.verifyXSSAttack(dataResult); if (attackDetected) { dataResult = "Exception Caught By ESAPI Validation"; new AppSensorException( appsensorID,"Invalid Input per AppSensor Detection", "Attacker is sending input that violates defined whitelists" + "("+ request.getRequestURI()+ ")" + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")"); dataResult = "removed"; } lesson2.jsp Saturday, September 11, 2010 33

  34. Lesson 2 appsensor.properties • Define regex black xss.attack.patterns= "><script>, list of xss patterns script.*document.cookie, <script>, • Black list ok for <IMG.*SRC.*=.*script, attack detection <iframe>.*</iframe> ... • Define response IntrusionDetector.IE1.count=3 thresholds as IntrusionDetector.IE1.interval=30 normal IntrusionDetector.IE1.actions=log,logout appsensor.properties Saturday, September 11, 2010 34

  35. lesson 3 Per User Page Blocking • Disable user’s access to the page • Good solution for sensitive operations - transfer funds, update address • Just affects malicious user • Simple with AppSensor Saturday, September 11, 2010 35

  36. lesson 3 - The Code ASUser user = APPSENSOR.asUtilities().getCurrentUser(); boolean isActive = AppSensorServiceController.isServiceActiveForSpecificUser (request.getRequestURI(),user); if (!(isActive)){ %>This page has been disabled<% }else{ //display normal page lesson3.jsp Saturday, September 11, 2010 36

  37. Lesson 3 appsensor.properties • Define normal thresholds • Define how long page is disabled for user (30 minutes) IntrusionDetector.IE12.count=2 IntrusionDetector.IE12.interval=35 IntrusionDetector.IE12.actions=disableComponentForUser IntrusionDetector.IE12.disableComponentForUser.duration=30 IntrusionDetector.IE12.disableComponentForUser.timeScale=m appsensor.properties Saturday, September 11, 2010 37

  38. Lesson 4 Full Feature Blocking • Block access to all users • Possible for critical pages • Better to shutoff page and investigate than Saturday, September 11, 2010 38

  39. lesson 4 - The Code boolean isActiveForEveryone = AppSensorServiceController.isServiceActive (request.getRequestURI()); if (!(isActiveForEveryone)){ %>Page has been disabled for everyone<% } lesson4.jsp IntrusionDetector.IE12.actions=disableComponent IntrusionDetector.IE12.disableComponent.duration=10 appsensor.properties Saturday, September 11, 2010 39

  40. Additional Response Capabilities http://www.owasp.org/index.php/ File:Owasp-appsensor-responses.pdf Saturday, September 11, 2010 40

  41. Additional Response Capabilities Saturday, September 11, 2010 41

  42. AppSensor @ Mozilla Saturday, September 11, 2010 42

  43. Mozilla Threat Profile • Lots of users • Many web apps • Apps constantly growing & changing • All code open source Saturday, September 11, 2010 43

  44. Mozilla Services • Firefox Sync • Millions of users • Service based app • Stores encrypted user data • Example detection points • Credential mismatch within URL request • Tampering with reset code • Account delete attempt without password Saturday, September 11, 2010 44

  45. What to Capture • Threat model attack scenarios • Access Control Failures • Account lockouts • Failed CAPTCHA • Monitor trends of interesting events • New privileged account created • Password reset requested • Account creations • Sensitive bug access • New attachment Saturday, September 11, 2010 45

  46. SIM Deployment Saturday, September 11, 2010 46

  47. Common Event Format (CEF) • Emerging standard on logging format CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 • Easily parsed by 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 security dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/ integration abc.php?a=b cs1Label=requestClientApplication manager (sim) cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/ 20100316 Firefox/3.6.2 msg=Additional Data here • Enables AppSensor Logging Saturday, September 11, 2010 47

  48. Detection Point w/CEF if (!$authdb->authenticate_user(fix_utf8_encoding($auth_pw))) ! ! { ! ! ! if ($cef) ! ! ! { ! ! ! ! $message = new CommonEventFormatMessage( WEAVE_CEF_AUTH_FAILURE, 'User Authentication Failed', 3, ! ! ! array('username' => $url_user, 'requestip' => get_source_ip())); ! ! ! ! $cef->logMessage($message); ! ! ! } ! ! ! report_problem('Authentication failed', '401'); } http://hg.mozilla.org/services/ Saturday, September 11, 2010 48

  49. Data Analysis Saturday, September 11, 2010 49

  50. Trend Analysis Saturday, September 11, 2010 50

  51. AppSensor - More Info http://www.owasp.org/index.php/ Category:OWASP_AppSensor_Project http://code.google.com/p/appsensor/ owasp-appsensor-project@lists.owasp.org mcoates@mozilla.com michael.coates@owasp.org http://michael-coates.blogspot.com @_mwc Saturday, September 11, 2010 51