{"id":307,"date":"2009-11-12T14:55:53","date_gmt":"2009-11-12T19:55:53","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=307"},"modified":"2009-11-12T16:12:33","modified_gmt":"2009-11-12T21:12:33","slug":"defending-yourself-integrating-real-time-defenses-into-online-applications","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/defending-yourself-integrating-real-time-defenses-into-online-applications\/","title":{"rendered":"Defending Yourself: Integrating Real Time Defenses into Online Applications"},"content":{"rendered":"<p>This presentation was by Michael Coates, the AppSensor Project Lead.\u00a0 Michael works as a Senior Application Security Engineer at Aspect Security.\u00a0 AppSensor is a real time defense system with the goal being to protect an application by detecting who is bad and getting rid of them before they do bad things.\u00a0 My notes from this session are below:<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Agenda<\/strong><\/span><\/p>\n<ul>\n<li>AppSensor Project<\/li>\n<li>Malicious Attackers<\/li>\n<li>Application Worms<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Detecting Attacks the Right Way<\/strong><\/span><\/p>\n<ul>\n<li>Integration\n<ul>\n<li>Detect INSIDE the application<\/li>\n<li>Understand business logic<\/li>\n<\/ul>\n<\/li>\n<li>Effectiveness\n<ul>\n<li>Minimal false positives<\/li>\n<li>Immediate response<\/li>\n<\/ul>\n<\/li>\n<li>Effort\n<ul>\n<li>Automatic detection<\/li>\n<li>No manual work required<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Detection Outside the Application (WAF)<br \/>\n<\/strong><\/span><\/p>\n<ul>\n<li>Application context not available<\/li>\n<li>No concept of access violations<\/li>\n<li>Custom application + Generic Solution != success<\/li>\n<li>Ex: Changing the account ID in \/viewAccount?id=1002<\/li>\n<\/ul>\n<p><span style=\"text-decoration: 
underline;\"><strong>Inside the Application is Best<\/strong><\/span><\/p>\n<ul>\n<li>Understand application &amp; business context<\/li>\n<li>Integration with authentication &amp; user store<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>How Does AppSensor Protect the App?<\/strong><\/span><\/p>\n<ul>\n<li>It takes many requests for an attacker to find a vulnerability<\/li>\n<li>It takes fewer requests for AppSensor to determine that the user is malicious<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AppSensor is Faster than Attacker<\/strong><\/span><\/p>\n<ul>\n<li>User identified as malicious and blocked before a vulnerability is found<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Categories of Detection<\/strong><\/span><\/p>\n<ul>\n<li>Request<\/li>\n<li>Authentication<\/li>\n<li>Access Control<\/li>\n<li>Session<\/li>\n<li>Input<\/li>\n<li>Encoding<\/li>\n<li>Command Injection<\/li>\n<li>File IO<\/li>\n<li>User Trend<\/li>\n<li>System Trend<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Attack Detection: Real vs Cyber World<\/strong><\/span><\/p>\n<ul>\n<li>Why do bank robbers get caught?<\/li>\n<li>Why don&#8217;t hackers get caught?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Let&#8217;s Change Things &#8211; Applications Should&#8230;<\/strong><\/span><\/p>\n<ul>\n<li>Detect attacks<\/li>\n<li>Understand normal use vs suspicious use<\/li>\n<li>Instantly identify attackers<\/li>\n<li>Shut down attackers in real time<\/li>\n<li>Modify application accessibility for defense<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Detecting Malicious Users<\/strong><\/span><\/p>\n<ul>\n<li>Many malicious attacks are obvious and not &#8220;user error&#8221;\n<ul>\n<li>POST when expecting GET<\/li>\n<li>Tampering with headers<\/li>\n<li>Submissions of XSS attacks<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: 
underline;\"><strong>Detecting Malicious Users<\/strong><\/span><\/p>\n<ul>\n<li>Bypassing client side input validation<\/li>\n<li>Transaction using functionality not visible to user role<\/li>\n<li>Multiple access control violations<\/li>\n<li>Change of user agent mid-session<\/li>\n<li>Double encoded data<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>The Code<\/strong><\/span><\/p>\n<ul>\n<li>Leverages ESAPI!<\/li>\n<li>3 lines to set up AppSensor<\/li>\n<li>2 lines per AppSensor detection point<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Setting up AppSensor<\/strong><\/span><\/p>\n<ol>\n<li>Configure response action object (log, logout, account lock)<\/li>\n<li>Create AppSensorIntrusionDetector with response action object<\/li>\n<li>Set ESAPI intrusion detector<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>Defining Response Policies<\/strong><\/span><\/p>\n<ul>\n<li>ESAPI.properties file<\/li>\n<li>Define\n<ul>\n<li>Threshold count<\/li>\n<li>Interval of events<\/li>\n<li>Response action<\/li>\n<li>Per exception type or aggregate<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>2 Lines to Use AppSensor<\/strong><\/span><\/p>\n<ol>\n<li>Check for &#8220;maliciousness&#8221;<\/li>\n<li>Create new AppSensorException<\/li>\n<\/ol>\n<p><span style=\"text-decoration: underline;\"><strong>Understanding the Intrusion Exception<\/strong><\/span><\/p>\n<p>new AppSensorIntrusionException(<\/p>\n<ul>\n<li>request.getServletPath(),<\/li>\n<li>&#8220;ACE1&#8221;,<\/li>\n<li>&#8220;User Message&#8221;,<\/li>\n<li>&#8220;Direct object tampering with &#8230;&#8221;<\/li>\n<\/ul>\n<p>);<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>AppSensor vs Scanners<\/strong><\/span><\/p>\n<ul>\n<li>Tools attempt 10,000s of generic attacks<\/li>\n<li>AppSensor stops automated scans nearly instantly<\/li>\n<\/ul>\n<p><span style=\"text-decoration: 
underline;\"><strong>AppSensor vs Human Attackers<\/strong><\/span><\/p>\n<ul>\n<li>Very difficult for the attacker<\/li>\n<li>Requires advanced obfuscation for each attack<\/li>\n<li>Multiple probes == detection<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Application Worms on the Rise<\/strong><\/span><\/p>\n<ul>\n<li>Twitter Worm<\/li>\n<li>MySpace Samy Worm<\/li>\n<li>Huge damage for the site\n<ul>\n<li>Remediation<\/li>\n<li>Cleanup<\/li>\n<li>Bad PR<\/li>\n<li>Infected Users<\/li>\n<\/ul>\n<\/li>\n<li>Leverage XSS and CSRF<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Detecting\/Preventing an Application Worm<\/strong><\/span><\/p>\n<ul>\n<li>Can you find\/fix all XSS?<\/li>\n<li>Pattern matching easily foiled<\/li>\n<li>Block the common factor!\n<ul>\n<li>Worms use XSS and CSRF for propagation<\/li>\n<li>1000% usage increase -&gt; problem<\/li>\n<li>Our example: updateProfile, updateStatus, updateName<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Case Study: Samy<\/strong><\/span><\/p>\n<ul>\n<li>MySpace Application Worm<\/li>\n<li>XSS worm embedded in User Profile<\/li>\n<li>Exponential Growth of Samy&#8217;s friends<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Samy vs AppSensor<\/strong><\/span><\/p>\n<ul>\n<li>AppSensor detects uptick in addFriend usage<\/li>\n<li>Compares against trended info<\/li>\n<li>Automatic response initiated\n<ul>\n<li>Alerts admin at +200% add friend usage<\/li>\n<li>Alerts admin a 2nd time at +500% add friend usage<\/li>\n<li>Automatically shuts down add friend feature<\/li>\n<\/ul>\n<\/li>\n<li>Result\n<ul>\n<li>Worm contained<\/li>\n<li>Add friend temporarily disabled<\/li>\n<li>Site stays up<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Benefits of Trend Monitoring<\/strong><\/span><\/p>\n<ul>\n<li>Detection of\n<ul>\n<li>Application worms<\/li>\n<li>Scripted 
attacks\/probing<\/li>\n<li>CSRF attacks<\/li>\n<\/ul>\n<\/li>\n<li>Alerting of excessive activity<\/li>\n<li>Selective feature shutdown for overall stability<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AppSensor in Action<\/strong><\/span><\/p>\n<ul>\n<li>Demo social networking app<\/li>\n<li>Defended with AppSensor trend monitoring<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>What&#8217;s Under the Hood?<\/strong><\/span><\/p>\n<ul>\n<li>REST communication between AppSensor &amp; App<\/li>\n<li>Support Response Actions (warn user, logout user, disable user, etc)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AppSensor Brain<\/strong><\/span><\/p>\n<ul>\n<li>Drools &#8211; Rule Based System<\/li>\n<li>Support for complex rule sets &#8211; much more than just counting feature usage<\/li>\n<li>Evaluates objects in Drools memory<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>The Exploit<\/strong><\/span><\/p>\n<ul>\n<li>XSS infects victim&#8217;s &#8220;Status&#8221; with worm<\/li>\n<li>CSRF adds victim as friend of Charlie<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Defend with AppSensor<\/strong><\/span><\/p>\n<ul>\n<li>AppSensor Policy\n<ul>\n<li>Notify admin if events &gt; 5<\/li>\n<li>Disable service if events &gt; 10<\/li>\n<\/ul>\n<\/li>\n<li>AppSensor notices anomaly &#8211; alerts admin<\/li>\n<li>After 10 events AppSensor disables just that feature of the site<\/li>\n<li>Users protected, worm contained, site stays up<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Trend Monitoring Benefits<\/strong><\/span><\/p>\n<ul>\n<li>Auto detection of attacks<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Michael Coates, the AppSensor Project Lead.\u00a0 Michael works as a Senior Application Security Engineer at Aspect Security.\u00a0 AppSensor is a real time defense 
system with the goal being to protect an application by detecting who is bad and getting rid of them before they do bad things.\u00a0 My notes from this [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[307,4],"tags":[201,322,323,324,325,74,160,102],"class_list":["post-307","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-dc-2009","category-web-app-sec","tag-applications","tag-appsensor","tag-coates","tag-defenses","tag-detection","tag-firewall","tag-waf","tag-web"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-4X","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=307"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/307\/revisions"}],"pre
decessor-version":[{"id":315,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/307\/revisions\/315"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}