AppSensor Response to Log Monitoring

As you may have noticed from the AppSensor project and the recent OWASP EU presentation, I'm not a big believer in manual log analysis to detect and block malicious activity. Here's my response to a recent article on Dark Reading recommending log analysis.

The article:
Tippett: Use Application Logs To Catch Data Breaches

My response:

There are several major barriers to utilizing logs to prevent data breaches.
1. Most systems are not properly configured to capture all of the required information to detect an attack.
2. Humans are required to manually review log data. This either requires a large number of skilled humans to monitor logs or requires automation which loses the benefit of human interpretation. In addition, the number of log entries generated by an application can grow to incredible numbers very quickly making it difficult to quickly identify malicious patterns.
3. Even if the log data is complete and the analyzers notice the events, they must detect the attacker and stop them before they are successful. As the article points out, it often takes an attacker less than 1 hour.

Recognizing this as a substantial challenge, the Open Web Application Security Project (OWASP) is developing guidance for a solution named AppSensor. Instead of attempting to solve this problem with log analysis, let’s move into the application and detect the attackers there. By utilizing detection points with low false positive rates, it is possible to detect attackers probing for weaknesses in the application. The detection mechanism ties into a response agent which can automatically lock an account after the user is deemed malicious. This approach requires no human analysis or intervention. Attackers are automatically identified and blocked.

The AppSensor approach greatly differs from traditional WAF or network based IDS devices because it is actually built into the application itself. This approach allows the detection agent to understand attacks against business logic and access control – areas traditionally ignored by products.

Everything at OWASP is free and open. Check out AppSensor if this sounds interesting.
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project

-Michael Coates

OWASP AppSec Poland in Review

I just got back from OWASP Poland. I was there for a week and taught the 2 day advanced course class, attended 2 days of OWASP talks and gave my own presentation on Thursday.

Just wanted to let everyone know that the conference was a huge success. I was very impressed with the presentations and the planning/delivery of the conference. Having now attended a few OWASP conferences and a several other popular security conferences, I would definitely recommend an OWASP conference over the others any day.

In addition to the presentations, it was great to talk with others that focus on app sec all day too. There were some great people there and it’s always good to pick their brains a bit too.

The presentations are all online now (Day 1, Day 2). I’d recommend you take a look at a few of them.

• OWASP Live CD (PPT) – Matt Tesauro
Whenever attempting to run a new OWASP tool, start here. Its probably already installed and working.

• Threat Modeling (PPT) - John Steven
Always good to get some more feedback and consideration on how to increase the quality of threat diagrams for architecture type assessments.

• O2 - Advanced Source Code Analysis Toolkit - Dinis Cruz
No slides available, but this talk was really interesting. Dinis is moving towards a tool which blends static and run time analysis via breakpoints. The demo showed some very interesting call flow graphs to help analyze data from source to sink.

• The Software Assurance Maturity Model (SAMM) (PPT) - Pravir Chandra
Definitely should take a look at SAMM if you haven’t already.

• HTTP Parameter Pollution (PDF) - Luca Carettoni, & Stefano Di Paola
This was an interesting talk. It could have used a little more organization and clarity to drive home the root issue. However, what I took away was that different application servers handle the presence of duplicate URL parameters differently (ie http://somesite.com?var1=abcd&va1=efgh).

Some app servers take the first, others take the second, and some concatenate. This can be used maliciously in two different ways.
1. Bypass URL filtering put in place by WAFs (ie http://somesite.com?var1=Select user,pass,&var1=dob From USERS).
2. It can be used to potentially overwrite statically defined URL arguments if a dispatcher model is used in code. Ie

protected void doGet(HttpServletRequest request, HttpServletResponse response){
//dispatch request
String URL="http://internalPage.com/search?role=user&"+request.getParameter("query");
...

Which would be attacked by the attacker sending the following (attacker adds bold text)
http://somePublicPage.com/searchDispatch?query=abc&role=admin


• Real Time Defenses against Application Worms and Malicious Attackers (PPT) - Michael Coates
My talk went very well. Feel free to take a look at the slides. Lots of good things in store for AppSensor. I’m planning to make some big updates to the book and get a new version out in the next few months. ESAPI integration is also in the plans.

I'm always looking for new contributors, reviewers, and feedback. If you're interested post to the mailing list or shoot me an email.

-Michael Coates

My Picks for OWASP AppSec Europe

Here are my picks for OWASP AppSec Europe. (LinkedIn event)

• OWASP Live CD: An open environment for Web Application Security Matt Tesauro,
• OWASP Application Security Verification Standard (ASVS) Project Dave Wichers
• Web Application Harvesting Esteban Ribičić
• The Truth about Web Application Firewalls: What the vendors do not want you to know Wendel Guglielmetti Henrique
• Advanced SQL injection exploitation to operating system full control Bernardo Damele Assumpcao Guimaraes
• O2 - Advanced Source Code Analysis Toolkit Dinis Cruz
• Beyond security principles approximation in software architectures Bart De Win
• w3af, A framework to 0wn the web Andrés Riancho,
• CSRF: the nightmare becomes reality? Lieven Desmet,
• Advanced Code Review Techniques - How to Find Needles in the Haystack Efficiently Siddharth Anbalahan
• Real Time Defenses against Application Worms and Malicious Attackers, Michael Coates, :)
• Can an accessible web application be secure? Assessment issues for security testers, developers and auditors Colin Watson

Should be an awesome event. Looking forward to seeing everyone there!

-Michael Coates

WebScarab Tip of the Day

If you are using WebScarab and something on the page keeps breaking then you may be having an issue with WebScarab's "Reveal hidden fields in HTML Pages". Try turning that off and repeating the action. I've seen this be an issue a few different times with JavaScript and AJAX.

Proxy -> Miscellaneous



The reason this issue occurs is because, when reveal hidden fields is enabled, WebScarab will rewrite some of the page. I imagine WebScarab is getting confused with some content in JavaScript or AJAX and thats whats causing the problem. The reveal hidden fields feature actually works quite well, I've only seen this issue a few times.

Rogan, next time I see it I'll send you a bug report: :) I know, just commenting on the issue without a bug report doesn't help you fix the problem.

-Michael Coates

Application Worms at OWASP Europe

OWASP AppSec Europe is just around the corner. In just a short week's time security experts from around the world will converge in Poland to discuss cutting edge application security topics.

On Thusday, May 14, I'll be presenting "Real Time Defenses against Application Worms and Malicious Attackers". Here's a quick preview:

- View a live application worm and execute it in an application. If this was our app, how could we have identified this worm? How could we have stopped it? Could we do this in real time without bringing down our site?
- We'll also dissect the application worm to see exactly how it works. It only takes a few lines of code to create a worm which will propagate throughout a site and infect all users.
- Discuss methods for identifying attackers in our applications. What sort of actions are definitely malicious? How can we identify attackers with a low false positive rate? What should we do after we detect an attacker?

If you're interested in application worms, real time defense systems or have responsibilities for high profile website (ie the hackers target you), then I encourage you to attend.

Details
Real Time Defenses against Application Worms and Malicious Attackers
Michael Coates, Aspect Security

Day 2, Thursday, May 14
14:50-15:30
Track2 : Room 2


-Michael Coates