Introduction
In this demonstration implementation, an application has been instrumented with custom-written code to show how AppSensor functionality can be retrofitted to an existing project. The implementation does not make use of any of the AppSensor Project's library code (described in the previous two chapters).
The application used in this example is the bulletin board application phpBB, released under the GNU General Public License. The implementation was performed in a manner that affected as little of the original code as possible.
This demonstration implementation does not form part of the core development efforts within the OWASP AppSensor Project.
Description
Detection points were added with a minimal amount of additional PHP code, without altering the phpBB source code. Additional fields were added to some of the application's database tables, together with new tables for the event and attack stores. An existing phpBB feature which allows "banning" of submissions by individual users was utilized as one response, by inserting records into the relevant database table; a second response was added external to the code base by using the host firewall to block IP addresses.
Schematic Arrangement of Example Light Touch Retrofit to Existing Code
AppSensor scope
The following detection point and response action categories are included:
List of Detection Point Categories Implemented in this Example Light Touch Retrofit
| Category | Detection Point ID | Detection Point Title | Description |
| --- | --- | --- | --- |
| Authentication Exception | AE1 | Use of Multiple Usernames | |
| | AE2 | Multiple Failed Passwords | |
| Access Control Exception | ACE3 | Force Browsing Attempt | |
| Input Exception | IE2 | Violation Of Implemented White Lists | |
| | IE3 | Violation Of Implemented Black Lists | |
| File IO Exception | FIO2 | Detect Large Number of File Uploads | |
| Honey Trap | HT2 | Honey Trap Resource Requested | |
| | HT3 | Honey Trap Data Used | |
| User Trend Exception | UT4 | Frequency of Feature Use | |
List of Response Categories Implemented in this Example Light Touch Retrofit
| Category Type | Category Description | Response Code | Response Description |
| --- | --- | --- | --- |
| Active | Application functionality reduced for user(s) | ASR-I | Function Disabled |
| | | ASR-L | Application Disabled |
In this case, the "Function Disabled" response utilizes phpBB's inherent "block" functionality, and "Application Disabled" is accomplished by blocking at the host network firewall level. In this implementation, that was done using the "netsh advfirewall firewall" command for Windows Firewall, but iptables could be used on *nix systems, and similarly for other operating systems; an external network device could also be used.
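As an added illustration of the arrangement described above (not phpBB's or the AppSensor Project's code), the following PHP stores detection events in a new table, counts them per user over a time window, and on reaching a threshold records an attack and applies one of the two responses. It uses an in-memory SQLite database in place of phpBB's; the table names, threshold, window and the mapping of detection points to responses are assumptions.

```php
<?php
// Added example, not phpBB's or the AppSensor Project's code. Events go to a
// new table; when a user's count for one detection point within the window
// reaches the threshold, an attack is recorded and a response applied: ASR-I
// by inserting a ban row (stand-in for phpBB's ban table) or ASR-L via a host
// firewall command handed back to the caller. Assumed: table names, threshold,
// window, and that honey trap (HT*) detection points map to ASR-L, others to ASR-I.
final class AppSensorEventManager
{
    public function __construct(
        private PDO $db, private int $threshold = 3, private int $window = 300)
    {
        $this->db->exec('CREATE TABLE appsensor_events (dp TEXT, user_id INTEGER, ip TEXT, created INTEGER)');
        $this->db->exec('CREATE TABLE appsensor_attacks (dp TEXT, user_id INTEGER, response TEXT, created INTEGER)');
        $this->db->exec('CREATE TABLE phpbb_banlist (ban_userid INTEGER, ban_reason TEXT)'); // stand-in schema
    }
    /** Store one event; return the response code applied, or null if below threshold. */
    public function addEvent(string $dp, int $userId, string $ip, int $now): ?string
    {
        $this->db->prepare('INSERT INTO appsensor_events VALUES (?, ?, ?, ?)')
            ->execute([$dp, $userId, $ip, $now]);
        $cnt = $this->db->prepare('SELECT COUNT(*) FROM appsensor_events
            WHERE dp = ? AND user_id = ? AND created > ?');
        $cnt->execute([$dp, $userId, $now - $this->window]);
        if ((int) $cnt->fetchColumn() < $this->threshold) {
            return null; // event stored, no attack yet
        }
        $response = str_starts_with($dp, 'HT') ? 'ASR-L' : 'ASR-I';
        $this->db->prepare('INSERT INTO appsensor_attacks VALUES (?, ?, ?, ?)')
            ->execute([$dp, $userId, $response, $now]);
        if ($response === 'ASR-I') { // phpBB's own ban mechanism does the work
            $this->db->prepare('INSERT INTO phpbb_banlist VALUES (?, ?)')
                ->execute([$userId, "AppSensor $dp"]);
        }
        return $response;
    }
    /** Windows Firewall block rule as in the text; the caller runs it with the needed privileges. */
    public static function firewallCommand(string $ip): string
    {
        return 'netsh advfirewall firewall add rule name=' . escapeshellarg("AppSensor block $ip")
            . ' dir=in action=block remoteip=' . escapeshellarg($ip);
    }
}
$mgr = new AppSensorEventManager(new PDO('sqlite::memory:'));
$r = null;
foreach ([1, 2, 3] as $i) { // three constructed failed-password events (AE2) for one user
    $r = $mgr->addEvent('AE2', 42, '203.0.113.7', 1000 + $i);
}
echo $r, PHP_EOL; // ASR-I: the user is banned via the ban table
echo AppSensorEventManager::firewallCommand('203.0.113.7'), PHP_EOL; // what ASR-L would run
```

In the retrofit described on this page the same logic would be included from the phpBB entry points where each detection point fires, so the phpBB source itself stays unchanged.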
Source code
The phpBB bulletin board application can be downloaded at:
https://www.phpbb.com/downloads/
PHPIDS is used as the blacklist input exception detection point. PHPIDS, default_filter.xml and converter.php can be downloaded from:
https://phpids.org/downloads/
The additional database SQL scripts and PHP files can be downloaded at:
???TBC??? [check]
This is proof of concept code and is neither optimized nor production-ready.
Implementation
Developer notes are included within the file containing the source code.
Considerations
The PHP implementation of the event manager needs permissions to perform real-time changes to the host-based firewall. This could be changed to signal a separate network firewall instead.
This implementation is no longer under development.
None.