AppSensor Guide Application-Specific Real-Time Attack Detection & Response Version 48 (Draft)


Chapter 22 : Light Touch Retrofit




Introduction


In this demonstration implementation, an application has been instrumented with custom-written code to show how AppSensor functionality can be retrofitted to an existing project. The implementation does not make use of any of the AppSensor Project’s library code (as described in the previous two chapters).

The application used in this example is the bulletin board application phpBB, released under the GNU General Public License. The implementation was performed in a manner that affected as little of the original code as possible.



This demonstration implementation does not form part of the core development efforts within the OWASP AppSensor Project.

Description


Detection points were added through a minimal amount of additional PHP code without altering the phpBB source code. Additional fields were added to some of the application’s database tables, together with new tables for the event and attack stores. An existing phpBB feature that allows “banning” of submissions by individual users was utilized as one response, by inserting records into the relevant database table; a second response was added external to the code base by using the host firewall to block IP addresses.

Figure: Schematic Arrangement of Example Light Touch Retrofit to Existing Code


AppSensor scope


The following detection point and response action categories are included:

Table: List of Detection Point Categories Implemented in this Example Light Touch Retrofit

| Category | Detection Point ID | Detection Point Title |
|---|---|---|
| Authentication Exception | AE1 | Use of Multiple Usernames |
| Authentication Exception | AE2 | Multiple Failed Passwords |
| Access Control Exception | ACE3 | Force Browsing Attempt |
| Input Exception | IE2 | Violation Of Implemented White Lists |
| Input Exception | IE3 | Violation Of Implemented Black Lists |
| File IO Exception | FIO2 | Detect Large Number of File Uploads |
| Honey Trap | HT2 | Honey Trap Resource Requested |
| Honey Trap | HT3 | Honey Trap Data Used |
| User Trend Exception | UT4 | Frequency of Feature Use |



Table: List of Response Categories Implemented in this Example Light Touch Retrofit

| Category | Response Type | Response Code | Response Description |
|---|---|---|---|
| Active | Application functionality reduced for user(s) | ASR-I | Function Disabled |
| Active | Application functionality reduced for user(s) | ASR-L | Application Disabled |

In this case, the function-disabling response utilizes phpBB’s inherent “block” functionality, and application disabling is accomplished by blocking at the host network firewall level. In this implementation, it was accomplished by using the “netsh advfirewall firewall” command for Windows Firewall, but iptables could be used on *nix systems, and similarly for other operating systems; an external network device could also be used.
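The following is an added example, not code from the AppSensor Guide or from phpBB, sketching the retrofit described in the Description section above and the two responses just listed: a detection-point hook writes to an event store in a new table, a per-detection-point threshold promotes repeated events to an attack store, ASR-I reuses a (simplified, assumed) phpBB ban table, and ASR-L builds the host firewall command. The table and column names, the thresholds in POLICY, and the stand-in phpbb_banlist columns are assumptions; the netsh and iptables syntax is the standard form of those commands.

```php
<?php
declare(strict_types=1);

// Added example (not from the AppSensor Guide or phpBB). Table/column names,
// thresholds and the simplified phpbb_banlist stand-in are assumptions.
final class LightTouchSensor
{
    // Assumed policy: events per user inside the window that promote the
    // events to an attack, and the AppSensor response code to apply.
    private const POLICY = [
        'AE2' => ['threshold' => 5, 'window' => 600, 'response' => 'ASR-I'], // Function Disabled
        'HT2' => ['threshold' => 1, 'window' => 600, 'response' => 'ASR-L'], // Application Disabled
    ];

    private PDO $db;
    private bool $dryRun;

    public function __construct(PDO $db, bool $dryRun = true)
    {
        $this->db = $db;
        $this->dryRun = $dryRun;   // keep true unless the process may change the firewall
        $db->exec('CREATE TABLE IF NOT EXISTS appsensor_events (
            id INTEGER PRIMARY KEY AUTOINCREMENT, detection_point TEXT NOT NULL,
            user_id INTEGER NOT NULL, ip TEXT NOT NULL, created_at INTEGER NOT NULL)');
        $db->exec('CREATE TABLE IF NOT EXISTS appsensor_attacks (
            id INTEGER PRIMARY KEY AUTOINCREMENT, detection_point TEXT NOT NULL,
            user_id INTEGER NOT NULL, ip TEXT NOT NULL, response TEXT NOT NULL,
            created_at INTEGER NOT NULL)');
        // Simplified stand-in for phpBB's own ban table (assumed columns).
        $db->exec('CREATE TABLE IF NOT EXISTS phpbb_banlist (
            ban_id INTEGER PRIMARY KEY AUTOINCREMENT, ban_userid INTEGER,
            ban_ip TEXT, ban_reason TEXT)');
    }

    /** Hook called from the detection point (e.g. after a failed password check). */
    public function event(string $dp, int $userId, string $ip, ?int $now = null): ?string
    {
        $now ??= time();
        $this->db->prepare('INSERT INTO appsensor_events
            (detection_point, user_id, ip, created_at) VALUES (?, ?, ?, ?)')
            ->execute([$dp, $userId, $ip, $now]);

        $policy = self::POLICY[$dp] ?? null;
        if ($policy === null) {
            return null;                      // recorded only; no policy for this point
        }
        $q = $this->db->prepare('SELECT COUNT(*) FROM appsensor_events
            WHERE detection_point = ? AND user_id = ? AND created_at > ?');
        $q->execute([$dp, $userId, $now - $policy['window']]);
        if ((int) $q->fetchColumn() < $policy['threshold']) {
            return null;
        }
        $this->respond($policy['response'], $dp, $userId, $ip, $now);
        return $policy['response'];
    }

    private function respond(string $code, string $dp, int $userId, string $ip, int $now): void
    {
        $this->db->prepare('INSERT INTO appsensor_attacks
            (detection_point, user_id, ip, response, created_at) VALUES (?, ?, ?, ?, ?)')
            ->execute([$dp, $userId, $ip, $code, $now]);
        if ($code === 'ASR-I') {
            // Function Disabled: reuse phpBB's ban mechanism, so no phpBB code changes.
            $this->db->prepare('INSERT INTO phpbb_banlist (ban_userid, ban_reason) VALUES (?, ?)')
                ->execute([$userId, "AppSensor $dp"]);
            return;
        }
        // ASR-L Application Disabled: block the source at the host firewall.
        // This needs firewall privileges (see Considerations); a production
        // event manager would hand the command to a privileged helper instead.
        $cmd = self::firewallCommand($ip);
        if (!$this->dryRun) {
            exec($cmd, $output, $rc);
        }
    }

    public static function firewallCommand(string $ip): string
    {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException('refusing to build a rule for a non-IP value');
        }
        $safe = escapeshellarg($ip);
        if (PHP_OS_FAMILY === 'Windows') {
            return "netsh advfirewall firewall add rule name=AppSensor-$ip dir=in action=block remoteip=$safe";
        }
        return "iptables -I INPUT -s $safe -j DROP";
    }
}

// Demo with constructed sample input: five failed passwords (AE2) from user 42
// trigger ASR-I; a single honey trap request (HT2) triggers ASR-L (dry run).
$sensor = new LightTouchSensor(new PDO('sqlite::memory:'), true);
$t = 1000000;
$r = null;
foreach (range(1, 5) as $i) {
    $r = $sensor->event('AE2', 42, '203.0.113.7', $t + $i);
}
echo $r, PHP_EOL;
echo $sensor->event('HT2', 42, '203.0.113.7', $t + 6), PHP_EOL;
echo LightTouchSensor::firewallCommand('203.0.113.7'), PHP_EOL;
```

The IP is validated and shell-escaped before it reaches the firewall command because, in a retrofit like this, the value originates from request data; the dry-run flag keeps the demo from touching the firewall, which in the real deployment requires the privileges noted under Considerations below.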

Source code


The phpBB bulletin board application can be downloaded at:

https://www.phpbb.com/downloads/

PHPIDS was used as the blacklist input exception detection point. PHPIDS, its default_filter.xml and converter.php can be downloaded from:

https://phpids.org/downloads/

The additional database SQL scripts and PHP files can be downloaded at:

???TBC??? [check]

This is proof of concept code and is neither optimized nor production-ready.

Implementation


Developer notes are included within the file containing the source code.

Considerations


The PHP implementation of the event manager needs permissions to perform real-time changes to the host-based firewall. This could be changed to signal a separate network firewall instead.

This implementation is no longer under development.


Related implementations


None.

