real time application defenses - the reality of appsensor & esapi
DESCRIPTION
OWASP AppSecUSA Presentation
TRANSCRIPT
The OWASP Foundation http://www.owasp.org
Real Time Application Defenses
The Reality of AppSensor & ESAPI
Michael Coates, Mozilla - Web Security, [email protected]
OWASP AppSecUSA
Saturday, September 11, 2010
Real Time Application Defenses
The Reality of AppSensor & ESAPI
Michael Coates Web Security Lead - Mozilla
Agenda
• Power of Application Intrusion Detection
• ESAPI & AppSensor
• Release of AppSensor-Tutorial
• AppSensor @ Mozilla
AppSensor Team
AppSensor Core Team
Michael Coates
John Melton
Colin Watson
Contributors
Ryan Barnett
Simon Bennetts
August Detlefsen
Randy Janida
Jim Manico
Giri Nambari
Eric Sheridan
John Stevens
Kevin Wall
Power of Application Intrusion Detection
Status Quo Defense Capabilities
• Build secure & hope for the best
• Would you know if your application was currently under attack?
• How confident are you against a skilled attacker?
• Is your attack alert system based on watching the NYT for a front page article?
Attack Points: Requests, Auth, Session
Attack Points: Access Control
Attack Points: Input Validation
Attack Points: Business Logic
Numerous Attack Points
Defend with: Detection Points
Defend with: AppSensor Integration
• Detection Points Report to AppSensor
• AppSensor Integrates w/User Store
• Enables Response Actions against User Object
Detect & Eliminate Threat
• Strong control of authenticated portion
• Lockout user
• Disable account
• Effective attack reporting for unauthenticated portion
AppSensor Eliminates Threats
AppSensor Eliminates Threats
Block attacker & minimize threat
Current Approach
Build secure & hope for the best
AppSensor Approach
Detect & eliminate threats
Defend against the unknown
Build as secure as possible
Add layer of attack detection & prevention
Enhancing App Security
Actively Defend
• Attack Detection Points
• Application Trend Anomaly Detection
• Automated Response to Quarantine Attackers
Build Secure
• Integrate Security into SDLC
• Security Code Review & Penetration Testing
Why This Approach?
• AppSensor - in the app, full user object interaction, full app knowledge
• WAF - generic attack detection
• Log Analysis - slow, reactive, ineffective
ESAPI & AppSensor
Integration Status
• appsensor.jar ready to use w/ESAPI
• AppSensor developer guide available: http://www.owasp.org/index.php/AppSensor_Developer_Guide
• AppSensor + ESAPI bundle planned for ESAPI 2.0 rc8
ESAPI / AppSensor Adoption
• AppSensor
• ModSecurity
• Major Insurance Company - AppSensor standard for all new web apps
• Mozilla - AppSensor detection integrated into web apps
• ESAPI - American Express, Apache Foundation, Booz Allen Hamilton, Aspect Security, Foundstone(McAfee), The Hartford, Infinite Campus, Lockheed Martin, MITRE, Nationwide Insurance, U.S. Navy - SPAWAR, The World Bank, SANS Institute
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home
AppSensor.jar
• Drop-in support for ESAPI
• 3 Line configuration in ESAPI.properties
• Define policies in appsensor.properties
• Add detection points in code (2-3 lines each)
• Done!
How Easy To Setup?
ESAPI.properties:
ESAPI.IntrusionDetector=org.owasp.appsensor.intrusiondetection.AppSensorIntrusionDetector

appsensor.properties:
IntrusionDetector.X1.count=2
IntrusionDetector.X1.interval=35
IntrusionDetector.X1.actions=log,logout,disableComponentForUser
IntrusionDetector.X1.disableComponentForUser.duration=30
IntrusionDetector.X1.disableComponentForUser.timeScale=m

code:
if (attackDetected) {
    // detection point X1: creating the AppSensorException reports the event to AppSensor
    new AppSensorException("X1", "User Error Message",
        "Logged Error Message" + "(" + request.getRequestURI() + ")"
        + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")");
}
Detecting Attacks
• 50+ attack detection points and growing
• Grouped into logical areas
• Request, Auth, Input, Access etc
• Most have nearly zero false positive rate
• POST When Expecting GET
• Evading Presentation Access Control Through Custom POST
• Attempt to Invoke Unsupported HTTP Method
http://www.owasp.org/index.php/AppSensor_DetectionPoints
Release of AppSensor-Tutorial
AppSensor-Tutorial
http://code.google.com/p/appsensor/source/browse/#svn/trunk/AppSensor-Tutorial
AppSensor-Tutorial
• Lesson Based Application
• Concise & Simple Demo of ESAPI & AppSensor Code
• Purely JSP w/Java libs
Lesson Format
• Simple form with text input or drop down
• Malicious data checked by ESAPI or AppSensor
• Detection point listed with response actions / intrusion count
Lesson 1: Validate w/ ESAPI
lesson1.jsp:
String dataResult = "";
try {
    dataResult = ESAPI.httpUtilities().getParameter(request, "attackstring");
} catch (ValidationException e) {
    // ESAPI Validation Exception
    // Processed by AppSensor automatically
}

ESAPI.properties:
Validator.HTTPParameterName=^[a-zA-Z0-9_]{0,32}$
Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$

appsensor.properties:
IntrusionDetector.Total.count=3
IntrusionDetector.Total.interval=30
IntrusionDetector.Total.actions=logout
Lesson 2: Validate w/ AppSensor
• Use AppSensor AttackDetectorUtils.verifyXSSAttack
• Customizable black list approach (regex)
• Catch obvious XSS probes
• alert(document.cookie)
• <img src=.*script
• <iframe>.*</iframe>
Lesson 2 - The Code
lesson2.jsp:
dataResult = request.getParameter("attackstring");
boolean attackDetected = org.owasp.appsensor.AttackDetectorUtils.verifyXSSAttack(dataResult);
if (attackDetected) {
    dataResult = "Exception Caught By ESAPI Validation";
    // report the detection point to AppSensor with the request URI and the current user
    new AppSensorException(appsensorID, "Invalid Input per AppSensor Detection",
        "Attacker is sending input that violates defined whitelists" + "(" + request.getRequestURI() + ")"
        + " user (" + ESAPI.authenticator().getCurrentUser().getAccountName() + ")");
    dataResult = "removed";
}
Lesson 2: appsensor.properties
• Define regex black list of xss patterns
• Black list ok for attack detection
• Define response thresholds as normal
appsensor.properties:
xss.attack.patterns=\"><script>,script.*document\\.cookie,<script>,<IMG.*SRC.*=.*script,<iframe>.*</iframe>
...
IntrusionDetector.IE1.count=3
IntrusionDetector.IE1.interval=30
IntrusionDetector.IE1.actions=log,logout
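As an added example (not part of the slides and not AppSensor's own code), the following Python models how the lesson 2 black list is read from appsensor.properties and applied to request input: the pattern value is the slide's own, while the .properties unescaping step, the case-insensitive matching and the name verify_xss_attack are this example's assumptions.

```python
import re

# Constructed appsensor.properties text carrying the slide's xss.attack.patterns value verbatim.
PROPERTIES_TEXT = r"""
xss.attack.patterns=\"><script>,script.*document\\.cookie,<script>,<IMG.*SRC.*=.*script,<iframe>.*</iframe>
"""


def load_patterns(text, key="xss.attack.patterns"):
    """Read one comma-separated regex list from .properties text.

    A .properties loader turns `\\` into `\` and `\"` into `"`, so the file's
    `document\\.cookie` reaches the regex engine as `document\.cookie` (a literal dot)."""
    for line in text.splitlines():
        name, sep, value = line.partition("=")      # split at the first '=' only
        if sep and name.strip() == key:
            value = re.sub(r"\\(.)", r"\1", value.strip())   # .properties backslash unescaping
            # case-insensitive matching is assumed here: the slide pairs <IMG.*SRC with "<img src"
            return [re.compile(p, re.IGNORECASE) for p in value.split(",")]
    return []


def verify_xss_attack(value, patterns):
    """Return the first black-list pattern that matches the input, or None.

    A black list is acceptable for *detection*: a miss just means no event is
    counted, while output encoding and ESAPI validation remain the real defence."""
    for pattern in patterns:
        if pattern.search(value):
            return pattern.pattern
    return None
```
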
Lesson 3: Per User Page Blocking
• Disable user's access to the page
• Good solution for sensitive operations - transfer funds, update address
• Just affects malicious user
• Simple with AppSensor
Lesson 3 - The Code
lesson3.jsp:
<%
ASUser user = APPSENSOR.asUtilities().getCurrentUser();
boolean isActive = AppSensorServiceController.isServiceActiveForSpecificUser(request.getRequestURI(), user);
if (!(isActive)) {
%>
This page has been disabled
<%
} else {
    // display normal page
}
%>
Lesson 3: appsensor.properties
• Define normal thresholds
• Define how long page is disabled for user (30 minutes)
appsensor.properties:
IntrusionDetector.IE12.count=2
IntrusionDetector.IE12.interval=35
IntrusionDetector.IE12.actions=disableComponentForUser
IntrusionDetector.IE12.disableComponentForUser.duration=30
IntrusionDetector.IE12.disableComponentForUser.timeScale=m
Lesson 4: Full Feature Blocking
• Block access to all users
• Possible for critical pages
• Better to shut off page and investigate than
Lesson 4 - The Code
lesson4.jsp:
boolean isActiveForEveryone = AppSensorServiceController.isServiceActive(request.getRequestURI());
if (!(isActiveForEveryone)) { %>Page has been disabled for everyone<% }

appsensor.properties:
IntrusionDetector.IE12.actions=disableComponent
IntrusionDetector.IE12.disableComponent.duration=10
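An added Python model (not AppSensor's code) of the count / interval / actions policy shown on slide 25 and in lessons 3 and 4: events are counted per user and detection point inside a sliding interval, and the disableComponentForUser and disableComponent responses block a URI for one user or for everyone, which the lesson 3 and lesson 4 page checks then consult. The policy text is constructed from the IE12 keys on the slides; the time-scale codes other than m, and the default of seconds when timeScale is absent, are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed policy text in the appsensor.properties style of the slides (lesson 3's IE12 keys).
POLICY_TEXT = """
IntrusionDetector.IE12.count=2
IntrusionDetector.IE12.interval=35
IntrusionDetector.IE12.actions=disableComponentForUser
IntrusionDetector.IE12.disableComponentForUser.duration=30
IntrusionDetector.IE12.disableComponentForUser.timeScale=m
"""
TIME_SCALE = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # "m" is on the slides; the other codes are assumed

def parse_policy(text):
    """Group IntrusionDetector.<point>.<key...>=value lines into one dict per detection point."""
    policy = defaultdict(dict)
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        parts = key.split(".")
        if parts[0] == "IntrusionDetector" and len(parts) >= 3:
            policy[parts[1]][".".join(parts[2:])] = value.strip()
    return dict(policy)

class IntrusionDetector:
    """Sliding-window model: `count` events for one user and point within `interval` seconds fire the actions."""
    def __init__(self, policy):
        self.policy = policy
        self.events = defaultdict(deque)  # (user, point) -> recent event timestamps (seconds)
        self.user_blocks = {}             # (user, uri) -> time until which uri is disabled for user
        self.global_blocks = {}           # uri -> time until which uri is disabled for everyone

    def add_event(self, user, point, uri, now):
        rule = self.policy.get(point)
        if rule is None:
            return []                     # no policy for this point: nothing to enforce
        window = self.events[(user, point)]
        window.append(now)
        while now - window[0] > int(rule["interval"]):
            window.popleft()              # forget events older than the interval
        if len(window) < int(rule["count"]):
            return []
        window.clear()                    # threshold reached: respond, then count afresh
        actions = rule["actions"].split(",")
        for action in actions:
            if action in ("disableComponentForUser", "disableComponent"):
                # a missing timeScale is read as seconds; that default is this example's assumption
                scale = TIME_SCALE[rule.get(action + ".timeScale", "s")]
                until = now + int(rule[action + ".duration"]) * scale
                if action == "disableComponentForUser":
                    self.user_blocks[(user, uri)] = until
                else:
                    self.global_blocks[uri] = until
        return actions

    def is_service_active_for_user(self, uri, user, now):
        """Lesson 3 check: false while uri is disabled for this user."""
        return self.user_blocks.get((user, uri), 0) <= now

    def is_service_active(self, uri, now):
        """Lesson 4 check: false while uri is disabled for everyone."""
        return self.global_blocks.get(uri, 0) <= now
```
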
Additional Response Capabilities
http://www.owasp.org/index.php/File:Owasp-appsensor-responses.pdf
Additional Response Capabilities
AppSensor @ Mozilla
Mozilla Threat Profile
• Lots of users
• Many web apps
• Apps constantly growing & changing
• All code open source
Mozilla Services
• Firefox Sync
• Millions of users
• Service based app
• Stores encrypted user data
• Example detection points
• Credential mismatch within URL request
• Tampering with reset code
• Account delete attempt without password
What to Capture
• Threat model attack scenarios
• Access Control Failures
• Account lockouts
• Failed CAPTCHA
• Monitor trends of interesting events
• New privileged account created
• Password reset requested
• Account creations
• Sensitive bug access
• New attachment
SIM Deployment
Common Event Format (CEF)
• Emerging standard on logging format
• Easily parsed by security integration manager (SIM)
• Enables AppSensor Logging
CEF:0|Mozilla|MozFooApp|1.0 |ACE0|Access Control Violation|8|rt=01 31 2010 18:30:01 suser=janedoe suid=55 act=Action Denied src=1.2.3.4 dst=2.3.4.5 requestMethod=POST request=http://foo.mozilla.org/foo/abc.php?a\=b cs1Label=requestClientApplication cs1=Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2 msg=Additional Data here
Detection Point w/CEF
if (!$authdb->authenticate_user(fix_utf8_encoding($auth_pw)))
{
    if ($cef)
    {
        $message = new CommonEventFormatMessage(
            WEAVE_CEF_AUTH_FAILURE, 'User Authentication Failed', 3,
            array('username' => $url_user, 'requestip' => get_source_ip()));
        $cef->logMessage($message);
    }
    report_problem('Authentication failed', '401');
}
http://hg.mozilla.org/services/
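Added example (not the Mozilla services code linked above): a Python CEF encoder and parser exercising the escaping the slide 47 sample relies on, namely `\=` inside extension values (the sample's `a\=b`) and `\|` inside header fields, so that user-controlled data such as a username or request URI cannot forge extra fields in the record a SIM parses. The field names are those of the sample; the function names are this example's.

```python
import re

# Sample fields taken from the slide's CEF record (constructed here as Python values).
SAMPLE_HEADER = dict(vendor="Mozilla", product="MozFooApp", version="1.0",
                     sig_id="ACE0", name="Access Control Violation", severity=8)
SAMPLE_EXT = {
    "rt": "01 31 2010 18:30:01", "suser": "janedoe", "suid": "55", "act": "Action Denied",
    "src": "1.2.3.4", "dst": "2.3.4.5", "requestMethod": "POST",
    "request": "http://foo.mozilla.org/foo/abc.php?a=b",   # the '=' must be escaped on the wire
    "cs1Label": "requestClientApplication",
    "cs1": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2",
    "msg": "Additional Data here",
}

def _escape_header(value):
    """Header fields are pipe-delimited, so backslash and pipe are escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _escape_ext(value):
    """Extension values may hold spaces and pipes but must escape backslash, '=' and newlines."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def format_cef(vendor, product, version, sig_id, name, severity, ext):
    header = "|".join(_escape_header(v) for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_escape_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"

def _split_header(line):
    """Split the seven header fields on unescaped pipes; return them and the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2; continue   # \| and \\ stand for literal | and \
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:]

_KEY = re.compile(r"(?<![^\s])([A-Za-z0-9_]+)=")   # key= at start or after whitespace, never after '\'

def parse_cef(line):
    fields, extension = _split_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    keys = list(_KEY.finditer(extension))
    ext = {}
    for n, m in enumerate(keys):                      # a value runs up to the next unescaped key=
        end = keys[n + 1].start() if n + 1 < len(keys) else len(extension)
        raw = extension[m.end():end].strip()
        ext[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return {"cef_version": fields[0][4:], "vendor": fields[1], "product": fields[2],
            "version": fields[3], "sig_id": fields[4], "name": fields[5],
            "severity": fields[6], "ext": ext}
```
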
Data Analysis
Trend Analysis
AppSensor - More Info
http://michael-coates.blogspot.com
@_mwc
http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
http://code.google.com/p/appsensor/