
I am currently trying to implement some recommendations from OWASP AppSensor Project and I'd like to respond to the attacker when he tries to break into my website.

Is there any resource covering/analyzing specific attack vectors? By specific I mean something like a list of rules: when a user tries to write the `'` character into the username field, it's definitely an attack attempt (which it is not, but `' or 'x'=x'` probably is).

My main goal is to effectively log and respond to attack attempts and avoid false positives as much as possible (it should never happen that the system bans a legitimate user). We are talking here probably mainly about SQL injection, XSS and maybe a request threshold (something like 50 requests in 1 second is suspicious - is it really?). If you think I should respond to another type of action too, feel free to suggest it and write a reason why I should focus on this type of action.

kalina
bretik
    You mentioned OWASP, but not their [Web Application Firewall](http://www.owasp.org/index.php/Web_Application_Firewall). Is there anything you'd like to do that isn't handled by the WAFs listed on that page? – user502 Dec 09 '10 at 18:42
  • The application I am developing is written in ASP.NET and I don't want to invest in a commercial solution; this narrows down the list to only one product mentioned on that wiki site, "AQTronix - WebKnight", and my website will probably run on shared hosting, which eliminates even this product. So we could state that I am trying to develop my own WAF. Great comment however - didn't know about WebKnight before. – bretik Dec 09 '10 at 19:28
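As an added illustration (not code from the question or the answers), here is a minimal AppSensor-style detector written in Python rather than ASP.NET. It shows the two points raised above: a lone apostrophe in a username (O'Brien) is not flagged while a tautology such as `' or 'x'='x` is, and no single event bans a user; the block only fires after a configurable number of detection events, together with a 50-requests-per-second sliding window. The class, regexes, thresholds and sample input are all constructed for this example.

```python
import re
import time
from collections import defaultdict, deque

# Tautology-style SQL injection: quote, OR, then a comparison. A lone apostrophe
# (O'Brien) does not match because "or" must follow the quote.
SQLI_TAUTOLOGY = re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)
# Coarse XSS markers; coarse rules are exactly why responses are thresholded.
XSS_MARKER = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


class AppSensor:
    """Constructed example: detection points feed a per-user event list and the
    response (block) fires only once block_threshold events have accumulated."""

    def __init__(self, block_threshold=3, rate_limit=50, rate_window=1.0):
        self.block_threshold = block_threshold
        self.rate_limit = rate_limit          # requests allowed per window
        self.rate_window = rate_window        # window length in seconds
        self.events = defaultdict(list)       # user -> [(detection point, detail)]
        self.requests = defaultdict(deque)    # user -> request timestamps in window
        self.blocked = set()

    def _record(self, user, point, detail):
        self.events[user].append((point, detail))
        if len(self.events[user]) >= self.block_threshold:
            self.blocked.add(user)

    def inspect(self, user, fields, now=None):
        """Inspect one request's form fields; return the detection points hit."""
        now = time.monotonic() if now is None else now
        triggered = []
        window = self.requests[user]
        window.append(now)
        while window and now - window[0] > self.rate_window:
            window.popleft()                  # drop timestamps outside the window
        if len(window) > self.rate_limit:
            triggered.append("RATE")
            self._record(user, "RATE", len(window))
        for name, value in fields.items():
            if SQLI_TAUTOLOGY.search(value):
                triggered.append("SQLI")
                self._record(user, "SQLI", name)
            if XSS_MARKER.search(value):
                triggered.append("XSS")
                self._record(user, "XSS", name)
        return triggered

    def is_blocked(self, user):
        return user in self.blocked
```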

2 Answers


A robust web application, in the sense of proper filtering/sanitization, is enough in most cases. The problem you are trying to solve is very hard to satisfy. I am repeating again and again - do not reinvent the wheel, because there are high chances that you will just waste time with no effect on security. For example, look at how PHP-IDS is written, how it works, and which rules it contains. Also, what would you say about these SQL-injection evasion techniques: http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/ - how would you handle them? Or about XSS - http://heideri.ch/jso/. As you might see, the more attacks you want to cover, the more chances of getting false positives.

I am not saying it is impossible and not worth tinkering with, but the further we go, the clearer we see that attacks become more and more complicated. First look at whether your problem has not been solved previously and whether it is really worth your attention.

  • +1 I totally agree with the "more attacks you want to cover - more chances to get false positive" part. Most of the so-called hackers will try the basic checks and I want to stop them trying. I am aware that it could not have any real effect on the real hackers. The aim of this basic "application firewall" is to ban the users who are trying to annoy other users. – bretik Dec 09 '10 at 19:51

Basically you are writing a classifier.

If you really want to go this route, you should probably check out Bayesian spam filtering and Paul Graham's essay, because it relates to deciding which inputs are malicious (spam) and which are valid users (ham). Tim Peters' explanation of Paul Graham's method is very readable.

I don't know about state-of-the-art IDSes these days, but echoing Ams, you probably don't want to invent your own IDS, unless you are really interested in learning this area.

Bradley Kreider