Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Web App Traps (custom IDS)

Re: Web App Traps (custom IDS)

From: Meder Kydyraliev <meder_at_o0o.nu>
Date: Mon, 9 Jan 2006 20:34:19 +0800

Hi Anton,

Thanks for the feedback. Comments inline.

On Mon, Jan 09, 2006 at 08:41:33AM +0200, Damhuis Anton wrote:
>
> Hi Meder
>
> Read your article, and although quite interesting, I don't think it
> would work (for me).
>
> One thing it would be difficult to add time to a project just to allow
> non functional code into the code base. Non functional meaning as far as
> the customer is concerned. Further a new developer on the application
> might spend days looking at what one of the WATs does, wasting time, and
> maybe even remove it (which is not what the intension is).

non-functional code: well it really depends, in some cases built-in
intrusion detection could actually be used as a selling point. As for
inhouse apps, WATs can be considered taking IDS a bit further.

wasting time: clear documenting of WATs will solve the problem easily.

>
> What would be a better solution is to encrypt all the GETS and POSTS (as
> well as Cookie) values. Encrypt them with a Checksum value.
>
> There is a *flaw* in implementing sequencial number encryption, whereby
> altering some
> Encrypted value, normaly produces a valid unencrypted number value. In
> my solution, if a value get decrypted to an incorrect format (this is
> where the Checksum comes in) it emails the user name and info to the
> support personal.

Sounds like a WAT to me :)

>
> I have implemented this type of solution on a web site before, and
> worked quite well. However since the web site was ASP, and the
> encryption work in VB Script, there is a very slight performance hit on
> the encryption and decryption of these values.
>
> If you would like more info, please let me know. I will share what I
> can.
>
> Regards
> Anton
>
> -----Original Message-----
> From: Meder Kydyraliev [mailto:meder_at_o0o.nu]
> Sent: 08 January 2006 07:29 AM
> To: webappsec_at_securityfocus.com
> Subject: Web App Traps (custom IDS)
>
> Hi,
>
> I've done a small writeup on web application traps. Full version is
> here: http://o0o.nu/~meder/wats.txt
>
> Confidentiality Warning
> =======================
>
> The contents of this e-mail and any accompanying documentation
> are confidential and any use thereof, in what ever form, by anyone
> other than the addressee is strictly prohibited.
>
> -------------------------------------------------------------------------------
> Watchfire's AppScan is the industry's first and leading web application
> security testing suite, and the only solution to provide comprehensive
> remediation tasks at every level of the application. See for yourself.
> Download AppScan 6.0 today.
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
> ------------------------------------------------------------------------------- 

-- 
http://o0o.nu/~meder
-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------
Received on Jan 09 2006
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]