Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Web App Traps (custom IDS)

Re: Web App Traps (custom IDS)

From: Jason <security_at_brvenik.com>
Date: Mon, 09 Jan 2006 13:48:40 -0500

All of these methods are easily implemented using existing IDS systems
like Snort. This is often referred to as a honeytoken and is trivial to
implement. You can take it further when operating inline by changing
values of a packet as they traverse the wire.

The obvious benefit is that it requires minimal code change on the
application side, can be completely transparent to the admin and user,
and is extremely flexible in implementation.

Damhuis Anton wrote:
> Hi Meder
>
> Read your article, and although quite interesting, I don't think it
> would work (for me).
>
> One thing it would be difficult to add time to a project just to allow
> non functional code into the code base. Non functional meaning as far as
> the customer is concerned. Further a new developer on the application
> might spend days looking at what one of the WATs does, wasting time, and
> maybe even remove it (which is not what the intension is).
>
> What would be a better solution is to encrypt all the GETS and POSTS (as
> well as Cookie) values. Encrypt them with a Checksum value.
>
> There is a *flaw* in implementing sequencial number encryption, whereby
> altering some
> Encrypted value, normaly produces a valid unencrypted number value. In
> my solution, if a value get decrypted to an incorrect format (this is
> where the Checksum comes in) it emails the user name and info to the
> support personal.
>
> I have implemented this type of solution on a web site before, and
> worked quite well. However since the web site was ASP, and the
> encryption work in VB Script, there is a very slight performance hit on
> the encryption and decryption of these values.
>
> If you would like more info, please let me know. I will share what I
> can.
>
> Regards
> Anton
>
> -----Original Message-----
> From: Meder Kydyraliev [mailto:meder_at_o0o.nu]
> Sent: 08 January 2006 07:29 AM
> To: webappsec_at_securityfocus.com
> Subject: Web App Traps (custom IDS)
>
> Hi,
>
> I've done a small writeup on web application traps. Full version is
> here: http://o0o.nu/~meder/wats.txt
>
> Confidentiality Warning
> =======================
>
> The contents of this e-mail and any accompanying documentation
> are confidential and any use thereof, in what ever form, by anyone
> other than the addressee is strictly prohibited.
>
> -------------------------------------------------------------------------------
> Watchfire's AppScan is the industry's first and leading web application
> security testing suite, and the only solution to provide comprehensive
> remediation tasks at every level of the application. See for yourself.
> Download AppScan 6.0 today.
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
> -------------------------------------------------------------------------------
>
>

-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------
Received on Jan 09 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]