WebApp Sec mailing list archives
Re: Web App Traps (custom IDS)
From: Meder Kydyraliev <meder () o0o nu>
Date: Mon, 9 Jan 2006 20:34:19 +0800
Hi Anton, Thanks for the feedback. Comments inline. On Mon, Jan 09, 2006 at 08:41:33AM +0200, Damhuis Anton wrote:
Hi Meder. Read your article, and although quite interesting, I don't think it would work (for me). For one thing, it would be difficult to add time to a project just to allow non-functional code into the code base. Non-functional meaning as far as the customer is concerned. Further, a new developer on the application might spend days looking at what one of the WATs does, wasting time, and maybe even remove it (which is not what the intention is).
non-functional code: well, it really depends; in some cases built-in intrusion detection could actually be used as a selling point. As for in-house apps, WATs can be considered taking IDS a bit further. wasting time: clear documentation of WATs will solve the problem easily.
What would be a better solution is to encrypt all the GET and POST (as well as Cookie) values. Encrypt them with a Checksum value. There is a *flaw* in implementing sequential number encryption, whereby altering some Encrypted value normally produces a valid unencrypted number value. In my solution, if a value gets decrypted to an incorrect format (this is where the Checksum comes in) it emails the user name and info to the support personnel.
Sounds like a WAT to me :)
I have implemented this type of solution on a web site before, and it worked quite well. However, since the web site was ASP and the encryption ran in VB Script, there is a very slight performance hit on the encryption and decryption of these values. If you would like more info, please let me know. I will share what I can. Regards Anton

-----Original Message-----
From: Meder Kydyraliev [mailto:meder () o0o nu]
Sent: 08 January 2006 07:29 AM
To: webappsec () securityfocus com
Subject: Web App Traps (custom IDS)

Hi, I've done a small writeup on web application traps. Full version is here: http://o0o.nu/~meder/wats.txt

-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------
-- http://o0o.nu/~meder
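The scheme Anton describes (encrypt every GET/POST/cookie value, bind a checksum to it, and raise an alert whenever a value fails to decode) as an added Python example; this is not code from Anton, Meder or the thread, and the key, parameter names and alert sink are constructed for the demo. It uses only the standard library: an HMAC-SHA256 counter-mode keystream for confidentiality and a truncated HMAC tag as the "checksum", with the unauthenticated variant kept alongside to show the malleability flaw Anton mentions (flipping one ciphertext bit turns "42" into another well-formed number, "52", and nothing notices). A production deployment would use an AEAD such as AES-GCM from a crypto library instead of the hand-rolled keystream.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed demo key; a real deployment loads a per-application secret from config.
KEY = b"constructed-demo-secret-change-me"
NONCE_LEN = 8   # per-value random nonce prepended to the token
TAG_LEN = 16    # truncated HMAC-SHA256 tag appended to the token


class TamperedValue(Exception):
    """A parameter failed to decode: Anton's 'decrypted to an incorrect format'."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 run in counter mode as a PRF-based stream cipher.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_unauthenticated(key: bytes, value: str) -> str:
    """Encryption only: confidential, but malleable (the flaw Anton describes)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(value.encode(), _keystream(key, nonce, len(value)))
    return base64.urlsafe_b64encode(nonce + ct).decode()


def open_unauthenticated(key: bytes, token: str) -> str:
    raw = base64.urlsafe_b64decode(token)
    nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct))).decode()


def seal(key: bytes, value: str) -> str:
    """Encrypt-then-MAC: token = base64(nonce || ciphertext || tag)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(value.encode(), _keystream(key, nonce, len(value)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_sealed(key: bytes, token: str) -> str:
    """Verify the checksum before decrypting; any failure is a TamperedValue."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:                      # bad padding / non-ASCII input
        raise TamperedValue("not base64")
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise TamperedValue("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise TamperedValue("checksum mismatch")
    return _xor(ct, _keystream(key, nonce, len(ct))).decode()


def flip_first_ciphertext_bit(token: str) -> str:
    """Test-harness edit that simulates a modified token: XOR the low bit of the
    first ciphertext byte (for an ASCII digit this yields a neighbouring digit)."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[NONCE_LEN] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def read_param(key: bytes, params: dict, name: str, user: str, alerts: list):
    """Decode one request parameter. On failure, record who sent what (Anton
    e-mails support; here the record is appended to `alerts`) and return None."""
    token = params.get(name)
    if token is None:
        return None
    try:
        return open_sealed(key, token)
    except TamperedValue as exc:
        alerts.append({"user": user, "param": name, "reason": str(exc), "token": token})
        return None


if __name__ == "__main__":
    tampered = flip_first_ciphertext_bit(seal_unauthenticated(KEY, "42"))
    print("unauthenticated, one bit flipped:", open_unauthenticated(KEY, tampered))
    log = []
    print("authenticated, one bit flipped:",
          read_param(KEY, {"id": flip_first_ciphertext_bit(seal(KEY, "42"))}, "id", "alice", log))
    print("alert record:", log[0])
```

The alert record carries the user, the parameter name and the raw token, which is what support staff need to decide whether a single malformed request was a broken client or a user probing parameter values; the tag check runs before any decryption, so malformed tokens never reach application logic.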