OWASP has just released their release candidate of the Top 10 most critical web application security risks. While no major changes were included, i.e. Injection is still number one in the list, they added two new ones:
A7 – Insufficient Attack Protection
A10 – Under protected APIs
This blog discusses the first.
A7 – Insufficient Attack Protection
OWASP stated the reason for the addition as being:
For years, we’ve considered adding insufficient defenses against automated attacks. Based on the data call, we see that the majority of applications and APIs lack basic capabilities to detect, prevent, and respond to both manual and automated attacks. Application and API owners also need to be able to deploy patches quickly to protect against attacks.
An application must protect itself against attacks not just from invalid input, but also involved detecting and blocking attempts to exploit the security vulnerabilities. The application must try to detect and prevent them, log these attempts and respond to them.
What are some examples of attacks that should be handled?
Brute force attacks to guess user credentials
Flooding user’s email accounts using email forms in the application
Attempting to determined valid credit card numbers from stolen cards
Denial of service by flooding the application with many requests
XSS or SQL Injection attacks by automated tools
A more complete list can here found here but the ways in which they are handled are all very similar.
The first step is to prevent these types of attacks.
Consider using some built-in steps for preventing attacks to the application. This includes:
Remove or limit the values of the data accessed using the application; can it be changed, masked or removed?
Create use (abuse) cases that simulate automated web attacks.
Identify and restrict automated attacks by identifying automation techniques to determine is the requests are being made by a human or by an automated tool.
Make sure the user is authenticated and authorized to use the application.
Consider using CAPTCHA when high value functions are being performed.
Set limits on how many transaction can be performed over a specified time; consider doing this by user or groups of users, devices or IP address.
Consider the use of web application firewalls that detect these types of attacks. Another alternative is using OWASP AppSensor or similar; it is built into the application to detect these types of attacks.
Build conditions into your terms and conditions; require the user not to use automated tools when using the application.
Other items to consider to use include:
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
Data Loss Prevention
An application must determine if activity is an attack or just suspicious. The response must be appropriate based on which of these is true.
Could the user have made a mistake when entering the data?
Is the process being followed for the application or is the user trying to jump past steps in the process?
Does the user need a special tool or knowledge?
If any two of the above items are true, then it is most likely an attack and not suspicious activity.
Is it possible that the requests are coming in at a very high rate? A typical user may make one request every couple of seconds, whereas a tool such as Burp Suite Pro or WebInspect may make many more requests per second. The application should also detect these types of attack or attempts to find vulnerabilities in the application.
The application can handle detected attacks or even the suspicion of attacks in a variety of ways.
The first should be a warning to the user. This will deter a normal user that their activities are being monitored. It would also warn a malicious user that certain events are being monitored, though it will probably not deter the latter person.
The application could, based on further activity after the warning, either logout the user or lockout the user. If a logout is performed, automated tools can be programed to automatically re-authenticate the user. If lockout is chosen, then all activity will stop.
In any of the above cases, a legitimate user may end up calling the help desk, so the application must log this type of activity and notify the application’s administrators. The log must be reviewed to determine if the response was appropriate.
Choosing which action to perform would depend on the sensitivity of the data within the application. A public website must be more forgiving to prevent overreaction to suspicious activities; whereas an application with highly sensitive data must respond quickly to suspicious activity.
The OWASP Top 10 2017 A7 – Insufficient Attack Protection requires the application to prevent, detect, and respond to attacks. This could affect other regulations such as PCI, which base their standards on the OWASP Top 10.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.