WebApp Sec mailing list archives
RE: Web App Traps (custom IDS)
From: "Damhuis Anton" <DamhuisA () aforbes co za>
Date: Mon, 9 Jan 2006 08:41:33 +0200
Hi Meder Read your article, and although quite interesting, I don't think it would work (for me). One thing it would be difficult to add time to a project just to allow non functional code into the code base. Non functional meaning as far as the customer is concerned. Further a new developer on the application might spend days looking at what one of the WATs does, wasting time, and maybe even remove it (which is not what the intension is). What would be a better solution is to encrypt all the GETS and POSTS (as well as Cookie) values. Encrypt them with a Checksum value. There is a *flaw* in implementing sequencial number encryption, whereby altering some Encrypted value, normaly produces a valid unencrypted number value. In my solution, if a value get decrypted to an incorrect format (this is where the Checksum comes in) it emails the user name and info to the support personal. I have implemented this type of solution on a web site before, and worked quite well. However since the web site was ASP, and the encryption work in VB Script, there is a very slight performance hit on the encryption and decryption of these values. If you would like more info, please let me know. I will share what I can. Regards Anton -----Original Message----- From: Meder Kydyraliev [mailto:meder () o0o nu] Sent: 08 January 2006 07:29 AM To: webappsec () securityfocus com Subject: Web App Traps (custom IDS) Hi, I've done a small writeup on web application traps. Full version is here: http://o0o.nu/~meder/wats.txt Confidentiality Warning ======================= The contents of this e-mail and any accompanying documentation are confidential and any use thereof, in what ever form, by anyone other than the addressee is strictly prohibited. ------------------------------------------------------------------------------- Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh -------------------------------------------------------------------------------
Current thread:
- Web App Traps (custom IDS) Meder Kydyraliev (Jan 08)
- <Possible follow-ups>
- RE: Web App Traps (custom IDS) Damhuis Anton (Jan 09)
- Re: Web App Traps (custom IDS) Meder Kydyraliev (Jan 09)
- Re: Web App Traps (custom IDS) Jason (Jan 09)