Re: Web App Traps (custom IDS)

[Jason <security () brvenik com>]

All of these methods are easily implemented using existing IDS systems
like Snort. This is often referred to as a honeytoken and is trivial to
implement. You can take it further when operating inline by changing
values of a packet as they traverse the wire.

The obvious benefit is that it requires minimal code change on the
application side, can be completely transparent to the admin and user,
and is extremely flexible in implementation.

Damhuis Anton wrote:
> Hi Meder
>
> Read your article, and although quite interesting, I don't think it
> would work (for me).
>
> One thing it would be difficult to add time to a project just to allow
> non functional code into the code base. Non functional meaning as far as
> the customer is concerned. Further a new developer on the application
> might spend days looking at what one of the WATs does, wasting time, and
> maybe even remove it (which is not what the intension is).
>
> What would be a better solution is to encrypt all the GETS and POSTS (as
> well as Cookie) values. Encrypt them with a Checksum value.
>
> There is a *flaw* in implementing sequencial number encryption, whereby
> altering some
> Encrypted value, normaly produces a valid unencrypted number value. In
> my solution, if a value get decrypted to an incorrect format (this is
> where the Checksum comes in) it emails the user name and info to the
> support personal.
>
> I have implemented this type of solution on a web site before, and
> worked quite well. However since the web site was ASP, and the
> encryption work in VB Script, there is a very slight performance hit on
> the encryption and decryption of these values.
>
> If you would like more info, please let me know. I will share what I
> can.
>
> Regards
>   Anton
>
> -----Original Message-----
> From: Meder Kydyraliev [mailto:meder () o0o nu]
> Sent: 08 January 2006 07:29 AM
> To: webappsec () securityfocus com
> Subject: Web App Traps (custom IDS)
>
> Hi,
>
> I've done a small writeup on web application traps. Full version is
> here: http://o0o.nu/~meder/wats.txt
>
> Confidentiality Warning
> =======================
>
> The contents of this e-mail and any accompanying documentation
> are confidential and any use thereof, in what ever form, by anyone
> other than the addressee is strictly prohibited.
>
> -------------------------------------------------------------------------------
> Watchfire's AppScan is the industry's first and leading web application 
> security testing suite, and the only solution to provide comprehensive 
> remediation tasks at every level of the application. See for yourself. 
> Download AppScan 6.0 today.
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
> -------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download AppScan 6.0 today.

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
-------------------------------------------------------------------------------