Detecting suspicious behavior in a web application - what to look for?

I would like to ask those of us who are proactive (or paranoid ;)): what are you looking for, and how?

I think mainly about things that can be observed programmatically, rather than manually checking the logs.

For example:

  • Manual / automatic hacking attempts.
  • Data capture.
  • Bot registrations (which evaded captcha, etc.).
  • Other unwanted behavior.

Just wondering what most people find practical and effective.

Preventive measures (such as sanitizing user input) are, of course, crucial, but in this case I'm more interested in detecting a potential threat. Here I'm interested in a burglar alarm, not blocking.

An example of what I'm talking about exists here on SO. If you make too many changes to a question in a short period of time, it triggers a captcha to make sure that you are not a bot.

+6
security web-applications bots
4 answers

Three pointers for you:

  • Sanitize user input
  • Sanitize user input
  • Sanitize user input

Remember this and remember that it’s good.

+3

You can look for statistical anomalies. For example, keep the average percentage of failed logins per hour for the last day. If this percentage suddenly becomes, say, three times as large, you may be looking at a password-cracking attempt.

It is impossible to say what the correct parameters for such an algorithm will be. I would say that you start by making them overly sensitive, and then adjust them until the number of false positives is acceptable.

+2
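The rolling failed-login baseline described in this answer, written out in Python as an added example (this is not code from the original answer). The log line format, the hourly bucketing, the 24-hour window, the threefold factor and the baseline floor are all assumptions; the sample log is constructed inline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean


def hourly_failure_pct(lines):
    """Map each hour bucket to its failed-login percentage.

    Assumed (constructed) line format: "<ISO-8601 timestamp> <username> <ok|fail>".
    """
    counts = defaultdict(lambda: [0, 0])  # hour -> [failed, total]
    for line in lines:
        ts, _user, outcome = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        counts[hour][1] += 1
        if outcome == "fail":
            counts[hour][0] += 1
    return {h: 100.0 * failed / total for h, (failed, total) in counts.items()}


def failed_login_alarm(lines, now, factor=3.0, window_hours=24, floor_pct=1.0):
    """Return (alarm, current_pct, baseline_pct).

    Baseline = mean failure percentage of the `window_hours` hours before the
    current one. Hours with no attempts count as 0% so a quiet night cannot hide
    a spike; the baseline is floored at `floor_pct` so a near-zero baseline does
    not turn a single stray failure into a "threefold" increase.
    """
    pct = hourly_failure_pct(lines)
    current_hour = now.replace(minute=0, second=0, microsecond=0)
    history = [pct.get(current_hour - timedelta(hours=i), 0.0)
               for i in range(1, window_hours + 1)]
    baseline = max(mean(history), floor_pct)
    current = pct.get(current_hour, 0.0)
    return current >= factor * baseline, current, baseline


def make_sample_log(now, spike=True):
    """Construct sample lines: 24 hours at 10% failures, then a 60% (or 4%) hour."""
    start = now.replace(minute=0, second=0, microsecond=0) - timedelta(hours=24)
    lines = []
    for h in range(25):
        t = start + timedelta(hours=h)
        attempts, fails = (20, 2) if h < 24 else (50, 30 if spike else 2)
        for i in range(attempts):
            outcome = "fail" if i < fails else "ok"
            lines.append(f"{(t + timedelta(minutes=i)).isoformat()} user{i} {outcome}")
    return lines


def demo(spike=True):
    now = datetime(2024, 1, 2, 12, 30)  # constructed "current time"
    return failed_login_alarm(make_sample_log(now, spike), now)
```

Calling `demo()` returns `(True, 60.0, 10.0)`; `demo(spike=False)` returns `(False, 4.0, 10.0)`, so the quiet hour stays below the threefold threshold.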

An application that looks for malicious HTTP requests before they reach a web application is called a web application firewall. Most WAFs can be configured to send email when an attack is detected, so you have a "hack alarm". WAFs are more useful for preventing attacks before they reach your web application, which is more like a brick wall that gets angry when you touch it.

+1

The best way to find out whether you will see problems with your application is to be proactive in identifying problems yourself. Start with a threat model first. Threat models are critical to finding potential problems before attackers do.

Here are the steps I would take to understand the threat situation of the application:

  • First, identify all the processes in your application (for example, authentication, transaction processing, etc.).
  • Second, map the data flow of the highest and most critical processes. For me, data flow diagrams are the biggest help in seeing visually where potential attacks can come from.
  • Third, analyze your processes. For this, I recommend a tool similar to Microsoft's Threat Modeling tool. It is good at forcing you to look at all possible attacks.
  • Fourth, draw up a plan to fix what you find.

This process is incredibly useful because those who develop applications know how to find flaws better than attackers.

0
