views: 85
answers: 3

I would like to ask the proactive (or paranoid;) among us: What are you looking for, and how?

I'm thinking mainly about things that can be watched for programmatically, rather than manually inspecting logs.

For example:

  • Manual/automated hack attempts
  • Data skimming
  • Bot registrations (that have evaded captcha etc.)
  • Other unwanted behaviour

Just wondering what most people would consider practical and effective.

EDIT: Preventative stuff (like user input sanitation) is of course crucial, but in the case of this question I'm more interested in detecting a potential threat. In this case I'm interested in the Burglar alarm, rather than the locks, if you like ;)

EDIT2: An example of the kind of thing I'm talking about exists here on SO. If you make too many modifications to a question in a short period of time, it brings up a captcha to make sure you're not a bot.
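The SO behaviour described in EDIT2 (too many edits in a short window triggers a captcha) is a per-actor sliding-window counter. The following is an added example, not code from the original question or from Stack Overflow; the threshold values, the `BurstDetector` class and the event stream are all constructed for illustration. The detector only reports that an action should be challenged, which keeps the decision (captcha, flag for review, throttle) separate from the detection, as the question asks for.

```python
from collections import defaultdict, deque

# Constructed policy values (assumptions, not any real site's thresholds):
# more than MAX_EDITS edits by one actor inside WINDOW_SECONDS trips the check.
MAX_EDITS = 5
WINDOW_SECONDS = 60


class BurstDetector:
    """Per-actor sliding-window counter.

    record() returns True when the actor's recent activity exceeds the
    threshold, i.e. the action should be challenged (captcha, review flag),
    not necessarily blocked, since a burst can still be legitimate.
    """

    def __init__(self, max_events=MAX_EDITS, window=WINDOW_SECONDS):
        self.max_events = max_events
        self.window = window
        # actor -> timestamps (seconds) of events still inside the window
        self._events = defaultdict(deque)

    def record(self, actor, ts):
        q = self._events[actor]
        q.append(ts)
        # Evict events that have fallen out of the trailing window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.max_events


# Constructed sample event stream: (timestamp in seconds, actor id).
SAMPLE_EVENTS = [
    (0, "alice"), (10, "alice"), (20, "bob"), (25, "alice"), (30, "alice"),
    (35, "alice"), (40, "alice"), (45, "alice"), (200, "alice"), (205, "bob"),
]


def find_challenged(events, detector=None):
    """Return the (ts, actor) pairs at which the threshold was exceeded."""
    det = detector or BurstDetector()
    return [(ts, actor) for ts, actor in events if det.record(actor, ts)]


if __name__ == "__main__":
    for ts, actor in find_challenged(SAMPLE_EVENTS):
        print(f"t={ts}s: challenge {actor}")
```

With the sample stream, alice's sixth and seventh edits within one minute are flagged, while her edit at t=200 is not, because the earlier events have aged out of the window; bob never trips it. Memory stays bounded per actor because the deque is trimmed on every record.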

+3  A: 

Three pointers for you:

  1. Sanitize user input
  2. Sanitize user input
  3. Sanitize user input

Remember it, and remember it good.

LukeN
Repetition breeds reinforcement... repetition breeds reinforcement... repetition breeds reinforcement... (+1)
Platinum Azure
You see, that's one of the most common, most destructive and easiest thing to forget!
LukeN
Yeah :) +1, But assuming that we believe we have done as much as we humanly can regarding user input, what would you do to make sure you were quickly alerted to a problem?
UpTheCreek
The problem with bad data getting into the system is, when even the programmers couldn't take care about it getting in there, how should the program know it's bad or dangerous? When you can detect misbehavior, you can already block it in the first place.
LukeN
Not all vulnerabilities are caused by not "Sanitizing user input". CSRF is a good example because it is so wide spread.
Rook
@The Roook: Of course I can't generalize it, but I never said that user input is the ONLY source for problems, I'm just stressing this particular point because it's such a HUGE one! MySQL injections, cross site scripting vulnerabilities and many more are all related to it!
LukeN
@Luke - But with behaviours it's not so simple, you can't simply always block activity, because it might be legitimate. But you might want to flag it as suspicious.
UpTheCreek
+1  A: 

An application that looks for malicious HTTP requests before they make it to the web application is called a Web Application Firewall. Most WAFs can be configured to send emails when attacks are detected, thus you have a "Burglar Alarm". WAFs are more useful to prevent attacks before they reach your web application, which is more like a brick wall that gets pissed off when you touch it.

Rook
Thanks, but I was rather meaning detecting unusual behaviour in the application itself (which might be considered perfectly legitimate requests by the firewall). (e.g. most firewalls will not normally be able to help with detecting bot activity)
UpTheCreek
@Sosh it entirely depends on the type of bot. A WAF will cause serious problems for vulnerability scanners like this: http://www.acunetix.com/
Rook
+2  A: 

You could look at statistical anomalies. For example, keep a running average of the percentage of failed logins for each hour over the last day. If that percentage suddenly becomes, say, three times as large, you may be looking at a password breaking attempt.

There's no way to tell up front what the right parameters for such an algorithm would be. I'd say you start by making them overly sensitive, then tune them down until the number of false positives becomes acceptable.

Thomas
Good idea... +1
UpTheCreek
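Thomas's suggestion of an hourly failed-login ratio compared against the previous day's running average, worked through as an added example (not code from the answer or from any real product). The log line format, the regex, the `min_rate` floor and the sample log are all assumptions constructed here. The floor handles the edge case the "three times as large" rule cannot: when the baseline is zero, any multiple of it is still zero, so the check falls back to an absolute rate.

```python
import re
from collections import OrderedDict

# Assumed log format (constructed): "<YYYY-MM-DDTHH> <ok|fail> user=<name>"
LOG_RE = re.compile(r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}) (?P<outcome>ok|fail) user=\S+$")


def hourly_failure_rates(lines):
    """Map each hour bucket to the fraction of login attempts that failed.

    Buckets are kept in first-seen order so the last entry is the latest hour.
    Lines that do not match the assumed format are ignored.
    """
    counts = OrderedDict()  # hour -> [failed, total]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bucket = counts.setdefault(m["hour"], [0, 0])
        bucket[1] += 1
        if m["outcome"] == "fail":
            bucket[0] += 1
    return OrderedDict((h, failed / total) for h, (failed, total) in counts.items())


def failed_login_alert(rates, factor=3.0, baseline_hours=24, min_rate=0.05):
    """Compare the latest hour's failure rate with the mean of the preceding hours.

    Returns (alert, current_rate, baseline_rate). factor=3.0 is the answer's
    "three times as large"; min_rate is an assumed absolute floor used only
    when the baseline is zero, where a ratio test is meaningless.
    """
    hours = list(rates.items())
    if len(hours) < 2:
        return False, None, None
    _, current = hours[-1]
    window = [r for _, r in hours[-1 - baseline_hours:-1]]
    baseline = sum(window) / len(window)
    if baseline == 0:
        return current >= min_rate, current, baseline
    return current >= factor * baseline, current, baseline


def build_sample_log():
    """Constructed sample: a quiet day at 10% failures, then a spike to 60%."""
    lines = []
    for h in range(24):
        hour = f"2010-05-01T{h:02d}"
        lines += [f"{hour} ok user=u{i}" for i in range(9)]
        lines.append(f"{hour} fail user=u9")
    lines += ["2010-05-02T00 ok user=u0"] * 4
    lines += ["2010-05-02T00 fail user=victim"] * 6
    return lines


if __name__ == "__main__":
    alert, current, baseline = failed_login_alert(hourly_failure_rates(build_sample_log()))
    print(f"alert={alert} current={current:.2f} baseline={baseline:.2f}")
```

The tuning advice in the answer maps directly onto `factor` and `min_rate`: start them low (sensitive), then raise them until the false-positive rate is tolerable. Because the baseline is a mean over the trailing day, a slow ramp-up will itself raise the baseline; a practitioner who wants to catch gradual drift would keep a longer reference window alongside this one.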