{"id":41,"date":"2011-02-02T11:33:43","date_gmt":"2011-02-02T19:33:43","guid":{"rendered":"http:\/\/blog.mozilla.org\/webappsec\/?p=41"},"modified":"2011-02-02T11:33:43","modified_gmt":"2011-02-02T19:33:43","slug":"attack-aware-applications","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2011\/02\/02\/attack-aware-applications\/","title":{"rendered":"Attack Aware Applications"},"content":{"rendered":"<p>We are working hard to advance the security of Mozilla web applications. This includes efforts such as threat modelling, security training, security throughout development, code review, testing, the bounty program, and more. In addition to secure development, we are also working to make our applications \u201cattack aware\u201d.<\/p>\n<p>The idea behind an \u201cattack aware\u201d application is that the application is able to identify abnormal user actions that are not due to user errors, such as typos, and are instead the result of deliberate attacks against the application. The goal is to detect a malicious user probing for application weaknesses and disable their ability to cause damage to the system.<\/p>\n<p>An \u201cattack aware\u201d application uses blacklist-style detection of a potential attack. It is important to realize that this is not intended to be a substitute for secure design principles. Instead, it is an additional detection capability layered on top of a securely designed application. Think of a bank that has been built securely and then installs an alarm system to detect attempted attacks.<\/p>\n<p>The value of \u201cattack aware\u201d applications lies in the correct selection of detection points that minimize false positives and effectively detect malicious activity. For example, detecting a single tick (\u2018) within a text field (which could be used for SQL injection testing) is a bad detection point, since there will be many false positives from legitimate uses of that character (e.g. the name O\u2019Malley, or just typos).<\/p>\n<p>An example of a good attack detection point is detecting malicious values within password reset token URLs (e.g. site.com\/resetToken?k=abc &#8216; OR 1=1;&#8211;). There is no reason a user would accidentally modify the URL to include a potential SQL injection attack. Therefore, false-positive rates are low and the likelihood that the user is deliberately attacking the application is high. This is only one example of the detection points we are using. The <a title=\"OWASP AppSensor\" href=\"http:\/\/www.owasp.org\/index.php\/OWASP_AppSensor_Project\" target=\"_blank\">OWASP AppSensor<\/a> research project provides numerous detection points and covers this topic in much more detail.<\/p>\n<p>The next question is: what should be done after an attack is detected? Currently we are monitoring attack reports from our attack aware applications. This data is all fed into a security integration manager that allows us to monitor trends and investigate individual attack reports. We are moving towards building a system that will enable us to selectively block the offending user from the application to prevent further attacks.<\/p>\n<p>What about the <a href=\"http:\/\/www.mozilla.org\/security\/bug-bounty.html\" target=\"_blank\">bounty program<\/a>? These additional defenses are slowly being rolled into our systems and we don\u2019t expect any impact on the bounty program in the near future. 
However, when the time arrives one possible solution is to provide a mirror environment of bug bounty sites for security testing and enable the primary application with the attack aware capabilities and response options.<\/p>\n<p>Michael Coates<br \/>\nWeb Security Nomad<\/p>\n","protected":false},"author":1438,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[121],"tags":[],"coauthors":[]}