If anything makes web application security different from, and more interesting than, traditional information security, it is threats to the application logic, i.e. attacks that abuse legitimate functionality. Such attacks often raise legal and ethical questions: if this is legitimate functionality, can using it be an attack? Ethical questions aside, there is no question that click fraud, scraping and comment spam cause real pain and financial damage to web site owners.
The new OWASP Automated Threat Handbook tries to sort out this field and define an ontology for web automation attacks and for countermeasures against them.
My own presentation on the topic takes a different approach: there is no real dividing line between valid and malicious automation. It is a continuum. I scored each automation technique for "obviousness", i.e. how clear it would be that the activity is automated rather than human, and for maliciousness. Based on the scores I split the techniques into obviously malicious, accepted and borderline. For example, on a 1-5 scale (1 being not obvious/not malicious, 5 being obvious/malicious):
- "Auction sniping" gets 2 for obviousness and 3 for maliciousness, which makes it borderline.
- "Web spam" gets 3 for obviousness and 4 for maliciousness; the extra points put it in the malicious category.
- At the edges, blind SQL injection gets 5 and 5 (it is both obvious and clearly malicious), while comparative shopping gets 1 for maliciousness because it has become an accepted industry practice. That does not mean the "attacked" web site is not negatively impacted by it.
Read the presentation to get the scores for all of them and learn what "queue jumping", "auction sniping" and "web spam" are!