Web Application Defender's Cookbook
by Ryan C. Barnett, Jeremiah Grossman
December 2012
Intermediate to advanced
552 pages
13h 16m
English
Wiley
Content preview from Web Application Defender's Cookbook
Recipe 12-5: Identifying a Significant Increase in Resource Usage
This recipe shows you how to identify when the user community accesses specific resources at a high rate.
Ingredients
  • ModSecurity
    • initcol action
    • RESOURCE:UPDATE_RATE variable
    • @gt operator
Sample Attack
Cross-Site Request Forgery (CSRF) Worm Attacks against Social Networking Sites
Social networking sites such as Facebook are ripe targets for attackers who want to propagate spam links throughout the user base. A site such as Facebook is especially attractive to spammers because links posted there enjoy a higher click rate, owing to the supposed “trusted source” nature of Facebook wall postings. If a friend posts that you should check out a link, there is a good chance you will click it. What happens most of the time is that the page you land on contains CSRF code that issues a request back to Facebook to spread the spam link. That request uses the victim user’s current session credentials to authorize the post and thus spreads the link further. These attacks are viral in their propagation and therefore cause severe spikes in the usage of specific application functions. By monitoring these application usage patterns, you can identify CSRF worms more quickly.
Identifying Resource Usage Spikes
We can leverage ModSecurity’s RESOURCE persistent storage collection to track access attempts to specific resources. Here is a sample initialization rule taken from the modsecurity_crs_40_appsensor_detection_point_2.0_setup.conf ...
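The following ModSecurity 2.x rule set is an added illustration of the technique the recipe describes and is not the book’s own rule or the rule from the OWASP Core Rule Set file named above. It initializes a persistent RESOURCE collection keyed on host and request path, touches the collection on every request so that ModSecurity maintains its built-in UPDATE_COUNTER and UPDATE_RATE variables, and then alerts with @gt when the per-resource update rate crosses a baseline. The rule ids (900001 to 900003), the SecDataDir path, the collection key format, and the threshold of 300 updates per minute are assumptions chosen for this example; a real deployment should derive the threshold from observed traffic for each resource.

```apache
# Added example (not from the book or the OWASP CRS). Persistent collections
# require an on-disk store; the path below is an assumption for this example.
SecDataDir /var/cache/modsecurity

# Phase 1: initialize (or load) a RESOURCE collection for this host + path.
# The key format is an assumption; any stable per-resource key works.
SecAction "phase:1,id:900001,nolog,pass,\
  initcol:resource=%{request_headers.host}_%{request_filename}"

# Phase 5: write to the collection on every request. Any update causes
# ModSecurity to refresh the built-in UPDATE_COUNTER and UPDATE_RATE
# (updates per minute, calculated since the collection was created).
SecAction "phase:5,id:900002,nolog,pass,\
  setvar:resource.hits=+1"

# Phase 5: alert when the resource's update rate exceeds the baseline.
# 300 updates/minute is an assumed threshold for this example only.
SecRule RESOURCE:UPDATE_RATE "@gt 300" \
  "phase:5,id:900003,pass,log,\
  msg:'Resource usage spike: %{RESOURCE.UPDATE_RATE} updates/min for %{request_filename}'"
```

Two points to keep in mind when tuning this. UPDATE_RATE is an average over the lifetime of the collection, so a resource that has been tracked for hours will mask a short burst; shortening the collection lifetime via its TIMEOUT variable (default 3600 seconds) makes the rate respond faster to a sudden spike. The rule also uses pass rather than a blocking action, because a traffic spike on one URL is evidence of a worm, not proof of one; log it, correlate it with the request sources, and only then decide whether to rate-limit the resource.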
Publisher Resources

ISBN: 9781118417058