An application IPS can inspect HTTP requests to detect suspicious activities being performed by a potential attacker. Many IDS/IPS systems will look for a large number of predefined attacks in the URL, but that's not what we are talking about here. Instead, let's get more specific and minimize those false positives down to nearly zero. If our detection point fires we want to be assured that we have an attacker on our hands.
Here are a few strategies when looking at the HTTP requests.
1. [RE1] Unexpected HTTP Commands
The application is likely designed to support GET and POST. If a concise list of allowed HTTP commands can be created, then any other command is a malicious action by the user. The false positive rate is low because a user would need to explicitly craft a custom HTTP request with a non-supported or non-existent HTTP Command.
2. [RE2] Unexpected HTTP Headers
Define a list of standard HTTP headers and custom headers set by the application (if any). If any other headers are received, then the user is searching for potential attack vectors.
3. [RE3] GET When Expecting POST
Within the application, particular portions will only be expecting POST requests. Instead of simply mapping GETs to be handled as a POST, treat this as an attack instead. A user that is converting POST messages to GET statements may be trying to weaponize a vulnerability or craft a malicious link.
4. [RE4] POST When Expecting GET
Similar to item 3, if a user submits a POST to the application for a page that only expects GETs, then the application should record this as an attack. This may be an attempt to bypass security controls or filtering which only applies to GET statements.
5. [RE5] Unexpected Quantity of HTTP Headers
Similar to item 2, an HTTP request with a large number of HTTP headers may be an attempt by the sender to create a DoS or force the application to behave in an unexpected manner. Determine the maximum number of expected headers and set a reasonable threshold.
The above detection techniques are not possible with a standard application IPS or WAF that sits outside of the application. Instead a tight coupling is needed with the application itself. Read more about next generation IPS.
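As an added illustration (not code from the original post), here is how the five detection points can be evaluated inside the application, where the route table, allowed-header list and header threshold are known. The route table, the custom header name and the threshold value are constructed assumptions.

```python
# Added example: in-application checks for request exceptions RE1-RE5.
# Route table, header allow-list and threshold are constructed assumptions.
from dataclasses import dataclass, field

# Constructed: which HTTP commands each application route expects (RE3/RE4).
ROUTE_METHODS = {
    "/login": {"POST"},
    "/search": {"GET"},
    "/profile": {"GET", "POST"},
}
# Constructed: standard headers the application knows, plus its own custom one.
ALLOWED_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "content-type", "content-length", "cookie", "referer", "connection",
    "x-app-csrf-token",  # hypothetical custom header set by the application
}
SUPPORTED_COMMANDS = {"GET", "POST"}   # RE1: the only commands the app serves
MAX_HEADERS = 20                       # RE5: assumed reasonable threshold

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

def detect(req: Request) -> list:
    """Return the RE detection points a single request trips, in order."""
    fired = []
    method = req.method.upper()
    if method not in SUPPORTED_COMMANDS:
        fired.append("RE1")                      # unexpected HTTP command
    names = {h.lower() for h in req.headers}
    if names - ALLOWED_HEADERS:
        fired.append("RE2")                      # unexpected header present
    expected = ROUTE_METHODS.get(req.path)
    if expected and method not in expected:
        if method == "GET" and "POST" in expected:
            fired.append("RE3")                  # GET where POST is expected
        elif method == "POST" and "GET" in expected:
            fired.append("RE4")                  # POST where GET is expected
    if len(req.headers) > MAX_HEADERS:
        fired.append("RE5")                      # too many headers
    return fired

# Constructed sample: a login request rewritten as GET with an extra header.
SAMPLE = Request("GET", "/login", {"Host": "app.example", "X-Scanner": "1"})
print(detect(SAMPLE))  # → ['RE2', 'RE3']
```

Each fired point would be recorded against the user so that repeated hits can trigger a response, which is the coupling with the application that an external WAF cannot provide.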
Blog author Michael Coates
Tuesday, June 30, 2009