
Detecting suspicious behaviour in a web application - what to look for?

I would like to ask the proactive (or paranoid;) among us: What are you looking for, and how?

I'm thinking mainly about things that can be watched for programmatically, rather than manually inspecting logs.

For example:

  • Manual/automated hack attempts.
  • Data skimming.
  • Bot registrations (that have evaded captcha etc.).
  • Other unwanted behaviour.

Just wondering what most people would consider practical and effective.

Preventative stuff (like user input sanitization) is of course crucial, but in the case of this question I'm more interested in detecting a potential threat. In this case I'm interested in the burglar alarm, rather than the locks.

An example of the kind of thing I'm talking about exists here on SO. If you make too many modifications to a question in a short period of time, it brings up a captcha to make sure you're not a bot.


Three pointers for you:

  1. Sanitize user input
  2. Sanitize user input
  3. Sanitize user input

Remember it, and remember it well.


An application that looks for malicious HTTP requests before they make it to the web application is called a Web Application Firewall. Most WAFs can be configured to send emails when attacks are detected, thus you have a "burglar alarm". WAFs are more useful to prevent attacks before they reach your web application, which is more like a brick wall that gets pissed off when you touch it.


You could look at statistical anomalies. For example, keep a running average of the percentage of failed logins for each hour over the last day. If that percentage suddenly becomes, say, three times as large, you may be looking at a password breaking attempt.

There's no way to tell up front what the right parameters for such an algorithm would be. I'd say you start by making them overly sensitive, then tune them down until the number of false positives becomes acceptable.
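The hourly failed-login anomaly check described in this answer, as an added example (my code, not the answerer's). It parses constructed log lines in an assumed format, keeps a per-hour failure percentage, compares each hour against the mean of the preceding day, and flags hours that reach the configured multiple (three times by default). The `min_attempts` and `floor_pct` parameters are the tuning knobs the answer mentions: they keep a handful of stray failures, or a baseline of almost zero, from paging you.

```python
"""Added example: flag hours whose failed-login share jumps far above the running average."""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed log format assumed for this example (not from any real server):
#   "<ISO timestamp> LOGIN_<OK|FAIL> user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+) LOGIN_(OK|FAIL) user=(\S+) ip=(\S+)$")


def make_sample_log():
    """Build constructed log lines: five quiet hours, one hour of mostly failures,
    then one lone failure (too few attempts to alert on)."""
    base = datetime(2024, 5, 1, 0, 0, 0)
    plan = [(4, 1)] * 5 + [(1, 8)] + [(0, 1)]  # (ok, fail) counts per hour
    lines = []
    for hour, (ok, fail) in enumerate(plan):
        for i in range(ok):
            ts = base + timedelta(hours=hour, minutes=i)
            lines.append(f"{ts.isoformat()} LOGIN_OK user=alice ip=10.0.0.5")
        for i in range(fail):
            ts = base + timedelta(hours=hour, minutes=30 + i)
            lines.append(f"{ts.isoformat()} LOGIN_FAIL user=admin ip=203.0.113.7")
    return lines


def parse_line(line):
    """Return (timestamp, is_failure, user, ip) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return datetime.fromisoformat(ts), result == "FAIL", user, ip


def hourly_stats(lines):
    """Return {hour_start: (failed, total)} in chronological order."""
    failed, total = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the monitor
        ts, is_fail, _, _ = rec
        hour = ts.replace(minute=0, second=0, microsecond=0)
        total[hour] += 1
        if is_fail:
            failed[hour] += 1
    return {h: (failed[h], total[h]) for h in sorted(total)}


def failure_pct(failed, total):
    return 100.0 * failed / total if total else 0.0


def detect_anomalies(stats, factor=3.0, window_hours=24, min_attempts=5, floor_pct=1.0):
    """Return [(hour, pct, baseline)] for hours where pct >= factor * baseline.

    baseline is the mean failure percentage of the preceding window_hours hours
    that have data. min_attempts suppresses alerts on hours too small to mean
    anything; floor_pct stops a near-zero baseline from flagging every blip.
    """
    hours = list(stats)
    alerts = []
    for i, hour in enumerate(hours):
        failed, total = stats[hour]
        if total < min_attempts:
            continue
        prev = [h for h in hours[:i] if hour - h <= timedelta(hours=window_hours)]
        if not prev:
            continue  # nothing to compare against yet
        baseline = sum(failure_pct(*stats[h]) for h in prev) / len(prev)
        pct = failure_pct(failed, total)
        if pct >= factor * max(baseline, floor_pct):
            alerts.append((hour, round(pct, 1), round(baseline, 1)))
    return alerts


if __name__ == "__main__":
    for hour, pct, base in detect_anomalies(hourly_stats(make_sample_log())):
        print(f"{hour:%Y-%m-%d %H:00}: {pct}% failed logins vs {base}% baseline")
```

Start with a low `factor` and a low `min_attempts`, as the answer suggests, and raise them until the false-positive rate is tolerable; the same skeleton works for other per-hour ratios (registrations per IP, edits per user) by changing what `parse_line` extracts.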


The best way to know if you are going to see problems with your application is to be proactive about identifying the problems yourself. First start with a Threat Model. Threat Models are critical to finding the potential problems before the attackers do.

Here are the steps I would do to get an understanding of the application threat landscape:

  1. First identify all of the processes in your application (i.e. authentication, transaction processing, etc.)
  2. Second, data flow the highest and most critical processes. To me, data flow diagrams are the biggest help in visually seeing where the potential attacks would come from.
  3. Third, analyze your processes. For this, I recommend a tool like the Threat Modeling tool from Microsoft. It's good at forcing you to look at all the possible attack vectors.
  4. Fourth, put together a plan to fix what you find.

This process is incredibly helpful since those who develop the applications know about how to find the flaws better than do the attackers.
