Insufficient Attack Protection


Description

The application provides insufficient attack protection. Attackers can probe and attack the application without limits in order to find and exploit vulnerabilities. Without an effective way to detect and defend against manual and automated attacks, the application has an increased likelihood of being exploited.

Impact

Attack protection is a defense-in-depth measure that limits an attacker's ability to discover and exploit vulnerabilities in the application. Attackers typically need time to probe, research, and test an application before they find a vulnerability. If the application cannot detect and block malicious activity, an attacker with enough time is more likely to succeed. In addition, ongoing attacks may go undiscovered for longer, and an initial compromise may be chained into further attacks, dramatically raising the impact on the application.

Custom Description

The following activities were not prevented by the application:

[Insert Activities]

Risk Rating

Likelihood – High

Impact – Low

Overall Risk – Medium

Remediation

Implement proactive defenses against manual and automated attacks. Technologies such as web application firewalls (WAFs) and runtime application self-protection (RASP) can provide an additional layer of defense against common application-level attacks; they complement, rather than replace, fixing the underlying vulnerabilities.

Monitor and respond to activity that indicates a potential attack. Signs of an attack include a high volume of requests in a short period of time, an unusual number of failed requests (for example failed logins), unexpected user input, a rise in 4xx and 5xx HTTP status codes, or well-known attack strings in requests.

If a potential attack is detected, take measures to stop further activity. These may include terminating the session, cancelling any in-progress operations, and redirecting to an error page. More aggressive responses include locking the account and blocking the source IP address; both can be abused by an attacker to lock out legitimate users, so apply them with care.

Use logging and monitoring of important events to help identify and respond to attacks as they happen. Utilizing SIEM solutions can provide near real-time correlation against logs and other data sets in order to identify potential attacks. When malicious activities are detected, initiate workflows to notify the proper individuals and trigger the appropriate actions.
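The following added example (not part of the original page, and not any vendor's WAF or SIEM logic) shows the detection and response guidance above run over a few constructed access-log lines. It computes per-source-IP request volume, 4xx/5xx counts and failed logins inside a sliding window, matches a handful of well-known attack strings against the URL-decoded path, and maps the resulting signals to an escalating response. The log format, thresholds, signatures and action names are all assumptions chosen for the example; a real ruleset is far larger and maintained.

```python
"""Toy detector for the attack signals described above: request bursts, failed
logins, 4xx/5xx spikes and well-known attack strings in a web access log.
The log format, thresholds and signatures are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Assumed simplified access-log line: "<ip> [<ISO timestamp>] <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] (\S+) (\S+) (\d{3})$")

# Illustrative attack-string signatures, matched against the URL-decoded path.
# A real WAF/RASP ruleset is far larger and maintained; these only show the mechanism.
ATTACK_PATTERNS = [
    ("sqli", re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|sleep\(\d+\)", re.I)),
    ("xss", re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),
]

# Per-source-IP thresholds inside a sliding WINDOW (assumed values).
WINDOW = timedelta(seconds=60)
MAX_REQUESTS = 20       # request-burst threshold
MAX_ERRORS = 8          # 4xx + 5xx responses
MAX_FAILED_LOGINS = 5   # 401/403 responses to /login


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": unquote_plus(path), "status": int(status)}


def attack_signatures(decoded_path):
    """Names of the ATTACK_PATTERNS that match an already URL-decoded path."""
    return [name for name, rx in ATTACK_PATTERNS if rx.search(decoded_path)]


def choose_action(signals):
    """Escalate the response with the evidence: alert only, terminate the session,
    lock the account for credential attacks, block the IP for scanners that also
    send attack strings."""
    has_attack_string = any(s.startswith("attack_string:") for s in signals)
    if "login_bruteforce" in signals:
        return "lock_account_and_alert"
    if has_attack_string and ("request_burst" in signals or "error_spike" in signals):
        return "block_ip_and_alert"
    if has_attack_string:
        return "terminate_session_and_alert"
    return "alert"


def analyze(lines):
    """Return {ip: {"signals": [...], "action": ...}} for every IP that trips a rule."""
    events = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e:
            events[e["ip"]].append(e)
    findings = {}
    for ip, evs in events.items():
        evs.sort(key=lambda ev: ev["ts"])
        signals = set()
        start = 0
        for end, e in enumerate(evs):
            # Advance the window start so that the window never spans more than WINDOW.
            while e["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            if len(window) > MAX_REQUESTS:
                signals.add("request_burst")
            if sum(1 for w in window if w["status"] >= 400) > MAX_ERRORS:
                signals.add("error_spike")
            if sum(1 for w in window
                   if w["path"].startswith("/login") and w["status"] in (401, 403)) > MAX_FAILED_LOGINS:
                signals.add("login_bruteforce")
            for sig in attack_signatures(e["path"]):
                signals.add("attack_string:" + sig)
        if signals:
            findings[ip] = {"signals": sorted(signals), "action": choose_action(signals)}
    return findings


def constructed_log():
    """Constructed sample log: one benign user, one credential brute force, one scanner."""
    base = datetime(2023, 5, 1, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"10.0.0.2 [{stamp(i * 20)}] GET {p} 200"
             for i, p in enumerate(["/", "/products", "/cart"])]
    lines += [f"10.0.0.5 [{stamp(i)}] POST /login 401" for i in range(8)]
    probes = ["/admin", "/backup.zip", "/.git/config",
              "/search?q=%27+OR+1%3D1--", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"]
    lines += [f"10.0.0.9 [{stamp(i)}] GET {probes[i % len(probes)]} {404 if i % 2 == 0 else 200}"
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for ip, finding in analyze(constructed_log()).items():
        print(ip, finding["action"], ", ".join(finding["signals"]))
```

Running the block flags 10.0.0.5 for the failed-login burst (account lock plus alert) and 10.0.0.9 for the request burst, the 404 spike and the SQL injection and XSS strings together (IP block plus alert), while the benign 10.0.0.2 produces nothing. In production the same signals would be raised from the WAF or application logs into the SIEM, and the chosen action fed back to the application or edge.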

How to Test

Conduct manual and automated attacks against the application in order to trigger anti-attack measures:

  • Spider the application.
  • Run an automated scanner such as Burp Active Scan.
  • Brute-force account logins.
  • Inject malicious strings for SQL injection and XSS.

Determine if the application takes any defensive measures such as:

  • Terminating the session
  • Redirecting to an error page
  • Locking the account
  • Notifying an administrator
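The brute-force step of the procedure above, as an added example that is not part of the original page or of any product: a probe that fires repeated wrong passwords at a login endpoint and reports the first attempt at which the response changes from the baseline (a different status code or body, a lockout message, a redirect), which is the evidence that some attack protection fired. To keep it runnable offline, the target is a throwaway in-process HTTP server that simulates an application locking an account after a fixed number of failures; the endpoint path, JSON body format, credentials and threshold are all assumed.

```python
"""Brute-force probe for a login endpoint, with a simulated target so it runs offline.
The endpoint, request format, credentials and lockout threshold are assumptions."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOCKOUT_AFTER = 5                                  # simulated target's lockout threshold
VALID_PASSWORD = "correct horse battery staple"    # constructed test credential


class SimulatedLogin(BaseHTTPRequestHandler):
    """Minimal stand-in for the application under test (not a real product)."""
    failures = {}   # username -> consecutive failed attempts, shared across requests

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        user, password = body.get("username", ""), body.get("password", "")
        if self.failures.get(user, 0) >= LOCKOUT_AFTER:
            self._reply(423, "account locked")       # defensive measure: account lock
        elif password == VALID_PASSWORD:
            self.failures[user] = 0
            self._reply(200, "welcome")
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
            self._reply(401, "invalid credentials")

    def _reply(self, code, text):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(text.encode())

    def log_message(self, *args):
        pass   # silence per-request server logging


def start_simulated_target():
    """Start the simulated application on a free loopback port; returns (server, login_url)."""
    server = HTTPServer(("127.0.0.1", 0), SimulatedLogin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/login"


def attempt_login(url, username, password):
    """POST one credential pair; returns (status, body) even for error responses."""
    payload = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(url, data=payload,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe_lockout(url, username="alice", attempts=20):
    """Send wrong passwords until the response differs from the first one.
    Returns (attempt_number, status, body) for the first changed response, or
    None if every attempt was answered identically (no protection observed)."""
    baseline = None
    for n in range(1, attempts + 1):
        response = attempt_login(url, username, f"wrong-password-{n}")
        if baseline is None:
            baseline = response
        elif response != baseline:
            return (n,) + response
    return None


if __name__ == "__main__":
    server, login_url = start_simulated_target()
    print("first changed response:", probe_lockout(login_url))
    # An account lock must also reject the correct password; that is what separates a
    # lockout from a rate limit that merely slows the attacker down.
    print("valid password after lockout:", attempt_login(login_url, "alice", VALID_PASSWORD))
    server.shutdown()
```

Against a real target, point probe_lockout at the application's login URL (adjusting attempt_login to the real parameter names) and treat a None result as "automated attack not prevented by application". A changed response is only an indication: confirm what fired (session terminated, account locked, IP blocked, administrator notified) before writing it up, and remember that the lock itself is the evidence for the report screenshot.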

Sample Report Screenshots

Automated attack not prevented by application

Time Saving Tips

A quick brute force on the login page should give you some indication of whether attack protection is in place.

Gotchas

If attack protection is active during the application pentest, it may mask vulnerabilities that actually exist in the application; if an attacker later bypasses the protection, or it is disabled at some point, those vulnerabilities are exposed. We recommend confirming that attack protection is in place, recording the evidence for the report, and then having it turned off (or the testing source addresses allow-listed) for the remainder of the test.

References

OWASP – https://www.owasp.org/index.php/Top_10_2017-A7-Insufficient_Attack_Protection

CWE 778 – http://cwe.mitre.org/data/definitions/778.html
