Thursday, February 3, 2011

Attack Aware Applications

(cross post with

We are working hard to advance the security of Mozilla web applications. This includes efforts such as threat modelling, security training, security throughout development, code review, testing, the bounty program, and more. In addition to secure development, we are also working to make our applications “attack aware”.

The idea behind an “attack aware” application is that the application is able to identify abnormal user actions that are not due to user errors, such as typos, and are instead the result of deliberate attacks against the application. The goal is to detect a malicious user probing for application weaknesses and disable their ability to cause damage to the system.

An “attack aware” application uses a blacklist style detection of a potential attack. It is important to realize that this is not intended to be a substitute for secure design principles. Instead, it is an additional detection capability layered on top of a securely designed application. Think of a bank that has been built securely and then installs an alarm system to detect attempted attacks.

The value of “attack aware” applications is in the correct selection of detection points that minimize false positives and effectively detects malicious activity. For example, detecting a single tick (‘) within a text field (which could be used for SQL injection testing) is a bad detection point since there will be many false positives with legitimate uses of that character (e.g. the name O’malley, or just typos).

An example of a good attack detection point is detecting malicious values within password reset token URLs (e.g. ‘ OR 1=1;–). There is no reason a user would accidentally modify the URL to include a potential SQL injection attack. Therefore false positive rates are low and the likelihood of the user purposively attacking the application is high. This is only one example of the detection points we are using. The OWASP AppSensor research project provides numerous detection points and covers this topic in much more detail.

The next question is what should be done after an attack is detected? Currently we are monitoring attack reports from our attack aware applications. This data is all fed into a security integration manager that allows us to monitor trends and investigate individual attack reports. We are moving towards building a system that will enable us to selectively block the offending user from the application to prevent further attacks.

What about the bounty program? These additional defenses are slowly being rolled into our systems and we don’t expect any impact on the bounty program in the near future. However, when the time arrives one possible solution is to provide a mirror environment of bug bounty sites for security testing and enable the primary application with the attack aware capabilities and response options.

Please direct comments to the mozilla blog post

-Michael Coates - @_mwc