1) The document discusses securing web applications by focusing on business logic security rather than just the OWASP top 10. It presents an approach to monitor business logic functions and define rules to detect attacks.
2) The approach involves instrumenting business logic functions to generate event data, processing that event stream to analyze metrics like call volumes and user flows, and defining responses like locking accounts if unusual activity is detected.
3) A case study is presented on how this approach could have detected and responded to the recent Facebook hack by monitoring functions related to user impersonation and token generation and locking affected user accounts.
25. Retrieve all the context you need
• Authenticated user
• Custom business information
• Custom code / framework information
• Any HTTP value
• Previous service called
• Spanning information
28. Analyze
• The volume of calls
• The successive actions performed by a given user (or IP)
• Detect unusual activity
• Anomalies in volume, proportions
• Check logic flows
29. Respond
• Deny access to sensitive functions
• Deny access to a whole service
• Set account “read only”
• Lock a user account
• Log a user out
• Trigger a pager
• Fire a webhook
• Create a ticket
• …
32. How to solve it
Record business logic actions (down to the code)
Define rules to detect a vulnerability exploitation
Trigger security responses to be applied
Example, monitored functions:
(a) Impersonate a user
(b) Generate a token
Rule: user is calling (impersonation) too much OR user is calling (generate_token) too much
Response: lock the user AND tag the user for review
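The three steps above (record business-logic actions, define a rule, trigger a response) as one runnable sketch. This is an added example, not code from the talk or from any product it describes: the `Monitor`, `Rule`, `business_event` decorator, the two instrumented functions, the thresholds and the traffic sample are all illustrative assumptions chosen to reproduce the slide's rule (too many impersonations OR too many token generations by one user) and its response (lock the user AND tag the user for review).

```python
"""Added example of the approach on the slide: instrument business-logic
functions, collect an event stream, run volume rules per user over a sliding
window, and apply a response. All names and thresholds are assumptions;
the traffic at the bottom is constructed, not real data."""
from collections import defaultdict, deque
from dataclasses import dataclass
from functools import wraps


@dataclass
class Event:
    ts: float          # seconds; taken from the request context here
    user: str          # authenticated user (context from slide 25)
    ip: str            # any HTTP value, e.g. the client address
    function: str      # business-logic function that was called
    context: dict      # custom business information (the target account, ...)


@dataclass
class Rule:
    name: str
    function: str      # instrumented function this rule watches
    max_calls: int     # more than this many calls by one user ...
    window: float      # ... within this many seconds trips the rule


class Monitor:
    def __init__(self, rules):
        self.rules = rules
        self.events = []                  # the raw event stream, kept for review
        self.locked = set()               # users currently locked out
        self.review_queue = []            # (user, rule name, ts) tagged for review
        self._recent = defaultdict(deque)  # (user, function) -> recent call timestamps

    def record(self, event):
        """Append the event and evaluate every rule that watches its function."""
        self.events.append(event)
        for rule in self.rules:
            if rule.function != event.function:
                continue
            calls = self._recent[(event.user, rule.function)]
            calls.append(event.ts)
            while calls and event.ts - calls[0] > rule.window:  # drop calls outside the window
                calls.popleft()
            if len(calls) > rule.max_calls:
                self.respond(rule, event)

    def respond(self, rule, event):
        """Response from the slide: lock the user AND tag the user for review."""
        self.locked.add(event.user)
        self.review_queue.append((event.user, rule.name, event.ts))

    def is_locked(self, user):
        return user in self.locked


def business_event(monitor, name):
    """Decorator: emit an Event for every call, then deny the call if the
    caller is (or has just become) locked. The call that trips the rule is
    therefore itself denied."""
    def deco(fn):
        @wraps(fn)
        def wrapper(ctx, *args, **kwargs):
            monitor.record(Event(ctx["ts"], ctx["user"], ctx["ip"], name,
                                 {"args": args, **kwargs}))
            if monitor.is_locked(ctx["user"]):
                raise PermissionError(f"account {ctx['user']} is locked")
            return fn(ctx, *args, **kwargs)
        return wrapper
    return deco


def run_sample(calls):
    """Build a fresh monitor, instrument the two functions from the slide,
    replay a list of (ts, user, ip, function, target) and return
    (per-call outcome list, monitor)."""
    monitor = Monitor([
        Rule("impersonation-abuse", "impersonate_user", max_calls=3, window=60),
        Rule("token-generation-abuse", "generate_token", max_calls=5, window=60),
    ])

    @business_event(monitor, "impersonate_user")
    def impersonate_user(ctx, target):        # (a) on the slide; body is a stand-in
        return f"session-as-{target}"

    @business_event(monitor, "generate_token")
    def generate_token(ctx, target):          # (b) on the slide; body is a stand-in
        return f"token-for-{target}"

    handlers = {"impersonate_user": impersonate_user, "generate_token": generate_token}
    outcomes = []
    for ts, user, ip, fn, target in calls:
        try:
            handlers[fn]({"ts": ts, "user": user, "ip": ip}, target)
            outcomes.append("ok")
        except PermissionError:
            outcomes.append("denied")
    return outcomes, monitor


SAMPLE = [  # constructed traffic: one normal support agent, one abusive account
    (0, "support-alice", "10.0.0.5", "impersonate_user", "u1"),
    (1, "support-alice", "10.0.0.5", "generate_token", "u1"),
    (5, "attacker", "203.0.113.7", "impersonate_user", "u100"),
    (6, "attacker", "203.0.113.7", "impersonate_user", "u101"),
    (7, "attacker", "203.0.113.7", "impersonate_user", "u102"),
    (8, "attacker", "203.0.113.7", "impersonate_user", "u103"),  # 4th in 60 s: rule trips
    (9, "attacker", "203.0.113.7", "generate_token", "u103"),    # denied: account is locked
    (70, "support-alice", "10.0.0.5", "impersonate_user", "u2"),
]

if __name__ == "__main__":
    outcomes, mon = run_sample(SAMPLE)
    print(outcomes)
    print("locked:", sorted(mon.locked), "review:", mon.review_queue)
```

The rule is evaluated per `(user, function)` so the slide's "OR" is simply two rules sharing one response; the same event stream (timestamp, user, IP, function, context) is what a sequence check on "successive actions performed by a given user" would read, the difference being only that such a rule would look at the order of `function` values rather than their count.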