Attacker Profile Page
You can click on an attacker's given name to navigate to that Attacker's Profile page.
Figure 103: Attacker Profile

The Attacker Profile page displays any information that pertains to a particular attacker. At the top of the page you will see the Attacker Card, which contains a short overview of the profile. This card contains the attacker's assigned name, last IP used, the first and last date the attacker was active, and the Public ID of the attacker, for use with the Support Processor in unblocking that profile. On the right side of the card there is a threat gauge that indicates the current threat of that attacker, where green, yellow, and red indicate low, medium, and high threat, respectively. The severity icons are displayed as follows:
- 0.0 - None (no icon)
- 1.0 - Suspicious
- 2.0 - Low
- 3.0 - Medium
- 4.0 - High
Available on the right side of the Attacker Profile page is a quick Actions box, where you can rapidly perform various profile-related functions such as blocking the attacker, warning the user, editing the profile, and deleting the profile.
Note: Deleting the profile will essentially erase all information gathered on that attacker, and will effectively remove all blocks or other responses on that profile.
Underneath the attacker card and quick actions box is a series of tabs, where all of the attacker's specific activity information resides.
Incidents tab– The Incidents tab contains a list of all incidents triggered by that attacker. The Incident name, complexity, count, and first and last time triggered are all available for each item in the list. Additionally, you can click the Details icon (the eye) to view more information about any particular incident.
Responses tab– The Responses tab contains information relating to all of the active and inactive responses issued to that attacker. Each entry contains the actual name of the response issued, the configuration (if any) used when issuing the response, the time the response was created, the delay set (if any), the duration of the response, and the time the response was finally deactivated (if it has been deactivated).
If the response is active, you can click the Deactivate Response icon (the stop sign under Actions) to deactivate the response instantly. Alternatively, you can click the Deactivate Selected button or, to deactivate all responses, click the Deactivate All button.
Figure 104: Responses tab - Deactivate

It is in this tab that you can manually activate Counter Responses on the current attacker. The available counter responses are:
- Block User: To block the user from accessing the protected application completely, you can activate the Block User counter response. The next time the attacker tries to visit any page on the application, they will see a configurable message indicating they have been blocked from accessing the content. If the Support Processor is enabled, they are also given their Public ID (also shown on the Attacker Profile page for that profile) that they can give to support if they feel the block was in error.
- Filter on SRX series: For more information on what this counter response does, see SRX Series Integration. In short, it feeds a message to an SRX series device that can handle traffic at the network level.
  Note: This counter response can be activated without configuring an external network device, but it will not do anything. WebApp Secure requires a properly configured external device for this counter response to function properly.
- Break Authentication: Hashes any incoming passwords during login attempts, effectively thwarting brute-force attacks even when they submit correct credentials. Even with the correct password, the login will be unsuccessful.
- Cloppy: Activating this counter response will activate an animated paper clip that intimidates the user with configurable messages. For information on how to customize this response, see the Cloppy Processor in the Processor Reference section.
- Force Captcha Validation: The user will be prompted with a Captcha that has to be solved to continue using the website.
- Google Map: The user will be shown a map of lawyers near their determined location. The search term fed into Google Maps can be configured; see the Google Map Processor in the Processor Reference section.
- Inject Header: The suspected hacker's requests will have a custom header injected into them, which is useful for tracking.
- Logout User: Terminates any current user sessions for this profile on a site.
- Slow Connection: The user's requests to the site will be delayed by a configurable window of milliseconds. This can frustrate the attacker and cause them to abandon their future attacks. This response can take a <config/> node with 'min' and 'max' parameters; for example, <config min=1000 max=5000 /> will slow the attacker's requests by 1 to 5 seconds.
- Strip Inputs: If you suspect the attacker's inputs shouldn't be trusted (such as those inputs submitted in forms on the site), you can choose to activate this response, which will strip them from all incoming requests. This will also strip any query parameters from the request URL.
- Warn User: The next request sent by the attacker will respond with a pop-up warning message that lets the attacker know he/she is being watched. The warning message can be configured; see the Warning Processor in the Processor Reference section.
Sessions tab– Consecutive requests might be grouped together and are viewable through the Sessions tab. Each entry in this tab contains the Remote Address used during the session (the IP), the Browser and Operating System used during the session, the number of Requests made and Pages returned during that session, the number of Errors generated by the server in response to requests in that session, as well as the First and Last Active times. You can also click on the Details icon (the eye) to view more information about any particular session.
Locations tab– The Locations tab contains a list of all locations used by the attacker. For each location, you are able to see the Remote Address (IP) associated with that location, the City, Region, and Country associated with the location (if they can be found), and the First and Last Active times for the location. Depending on the location, you might also be able to load a map showing that location (if it can be determined) by clicking on the Map icon. You can also click on the Details icon (the eye) to view more information on any particular location, including all other attackers that were found to be using the same location, and other Incidents, Sessions, or Environments used in conjunction with that location.
Environments tab– If WebApp Secure can determine the attacker was using a specific Browser and Operating System combination, an entry in the Environments tab will be added. Each entry contains the Browser and Operating System used, along with the full User Agent string and First and Last Active dates. If you want to find other attackers that used the same Environment, click on the magnifying glass icon. This will bring you to a page where you can see other Attackers that used this Environment, Incidents produced with this Environment, Sessions found that were using this Environment, and Locations that used this Environment.