Triggerfish: the security solution for your web app
Do you really know what’s going on with your web app?
Can you be sure no one is trying to attack your site?
Can you easily view and manage your application errors?
Are you sure you haven’t missed any security flaws?
Triggerfish detects and blocks attack attempts, finds security vulnerabilities, and collect application errors on your web app. It doesn’t just respond to obvious attack attempts, it can also detect if someone is behaving suspiciously. It’s like the monitoring system at a casino; your firewall is a security perimeter that keeps unauthorized entities out of the building. Triggerfish is a monitoring system that has an alert that goes off when it seems like someone is trying to cheat or manipulate the game. With Triggerfish, you can concentrate on your core business and entrust your web app security to us!
Triggerfish discovers attack attempts that are made against your web app. It’s designed to detect the majority of hacking techniques and can tell if users try to hide behind services that make them anonymous, such as TOR. With sophisticated browser fingerprint matching, Triggerfish is able to correlate anonymous and non-anonymous users, which helps to detect visitors with malicious intentions.
Companies often have strict processes to test the security of their web apps, but due to lack of time and knowledge, there is always the risk that security flaws will fall through to the customer’s production environment. This can be the security flaw an attacker exploits to take over your web app. Using Triggerfish as a passive, on-going penetration test, Triggerfish will detect these security flaws and alert you.
Application errors will occur in your web app sooner or later because of latent bugs or external services going down. Triggerfish collects all your unhandled application errors along with the context (e.g., message, stack trace, or HTTP request) required to understand them. It only presents you with one item per root problem by smart grouping, thereby giving you a helpful and actionable overview.
What does Triggerfish detect?
This is another one of the most common and serious hacking techniques used today. Also known as XSS, cross-site scripting enables attackers to inject client-side scripts that are then executed by other users. Attackers can use it to steal cookies (and thereby sessions and user accounts) or embed malicious code to attack your visitors’ computers.
This is the most common hacking technique used by attackers to steal data from companies and organizations. Roughly 60 percentages of all successful breaches involve SQL injections.
Attackers can take advantage of improper programming in your web app to inject SQL queries – for example, through a login form – to escalate privileges or get complete access to a database.
Companies often have strict processes to test the security of their web apps, but due to lack of time and knowledge, there is always the risk that security flaws will fall through to the customer’s production environment. This can be the security flaw an attacker exploits to take over your web app. Using Triggerfish as a passive, on-going penetration test, Triggerfish will detect these security flaws and alert you when needed.
A vulnerability scanner is a program or automated tool designed to scan web apps and look for security vulnerabilities. There are a number of different vulnerability scanners available today, and Triggerfish is designed to detect these tools before an attacker can exploit the vulnerabilities found.
Directory traversal is a technique attackers use to access restricted files without having authorization. If a directory traversal attempt is successful, the hacker can view restricted files and get configuration data, credentials, encryption keys, certificates, source code and even execute server-side commands.
Faked web browser
Attackers often fake legitimate behaviour to avoid detection. Faking a web browser is one way to do this, making it possible for a malicious script to look like a completely normal web browser and thereby lower suspicion. Triggerfish validates requests to see if they really are from the web browser they claim to be.
Blacklisted IP addresses
It is likely that an attacker has tried to attack other web apps before attacking yours. Triggerfish has a database of IP addresses that are known to belong to attackers and informs you if any of these target your web app.
Unhandled application errors
Application errors will occur in your web app sooner or later because of latent bugs or external services going down. Triggerfish collects all your unhandled applications errors together with the context (e.g., message, stack trace, or HTTP request) required to understand them. It only presents you with one item per root problem by smart grouping, thereby giving you a helpful and actionable overview.
Brute force attempts of login
Many repetitions of similar requests in a short period of time to a web app is often a good indicator that someone is trying to manipulate the site or attempting to carry out an attack. Brute force attempts to login can be a good example of this. Triggerfish will detect this type of behaviour and block the attacker from any further action.
Mass registration of accounts
Many repetitions of similar requests in a short period of time to a web app is often a good indicator that someone is trying to manipulate the site or attempting to carry out an attack. Registering new accounts can be a good example of this. Triggerfish will detect this type of behaviour and block the attacker from any further action.
Users carrying out an attack
Triggerfish will record the username, IP address, and web browser fingerprint involved in every attack attempt that is made, making it possible to get a good picture of the attacker’s activity to understand the intent of the attack and how the attack was executed.
When attackers perform an attack attempt, they often use anonymization services. There are a variety of anonymization services used, and Triggerfish will detect attackers’ addresses if they attempt to do this.
Multiple passes of encoding
Some applications encode and decode request parameters multiple times. Triggerfish checks for suspicious input at every level of encoding, thereby removing the threat of a common IDS evasion technique. While multiple encoding is harmless by itself, it is a common vector for vulnerabilities.
Rule evasion by control characters
It is common for an attacker to try to bypass security rules by sending control characters that interfere with the rules – for example, by sending null bytes or overlong UTF-8 encodings. This is a strong indication of an intrusion, and Triggerfish detects this type of behaviour.
- Cross-site Scripting
- SQL injection
- Security vulnerabilities
- Vulnerability scanners
- Directory traversal
- Faked web browser
- Blacklisted IP addresses
- Unhandled application errors
- Brute force attempts of login
- Mass registration of accounts
- Users carrying out an attack
- Anonymous users
- Multiple passes of encoding
- Control characters
Triggerfish blocks attacks and notifies you
when your site has been attacked
With the sophisticated blocking capabilities and notifications provided by Triggerfish, you won’t have to stay awake at night worrying about getting hacked. Focus on your core business and let Triggerfish block attack attempts and notify you when something suspicious happens.
With its blocking functionality, Triggerfish can stop attack attempts before reaching your web app. Triggerfish has the ability to block in three different ways: through IP addresses, requests, or by blocking a specific user. For example, Triggerfish can block brute force attempts and different types of scanning attempts. With sophisticated and advanced blocking techniques, Triggerfish knows the difference between normal and malicious behaviours, which prevents the blocking of normal user mistakes or legitimate traffic.
With its notifications, you don’t have to constantly monitor results. Triggerfish will not create more workload for our customers; you will be notified directly when something suspect happens on your web app. For example, Triggerfish can notify you when someone is trying to carry out a severe attack attempt, if new security flaws are detected, or if an abnormally high number of application errors are detected.
Easy customization for detecting abnormal traffic
Abnormal traffic to a web app is often a good indicator that someone is trying to manipulate the site or is attempting to carry out an attack, especially when someone is
completing many repetitions in a short period of time. Triggerfish will detect this behaviour, stopping attackers and automated attacks from reaching your web app. You
can easily customize Triggerfish to meet all the needs of your business and your web app.
With the customization options on Triggerfish, you can see if someone is logging in/out, submitting orders, or registering new accounts several times in a short period of time. It is also possible to add both notifications and blocking to this behaviour. The results are shown in a list through the Triggerfish reporting tool.
Triggerfish's reporting tool
Digifort has developed a comprehensive, easy-to-understand, and intuitive reporting tool that allows you to access the information detected by Triggerfish. The tool is divided into two parts, an executive part and a technical part, where it is possible to inspect and view the collected information in detail.
With our reporting tool, you can simply and easily:
- Trace detected attack attempts that have been stopped.
- View a list of detected vulnerabilities found on your web app.
- Get a list of abnormal traffic to your web app.
- Retrieve detailed information about application errors on your web app.
- Get detailed information about anonymous and blacklisted users
You can easily sort the data in various ways, such as by attack type, country of origin, IP address, application error, date and time interval, or activity by a specific user.
How Triggerfish works
Triggerfish is not a separate system in front of your server; it's a library you link into your web app. We call this new kind of solution:
"web app security as a library".
This design enables Triggerfish to collect application errors and attackers usernames as well register application events like logins, logouts, account registrations or orders. All web apps are different; that's why we have made it possible for our users to easily register their own events that are specific to their web app's needs and demands. Using Triggerfish’s public API you will easily catch deviations with your own custom rules.
Being behind – instead of in front of – your web app's HTTP layer also means that Triggerfish uses the same request interpretation, thereby removing the risk of protocol-level evasions.
What Triggerfish's users say
Our typical customer has a high-performing app with lots of user data where it is possible to interact with company-specific information. Normally, they have their entire business on their web app, and their users are demanding a high level of security – for example, e-commerce companies, online gaming companies, logistics companies with web-based booking, municipalities with webmail, government unions with member pages, and power companies or alarm companies with "my pages". Here are reviews from some of our customers:
"Triggerfish has helped us become much more aware of what is happening on our web app. Previously, we have closed our eyes because we didn’t want to face the reality. With the help of Triggerfish's insight of our web app, we now have a much more secure, robust and user-friendly e-commerce site."
"With Triggerfish, we have developed processes to daily improve security and reduce our application error. We can easily and quickly obtain information about new application errors that arise and get information on how to prioritize them. We have today a better understanding of the state of our site."
"Triggerfish has been able to stop a number of manual attack attempts that could have had devastating consequences. Because our customers assume that we have a high level of security it would have been very bad for our company's reputation and goodwill if these attacks had not been stopped."
Got questions? Good – because we've got answers!
Triggerfish is compatible with .NET (including SharePoint), Java, and PHP web applications.
Sensitive information – such as credit card numbers, passwords, and session IDs – is filtered before being sent to us.
To obtain a high level of security, every customer’s reporting tool runs on an isolated virtual machine that’s integrated with a database that is not shared with other customers.
Our measurements on Triggerfish indicate that the overhead is in the order of one millisecond per request. The analysis is only CPU-bound performance-wise; there is no I/O involved.
Triggerfish is able to detect potential vulnerabilities in your web app. For example, a SQL vulnerability can be detected by a SQL syntax error with reference to non-existing columns, tables, or functions occurring in the application. If this happens while a user submits something that looks like a SQL injection attempt, you can be fairly certain that there is a SQL vulnerability on the web app.
Triggerfish is installed as a library in the client application. The library is delivered as a .NET assembly or a JAR file that provides both an HttpModule/ServletFilter that reviews all HTTP requests and a public API for so-called "triggers" that can be called from your application. Triggers can easily be added in selected locations in your source code to customize the installation for your business or web application's needs.
The price of using Triggerfish is customer specific and is based on the size of your site, the amount of traffic it gets, etc.
Contact us for pricing examples!