Investigating Web Attacks Flashcards
Web Forensic Challenges
- Web applications are generally distributed in nature
- Traces of activities are recorded across a number of hardware and software infrastructures
- Very limited or no downtime is allowed for investigation
- Huge volume of logs from different sources are analyzed and correlated
- Large databases are analyzed
- Requires complete knowledge of different web servers, application servers, databases and underlying applications
- Tracing back is difficult in case of reverse proxies and anonymizers
OWASP Web vulnerability Top 10:
The OWASP Top 10 is an awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Buffer Overflow
Occurs when an application fails to guard its buffer properly and allows writing beyond its maximum size. As a result, it overwrites the adjacent memory locations. There are multiple forms of buffer overflow, including a Heap Buffer Overflow and a Format String Attack. The purpose of these attacks is to corrupt the execution stack of the web application.
Cookie Poisoning
Refers to the modification of a cookie for bypassing security measures or gaining unauthorized information.
Insecure Storage
Sensitive information such as account records, credit card numbers, or passwords are generally stored in a database. If the developers make any mistakes while enforcing the encryption techniques on a web application or ignore the security aspects of some parts of the application, this sensitive information might be at risk. You should understand the processes used to store the data.
Information Leakage
Information leakage refers to the unintentional revelation of sensitive information to an unauthorized user.
Improper Error Handling
Occurs when a web application is unable to handle internal errors properly. In such a case, the website returns information such as database dumps, stack traces, and error codes in the form of error messages.
Broken Account Management
Refers to vulnerable account management functions, including account update, recovery of a forgotten or lost password, and password reset.
Directory Traversal
When attackers exploit HTTP by using directory traversal, they gain access to the unauthorized directories. Then, the attackers may execute commands outside the web server’s root directory.
Parameter/Form Tampering
Manipulating the communication parameters exchanged between the client and server to make changes in the application data. A man-in-the-middle (MitM) attack is one example of this type of attack.
Denial of Service (DoS)
Making the resources of the web server unavailable to clients.
Log Tampering
Web applications maintain logs to track usage patterns, such as admin and user login activity. Attackers usually inject, delete or tamper with the web application logs to engage in malicious activities or hide their identities.
Unvalidated Input
In order to bypass the security system, attackers tamper with the URL, HTTP requests, headers, hidden fields, form fields, query strings, etc. User login IDs and other related data are stored in cookies, and this becomes a source of attack. Examples of attacks caused by unvalidated input include SQL injection, cross-site scripting (XSS), buffer overflows, etc.
Injection Flaws
Attackers inject malicious code, commands or scripts into the input gates of flawed web applications in such a way that the applications interpret and run the malicious input, which in turn allows them to extract sensitive information.
Cross Site Request Forgery (CSRF)
Forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Broken Access Control
An attacker identifies a flaw related to access control and bypasses the authentication, and then compromises the network.
Insecure Direct Object References
When developers expose various internal implementation objects such as files, directories, or database records, it can result in a direct object reference that provides an attacker the ability to gain unauthorized access to system resources.
SSL/TLS Downgrade Attack
Browsers are susceptible to protocol downgrade attacks; an active MITM can simulate failure conditions and force all browsers to downgrade from attempting to negotiate TLS 1.2, making them fall back to SSL 3. At that point, a cryptographic attack could be successfully attempted, such as the POODLE attack.
Failure to Restrict URL Access
An attacker tries to bypass the website security using techniques, such as forced browsing, and gains unauthorized access to specific web pages or other data files containing sensitive information.
Cookie Snooping
An attacker using a local proxy decodes or cracks user credentials. Once the attacker gains these plain text credentials, he/she logs into the system as a legitimate user and gains access to unauthorized information.
Authentication Hijacking
Attackers try to hijack credentials using various attack techniques like sniffing, social engineering, etc. Once they obtain these credentials, they carry out malicious acts, including session hijacking, service theft, and user impersonation.
Hidden Field Manipulation
Attackers manipulate hidden fields and change the data stored in them. This sort of attack is focused on e-commerce sites.
Unvalidated Redirects and Forwards
Attackers lure the victim and make them click on unvalidated links that appear to be legitimate. Such redirects may lead to the installation of malware or trick the victims into sharing their passwords or other sensitive information.
Session Fixation Attack
The attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits those credentials at the server.
The steps involved are as follows:
1. The attacker visits the target website and logs in using his/her credentials.
2. The web server sets a session ID on the attacker’s machine.
3. The attacker sends an email containing a link with a fixed session ID to the targeted user.
4. The user clicks on the link and is redirected to the website.
5. The user logs into the server using their credentials and fixed session ID.
6. The attacker logs into the server using the victim’s credentials with the same session ID.
IIS Record Logs
IIS records logs using UTC, which helps in synchronizing servers located in multiple time zones. To calculate UTC, Windows offsets the value of the system clock by the system time zone. The administrator should also verify whether IIS is set to roll over logs using local time. The server's time zone setting can be verified by looking at the first entries in the log file: if the server is set to UTC -08:00, then the first log entries should appear around 16:00 (00:00 - 08:00 = 16:00). Because UTC does not observe daylight saving time, the administrator must also consider the date. For example, a UTC -8:00 offset will be -7:00 for half the year.
Web Architecture Layer
Client/User
Web Server
Business
Database
Client/User Layer
Includes all the web appliances, such as smartphones and PCs, through which a user interacts with a web application deployed on a web server. The user requests a website by entering a URL in the web browser, and the request traverses to the web server. The web server responds to the request, and the web browser displays the response in the form of a website.
Web Server Layer
Contains components that parse the requests (HTTP Request Parser) coming from the clients and forward the responses to them. It holds all the business logic and databases that are responsible for building websites and storing their data. Examples: IIS Web Server, Apache Web Server, etc. In some cases, users access the application through the presentation layer, which serves as an intermediary between the user and the web server. This layer includes the user interface components. The presentation layer is not an absolute requirement, and the client layer can interact directly with the service layer.
Business Layer
Is responsible for the core functioning of the system and includes the business logic and application frameworks, such as .NET, that developers use to build websites according to the clients' requirements. This layer may also hold a legacy application, an older system integrated as an internal or external component.
Database Layer
Comprises cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization's production data in a structured form. Examples: MS SQL Server, MySQL Server, etc.
IIS Web Server Architecture
Internet Information Server (IIS), a Microsoft-developed application, is a Visual Basic code application that lives on a Web server and responds to requests from the browser. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. An IIS application uses HTML to present its user interface and uses compiled Visual Basic code to process the requests and respond to events in the browser. IIS for Windows Server is a flexible and easy-to-manage Web server for web hosting.
IIS Components
Protocol listeners (HTTP.sys)
Web services, such as the World Wide Web Publishing Service (WWW service)
Windows Process Activation Service (WAS)
IIS Component Responsibilities
Listening to the requests coming from the server
Managing processes
Reading configuration file
Where are IIS Logs stored for Win 2012
On Windows Server 2012, the log files are stored by default under %SystemDrive%\inetpub\logs\LogFile.
Apache Core Components
The Apache Core
The Apache Modules
What does the Apache Core do?
Deals with all the basic functionalities of the server, such as allocating requests, maintaining and pooling connections.
What does the Apache Module do?
Simple Add-Ons
What are the elements of the Apache Core?
http_protocol: This element is responsible for managing the routines that interact with the client and takes care of all the data exchange and socket connections between the client and the server.
http_main: This element handles the server startups and timeouts. It also consists of the main server loop that waits for the connections and accepts them.
http_request: This element controls the step by step procedure involved between the modules to complete a client request and is also responsible for error handling.
http_core: This element is hardly functional enough to serve documents.
Alloc.c: This element handles the allocation of resource pools.
http_config: This element is responsible for reading and handling the configuration files. One of the main tasks of http_config is that it arranges all the modules, which the server will call during various phases of the request handling.
Common Apache Log Format
%h %l %u %t "%r" %>s %b is the common percent directive log format.
%h represents the client’s IP address
%l represents the remote log name. This will return a dash unless mod_ident is present and IdentityCheck is set to On.
%u is the client user ID
%t represents the time when the server received the request. It is displayed in the format [day/month/year:hour:minute:second zone]
"%r" indicates the methods used for a request-response between a client and server, the resource requested by a client (apache_pb.gif), and the protocol used (HTTP/1.0)
%>s represents the status code which the server sends back to the client
%b represents the size of the object which the server sends to the client
What are the two types of Apache logs?
Error
Access
Apache Error Logs
The Apache error log is the location where the server records all the errors that occurred while processing client requests. The ErrorLog directive sets the location of the error log. The log file contains data pertaining to issues in the server's startup and operation. It also stores information related to the reason behind an issue and the steps involved in resolving it. Investigators can use Linux tools such as grep, cat, gedit or vi to read these log files.
The default location of error logs:
RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/error_log
Debian/Ubuntu Linux: /var/log/apache2/error.log
FreeBSD: /var/log/httpd-error.log
Apache Access Logs
Requests processed by the Apache server are recorded in the access log. It has a record of every request that goes through the server. The LogFormat directive selects the contents to be logged, and the CustomLog directive sets the location and format of the access log; together they configure the server to maintain access log records. The access logs are stored in the Common Log Format by default and are highly configurable.
The default location of access logs:
RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/access_log
Debian/Ubuntu Linux: /var/log/apache2/access.log
FreeBSD: /var/log/httpd-access.log
Check the following locations for Apache configuration file to find the exact location of the log files:
RHEL/Red Hat/CentOS/Fedora Linux: /usr/local/etc/apache22/httpd.conf
Debian/Ubuntu Linux: /etc/apache2/apache2.conf
FreeBSD: /etc/httpd/conf/httpd.conf
Apache Access Log/Common Log Format Example:
10.10.10.10 - jason [17/Aug/2016:00:12:34 +0300] "GET /images/content/bg_body_1.jpg HTTP/1.0" 200 1458
- 10.10.10.10 (%h): IP address of the client/remote host
- - (%l): The remote log name is not available, so a dash is recorded
- jason (%u): User ID of the person who sent the request
- [17/Aug/2016:00:12:34 +0300] (%t): The time at which the server finished processing the request. The +0300 offset (UTC+3) corresponds to the East Africa Time zone.
- "GET /images/content/bg_body_1.jpg HTTP/1.0" ("%r"): The client used the GET request method and requested the resource /images/content/bg_body_1.jpg using the HTTP/1.0 protocol.
- 200 (%>s): The status code indicates that the response was successful
- 1458 (%b): The server returned an object of 1458 bytes to the client
Apache Error Log example:
[Mon Sep 16 14:25:33.812856 2016] [core:error] [pid 12485:tid 8589745621] [client 10.10.255.14] File does not exist: /images/content/bg_body_1.jpg
Anatomy of the Log:
Mon Sep 16 14:25:33.812856 2016
This is the first element in the log entry. It contains the timestamp (day, month, date, time, and year) of the log.
core:error
The second element in the log describes the module producing the message (the Apache core) and the severity level of the message (error).
pid 12485:tid 8589745621
The next element in the log contains the process ID and its corresponding thread ID.
client 10.10.255.14
The fourth element in the log is the address of the client that made the request.
File does not exist: /images/content/bg_body_1.jpg
The final element in the log is the message itself, describing the status of the file the client requested. In this case the file does not exist on the server, so an error message stating that was logged.
Code with char encoding
http://www.bank.com/accounts.php?id=1%252f%252a/union%252f%252a /select%252f%252a/1,2,3%252f%252a/from%252f%252a/users–
Deep Log Analyzer
The Deep Log Analyzer is a web analytics solution for small and medium size websites. It analyzes web site visitors’ behavior and gets the complete website usage statistics in easy steps.
WebLog Expert
WebLog Expert is an access log analyzer which provides information about the site’s visitors: activity statistics, accessed files, paths through the site, information about referring pages, search engines, browsers, operating systems, etc. The program generates reports that include both text information tables and charts.
Apache Logs Viewer (ALV)
Apache Logs Viewer (ALV) enables you to view, monitor, and analyze the Apache/IIS/nginx logs.
AWStats
AWStats is a graphical tool that generates the web, streaming, ftp or mail server statistics. This log analyzer works as a CGI or from the command line and shows all possible information your log contains.
Nagios Log Server
Nagios Log Server is a Centralized Log Management, Monitoring and Analysis Software. It simplifies the process of searching your log data. It sets up alerts to notify you when potential threats arise or simply query your log data to audit any system. Here, all log data are present in one location.
Splunk
Splunk Enterprise helps collect, analyze and act upon the untapped value of the big data generated by an organization's technology infrastructure, security systems, and business applications, giving insights that drive operational performance and business results.
Web Log Storming
Web Log Storming is a web server log file analyzer (IIS, Apache, and Nginx) for Windows.
LogCruncher
LogCruncher is a tool for analysis and data visualization of web server log files. It allows the user to see and understand the website analytics based on key metrics.
GoAccess
GoAccess is an open source real-time web log analyzer and interactive viewer that runs in a terminal in *nix systems or through your browser. It provides HTTP statistics for system administrators that require a visual server report.
HTTP-ANALYZE
The http-analyze is a log file analyzer for web servers. It runs on any platform conforming to the ANSI C and POSIX standards ranging from personal computers to high-performance systems.
Active LogView
Active LogView is a log analysis program that provides analysis of total requests, unique visits, advanced referrers list, hourly summary, user agents list, OS list, advanced filtration, advanced search and more.
Webalizer
The Webalizer is a web server log file analysis program. It produces detailed, configurable usage reports in HTML format for viewing with a standard web browser.
SmartWhois
SmartWhois is a network information utility that allows you to look up all the available information about an IP address, hostname or domain: the name of the network provider, the administrator, and technical support contact information. It supports Internationalized Domain Names (IDNs) and also fully supports IPv6 addresses.
ActiveWhois
ActiveWhois is a network tool for Windows used to find information about the owners of an IP address or Internet domain. You can determine the country, personal and postal addresses of the owner and user of an IP address or domain. ActiveWhois also allows users to explore DNS aliases.