Module 9: Investigating Web Attacks

Apache Log Parameters

- %l: represents the remote log name. The latter returns a dash unless mod_ident is present and IdentityCheck is enabled. - %h: represents the client's IP address. - %u: is the client user ID. - %t: represents the time when the server received the request in the following format: [day/month/year:hour:minute:second zone].

Regex Searches

- /((\%3C)|<)[^\n]+((\%3E)|>)/I: Paranoid Regex for CSS Attacks - /((\%3C)|<)((\%2F)|\/)*[a-ZA-Z0-9\%]+((\%3E)|(\%253E)|>)/ix: Regex for Detecting Simple XSS Attack - /((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I: Regex for Detecting "<img src" XSS Attack - /(javascript|vbscript|script|embed|object|iframe|frameset)/i: Regex for HTML Tags-Based XSS Attempt.

IDS

- A security software or hardware device that inspects ALL inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach - Checks traffic for signatures that match known intrusion patterns and raises an alarm when a match is found - Depending on the traffic to be monitored, the IDS is placed outside/inside the firewall to monitor suspicious traffic originating from outside/inside the network

Apache Web Server Logs

- Access log: Generally records all the requests processed by the Apache web server - Error log: Contains diagnostic information and errors that the server faced while processing requests - RHEL/Red Hat/CentOS/Fedora Linux: /usr/local/etc/apache22/httpd.conf - Debian/Ubuntu Linux: /etc/apache2/apache2.conf - FreeBSD: /etc/httpd/conf/httpd.conf - Provide info about web application activities such as: IP address of client Ident of the client machine User ID of the client Time request line from client Status code Size of the object returned to the client

Web Attack Investigation Methodology

- Conduct individual interviews to obtain information on a security attack targeting any web application - Locate the servers or other devices that are involved in the security attack, take them offline, and perform seizure in a forensically sound manner - Follow the process of forensic image acquisition and duplication - Collect logs from the web server, application server, database server, web application firewall, local system events, SIEM tool, and IDS, along with application and server configuration files - Use encryption and checksum to verify and protect the integrity of log files - Analyze the working copies of collected logs to look for suspicious entries and correlate the data to build a chain of events unfolding the whole attack scenario - Trace the attacking IP to identify the perp of the attack (attackers often use proxies and anonymizers to hide their identity) - Document every step of the investigation

Apache Access Logs

- Contains requests processed by the Apache server - The default locations of access logs are: RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/access_log Debian/Ubuntu Linux: /var/log/apache2/access.log FreeBSD Linux: /var/log/httpd-access.log

Web Application Threats

- Cookie Poisoning - SQL Injection - Injection Flaws - Cross-site Request Forgery - Directory Traversal - Unvalidated Input - Cross-site Scripting (XSS) - Sensitive Data Exposure - Parameter/Form Tampering - DoS - Broken Access Control - Security Misconfiguration - Information Leakage - Improper Error Handling - Buffer Overflow - Insufficient Logging and Monitoring - Broken Authentication - Log Tampering

Indicators of a Web Attack

- Customers being unable to access services - Suspicious activities in user accounts - Leakage of sensitive data URLs redirecting to incorrect sites - Web page defacements - Unusually slow network performance - Frequent rebooting of the server - Anomalies in log files - Error messages such as "internal server error", "problem processing your request", and "page not found"

Web Application Firewall (WAF)

- Deployed to inspect, filter, and block the incoming and outgoing HTTP traffic on web applications - Provides a security layer that protects web applications from malicious traffic - Either appliance-based or cloud-based, and is deployed through a proxy placed ahead of the web application - Uses a rule-based filter that monitors and analyzes the traffic before it reaches the web application - Designed to protect web applications from a range of web exploits and attacks, which include the following: SQL injection Cross-site scripting (XSS) Local file inclusion (LFI) Directory traversal attack Remote code execution (RCE) Session fixation attack

Apache Error Logs

- Diagnostic information and error messages that it encounters while processing requests in the error logs - The default locations of error logs are as follows: RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/error_log Debian/Ubuntu Linux: /var/log/apache2/error.log FreeBSD: /var/log/httpd-error.log

Challenges in Web Application Forensics

- Due to the distributed nature of web applications, traces of activities are recorded across numerous hardware and software components - Very limited or no downtime is allowed for investigation - Web application forensics requires the analysis and correlation of huge volumes of logs - It also requires complete knowledge of different web servers, application servers, databases and underlying applications - Tracing back is difficult in case of reverse proxies and anonymizers

Snort Rules

- Help in differentiating between normal internet activities and malicious activities - Written in a single line; the parser does not handle rules on multiple lines - Come with two logical parts Rule header: identifies the rule actions such as alert, log, pass, activate, and dynamic Rule options: identifies the rule's alert messages

Investigating XSS Attack

- In this type of attack, the attackers bypass the client's ID security mechanisms and gain access privileges. Subsequently, they inject the malicious scripts into specific fields in the web pages. - Investigators can use regex search to find HTML tags, other XSS signature works, and their hex equivalents in web server logs, IDS logs, WAF logs, and SIEM tool alerts to check for XSS attacks

More Web Application Threats

- Insecure Direct Object References - Insufficient Transport Layer Protection - Insecure Cryptographic Storage - Unvalidated Redirects and Forwards - Cookie Snooping - Session Fixation Attack - Authentication Hijacking - Security Management Exploits - XML External Entities - CAPTCHA Attacks - Insecure Deserialization - Failure to Restrict URL Access

Web Application Forensics

- Involves tracing back a security attack that occurred on any web application to identify its origin and how it was penetrated - Includes the collection and analysis of log and configuration files associated with the web server, application server, database server, system events, etc. to determine the cause, nature and perpetrator of a web exploit

Investigating SQL Injection Attacks

- Look for SQL Injection attack incidents in the following locations: IDS log files Web server log files WAF log files SIEM-triggered alerts - Perform regex search in the log files to look for the presence of SQL-specific meta-characters such as the single-quote, the double-dash, the equals sign, and the semi-colon as well as their hex equivalents

Investigating XML External Entity (XXE) Attack

- Look for XML input in plain text or its hex equivalents in the query string and determine whether the input is malicious

Investigating Brute Force Attack

- Look for source Ips that are generating a large number of failed logins within a short time, the account on which the attack is attempted and whether it has been successful

ModSecurity Audit Log File

- Part K: This part contains a list of rules that matched during the processing of the transaction. - Part I: This part serves as an alternative to part C and presents the request body without the files. - Part E: This part, which contains the actual transaction response body, is generated only if a transaction was intercepted by ModSecurity. - Part Z: This mandatory part marks the end of the audit log entry. - Part F: This part includes response headers that are sent to the client. It also shows the HTTP status response sent by the web server to the client. - Part B: This part includes request headers along with the request line, and it contains details on the type of request sent by the client. - Part J: This part contains information on uploaded files. - Part G: If opted for, this part includes the response body.

Investigating Path/Directory Traversal Attack

- Path or directory traversal attacks include manipulation of web application input fields with (../) sequences or their variations to refer to files or directories placed outside the root directory of the web server - Attackers can use multiple obfuscation techniques to avoid detection - While examining web server logs, IDS logs, WAF logs, or SIEM alerts for path/directory traversal attack, investigators look for query strings that include ../ sequences or their encoded variations, and identify which filename/directory has been referenced by the attacker

IIS Logs

- Provides useful information regarding the activity of various web applications, such as the client IP address, username, date and time, request type, and target of operation - The IIS server generates ASCII text-based log files - On Windows Server OSes, the log files are stored by default in %SystemDrive%\inetpub\logs\LogFiles

Regex Search for SQL Attacks

- Regular expression for detecting SQL meta-characters: /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix - Modified Regular expression for detecting SQL meta-characters: /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i - Regular expression for detecting a typical SQL injection attack: /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix - Regular expression for detecting SQL injection with the UNION keyword: /((\%27)|(\'))union/ix - Regular expression for detecting SQL injection attack on an MSSQL server: /exec(\s|\+)+(s|x)p\w+/ix

Investigating Web Attacks on Windows-based Servers

- Run Event Viewer to view the logs C:\> eventvwr.msc - Check if the following suspicious events have occurred: Event log service has ended Windows file protection is inactive on the system MS telnet service is running - Find out whether the system has failed login attempts or locked-out accounts - Review file shares to ensure their purpose Net view <IP address> - Verify the users using open sessions Net session - Check if the sessions have been opened with other systems Net use - Analyze at NetBIOS over TCP/IP activity Nbtstat -s - Find if TCP and UDP ports have unusual listening Netstat -na - Find scheduled and unscheduled tasks on the local host Schtasks.exe - Check for the creation of new accounts in the administrator group Start > Run > lusrmgr.msc > OK - Check whether any unexpected processes are running in Task Manager Start > Run > taskmgr> OK - Check for unusual network services Net start - Check file space usage to find any sudden decrease in free space Dir

How IDS Detects an Intrusion

- Signature Recognition - Anomaly Detection - Protocol Anomaly Detection

Investigating Command Injection Attack

- The command injection vulnerability allows attackers to gain complete control of the host OS running the web server, enabling them to execute system-level commands within a web application environment - While examining log files for command injection attack, investigators should look for common command injection vectors given below that help attackers attach a shell operator to an input string

Apache Core Elements

- http_main: This element handles server startups and timeouts. It also consists of the main server loop that waits for the connections and accepts them. - http_request: This element controls the stepwise procedure followed among the modules to complete a client request and is responsible for error handling. - http_core: This element includes a header file that is not required by the application module. - http_protocol: This element is responsible for managing the routines. It interacts with the client and handles all the data exchange and socket connections between the client and server.

Example of an IIS Log Entry

2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body_1.jpg - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537.36 http://www.moviescope.com/css/style.css 200 0 0 365 In the above entry: - 2019-12-12 06:11:41: This shows the date and time when the log file entry was recorded - 192.168.0.10: This shows the server IP address - GET: This is the cs-method field indicating that the user issued a GET request or download command - /images/content/bg_body_1.jpg: This is the cs-uri-stem field indicating that the user wanted to download the bg_body_1.jpg file from the Images folder - §-: This denotes to the cs-uri-query field. A "hyphen" here indicates that the URI query did not occur - 80: This shows the server port - §-: This is the cs-username field. A "hyphen" here indicates that the user was anonymous - 192.168.0.27: This shows the IP address of the client - Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537- .36: This is the cs(User-Agent) field showing the browser details used by the client - http://www.moviescope.com/css/style.css: This is the cs(Referer) field showing webpage that provided the link to the website - 200: This denotes the sc-status field. Status code 200 indicates that the request was fulfilled without error - 365: This indicates the time-taken field. In the example log entry, the action was completed in 365 milliseconds

Example of an IIS Log Entry 2

2019-12-12 06:11:41 192.168.0.10 GET /images/content/bg_body_1.jpg - 80 - 192.168.0.27 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537.36 http://www.moviescope.com/css/style.css 200 0 0 365 In the above entry: - 2019-12-12 06:11:41: This shows the date and time when the log file entry was recorded - 192.168.0.10: This shows the server IP address - GET: This is the cs-method field indicating that the user issued a GET request or download command - /images/content/bg_body_1.jpg: This is the cs-uri-stem field indicating that the user wanted to download the bg_body_1.jpg file from the Images folder - §-: This denotes to the cs-uri-query field. A "hyphen" here indicates that the URI query did not occur - 80: This shows the server port - §-: This is the cs-username field. A "hyphen" here indicates that the user was anonymous - 192.168.0.27: This shows the IP address of the client - Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/48.0.2564.103+Safari/537.36: This is the cs(User-Agent) field showing the browser details used by the client - http://www.moviescope.com/css/style.css: This is the cs(Referer) field showing webpage that provided the link to the website - 200: This denotes the sc-status field. Status code 200 indicates that the request was fulfilled without error. - 365: This indicates the time-taken field. In the example log entry, the action was completed in 365 milliseconds

Cookie Snooping

By using a local proxy, an attacker can decode or crack user credentials. Once the attacker gains these plaintext credentials, they log into the system as a legitimate user and gain access to unauthorized information.

ModSecurity debug log levels

Description 0 -> No Logging 1 -> Errors 2 -> Warning 3 -> Notice 4 -> Information on how transactions are managed 5 ->More detailed 6 -> Logging everything

Tailgating

Implies accessing a building or secured area without the consent of the authorized person. It is the act of following an authorized person through a secure entrance, as a polite user would open and hold the door for those following them.

Unvalidated Redirects and Forwards

In this type of attack, the attackers lure the victim and make them click on unvalidated links that appear legitimate. Such redirects may lead to the installation of malware or trick the victims into sharing their passwords or other sensitive information.

Dumpster Diving

Looking for treasure in someone else's trash.

Insecure Deserialization

Serialization and deserialization are effective processes that enable data structures to be stored or transmitted to other locations, such as networks or systems, while preserving the state of the object.

Attack Vector

The path or means by which an attacker can gain access to computer or network resources in order to deliver an attack payload or cause a malicious outcome

Piggybacking

The process of connecting to a wireless network without the permission of the owner of the network.

Session Fixation Attack Steps

The steps involved in this attack are as follows: 1. The attacker visits the bank website and logs in using his credentials 2. The web server sets a session ID on the attacker's machine 3. The attacker sends an email to the victim that contains a link with a fixed session ID 4. The victim clicks the link and is redirected to the bank website 5. The victim logs into the server using their credentials and fixed session ID 6. The attacker logs into the server using the victim's credentials with the same session ID