
SANS ISC: Why don't we see more examples of web app attacks via POST? SANS ISC InfoSec Forums

Why don't we see more examples of web app attacks via POST?

Was just browsing my web logs again, and came across this stupid little SQL injection attempt:

GET //diary.html?storyid=3063//////////////-999.9+union+select+0-- HTTP/1.1

There were more like it. The reason I call this "stupid and simple" is that it probably didn't even work if I was vulnerable (mysql at least requires a space after the comment). So I was looking for other attempts (I found a few) but they had similar elemental mistakes, or used well known "bad" user agents that are frequently blocked (Firefox 3.5.9 ?! Really?)

So I was wondering: Why don't I ever see "better" attacks? One issue may be that web logs usually don't capture the "POST" request data. If you capture it at all, you capture it using a WAF or IDS if the request was suspect. Also, capturing full posts presents other problems. The data could be quite large, and may contain personal data that had better not be logged (usernames and passwords).

Anybody got a good way of logging "sanitized" POST requests?


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3693 Posts
ISC Handler
Hello,

Indeed, in nearly every forensic case regarding web incidents I had to approach, logging was limited to GET requests.

The 3 main reasons appear to be: missing knowledge, laziness and memory issues (sometimes explained as performance issues).

Regards,

Marc
MarcRuef

2 Posts
Hello,
capturing POST requests can indeed be a problem if you run a website storing sensitive user information.

Another way raw request logging can be done, for Apache users, is to set up the mod_security module to log POST requests in the audit log. If you don't want to log everything, mod_security allows you to define filters for the kind of requests you want to log. As you mentioned, you may want to avoid logging requests to specific pages, or those containing certain keywords (e.g., 'password'). This can be done with this extension.

If you're interested in a study that used this kind of information (logging of full raw HTTP requests) as a starting point to understand how and why web attacks are carried out, you can have a look at the paper we published at NDSS this year: "Behind The Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web" (http://www.s3.eurecom.fr/docs/ndss13_canali.pdf)

Regards,

Davide
MarcRuef
1 Posts
ModSecurity (http://www.modsecurity.org/) has this functionality and at the right price too!

sanitiseArg - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseArg
sanitiseMatched - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatched
sanitiseMatchedBytes - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatchedBytes
sanitiseRequestHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseRequestHeader
sanitiseResponseHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseResponseHeader
MarcRuef
2 Posts
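As an added illustration of the "sanitized" POST logging asked about at the top of the thread and of the filter-by-page / mask-by-keyword approach the mod_security replies describe (example code written for this page, not from any poster and not ModSecurity's own implementation), here is a small WSGI middleware in Python that logs form-encoded bodies with sensitive fields masked, skips configured paths, and caps the logged size. The field names, excluded paths and size cap are assumed policy values to be tuned per site.

```python
import io
import logging
from urllib.parse import parse_qsl, urlencode

# Assumed policy values (illustrative, not from the thread): tune them per site.
SENSITIVE_KEYS = frozenset({"password", "passwd", "pwd", "token", "secret"})
EXCLUDED_PATHS = ("/login", "/account/")   # never log bodies posted to these
MAX_LOG_CHARS = 4096                       # cap so one large upload cannot bloat the log


def sanitize_form_body(body, sensitive_keys=SENSITIVE_KEYS):
    """Re-encode an x-www-form-urlencoded body with sensitive values masked.
    Decoding and re-encoding keeps any payload in the other fields intact,
    which is the part an analyst actually wants to see."""
    pairs = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
    masked = [(k, "REDACTED" if k.lower() in sensitive_keys else v) for k, v in pairs]
    return urlencode(masked)


def loggable_post(path, content_type, body):
    """Return the string to write to the log, or None when policy says skip it."""
    if any(path.startswith(p) for p in EXCLUDED_PATHS):
        return None
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        # JSON, multipart, binary: record what it was, not its content
        return "[%s body, %d bytes, not logged]" % (media_type or "unknown", len(body))
    text = sanitize_form_body(body)
    if len(text) > MAX_LOG_CHARS:
        text = text[:MAX_LOG_CHARS] + "...[truncated]"
    return text


class PostBodyLogger:
    """WSGI middleware: log the sanitized POST body, then replay it to the app."""

    def __init__(self, app, logger=None):
        self.app = app
        self.log = logger or logging.getLogger("postlog")

    def __call__(self, environ, start_response):
        if environ.get("REQUEST_METHOD") == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(body)  # the app still gets the body
            entry = loggable_post(environ.get("PATH_INFO", ""),
                                  environ.get("CONTENT_TYPE", ""), body)
            if entry is not None:
                self.log.info("POST %s %s", environ.get("PATH_INFO", ""), entry)
        return self.app(environ, start_response)
```

Wrap an application as `PostBodyLogger(app)`; multipart and JSON bodies are deliberately recorded by type and size only, since masking by field name is not meaningful for them.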
For my webserver (a modified nweb), I do see POSTs from time to time.
INFO: Addr:78.106.241.99:993
INFO: Date:Fri May 10 01:33:03 PDT 2013
:993
INFO: request:POST http://m.odnoklassniki.ru/dk?bk=GuestMain&st.cmd=main&tkn=3\711 HTTP/1.0**Host: m.odnoklassniki.ru**X-Requested-With: XMLHttpRequest**Accep\t: application/json, text/javascript, */*; q=0.01**Connection: close**Content-L\ength: 117**Content-Type: application/x-www-form-urlencoded****:993

...

INFO: Addr:67.19.128.202:2150
INFO: Date:Tue Jun 11 16:17:59 PDT 2013
:2150
INFO: request:POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%\75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D\%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6\E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6\F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%\65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1\.1**Host: X.Y.Z.Q**User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +\http://www.google.com/bot.html)**Content-Type: application/x-www-form-urlencode\d**Connection: Close**Content-Length: 263****:2150

That last is of course:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

I understand the second, but I don't quite see where the .ru author is going in the first POST.

Anonymous