Was just browsing my web logs again, and came across this stupid little SQL injection attempt:

GET //diary.html?storyid=3063//////////////-999.9+union+select+0-- HTTP/1.1

There were more like it. The reason I call this "stupid and simple" is that it probably didn't even work if I was vulnerable (mysql at least requires a space after the comment). So I was looking for other attempts (I found a few), but they had similar elemental mistakes, or used well known "bad" user agents that are frequently blocked (Firefox 3.5.9 ?! Really?)

So I was wondering: Why don't I ever see "better" attacks? One issue may be that web logs usually don't capture the "POST" request data. If you capture it at all, you capture it using a WAF or IDS if the request was suspect. Also, capturing full posts presents other problems. The data could be quite large, and may contain personal data that should better not be logged (usernames and passwords).

Anybody got a good way of logging "sanitized" POST requests?
Johannes (ISC Handler), Jul 16th 2013
Hello,

Indeed, in nearly every forensic case regarding web incidents I had to approach, logging was limited to GET requests. The 3 main reasons appear to be: missing knowledge, laziness and memory issues (sometimes explained as performance issues).

Regards,
Marc
MarcRuef, Jul 17th 2013
Hello,

Capturing POST requests can indeed be a problem if you run a website storing sensitive user information. Another way raw request logging can be done, for Apache users, is to set up the mod_security module to log POST requests in the audit log. If you don't want to log everything, mod_security allows you to define filters for the kind of requests you want to log. As you mentioned, you may want to avoid logging requests to specific pages, or those containing certain keywords (e.g., 'password'). This can be done with this extension.

If you're interested in a study that used this kind of information (logging of full raw HTTP requests) as a starting point to understand how and why web attacks are carried out, you can have a look at the paper we published at NDSS this year: "Behind The Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web" (http://www.s3.eurecom.fr/docs/ndss13_canali.pdf)

Regards,
Davide
MarcRuef, Jul 17th 2013
ModSecurity (http://www.modsecurity.org/) has this functionality, and at the right price too!

sanitiseArg - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseArg
sanitiseMatched - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatched
sanitiseMatchedBytes - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatchedBytes
sanitiseRequestHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseRequestHeader
sanitiseResponseHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseResponseHeader
MarcRuef, Jul 17th 2013
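Johannes asked for a way of logging "sanitized" POST requests, and the two replies above point at the mod_security audit log with filters and at the sanitise* actions. The configuration below puts those pieces together for an Apache vhost running ModSecurity 2.x. It is an added example written for this page, not configuration from the thread or from the ModSecurity project's documentation; the rule ids (1000-1004), the log path, the parameter and header names, and the /account/change-password path are assumptions that need to be adapted to the application. The behaviour of each action is as described in the 2.x reference manual linked above; check the resulting audit log on a test login before trusting it with production traffic.

```apache
# Added example (not from the thread): ModSecurity 2.x directives that write
# request bodies to the audit log while keeping credentials out of it.
# Rule ids, the log path and the argument/header/page names are assumptions.

SecRuleEngine        DetectionOnly      # log only, never block, while tuning
SecRequestBodyAccess On                 # without this no POST body is ever seen
SecRequestBodyLimit        1048576      # do not buffer bodies above 1 MiB
SecRequestBodyNoFilesLimit 131072       # non-file form data above 128 KiB

# Audit log: only transactions that a rule flagged or that ended in an error
# status, so routine traffic (and its bodies) is not retained at all.
SecAuditEngine            RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType           Serial
SecAuditLog               /var/log/apache2/modsec_audit.log
# A = audit header, B = request headers, I = request body without uploaded
# files, F = response headers, H = trailer with rule messages, Z = end marker.
SecAuditLogParts          ABIFHZ

# Known credential fields: the parameter name stays in the log, its value is
# replaced by asterisks. sanitiseArg needs the exact parameter name.
SecAction "id:1000,phase:2,nolog,pass,\
  sanitiseArg:password,sanitiseArg:passwd,\
  sanitiseArg:old_password,sanitiseArg:new_password"

# Any other parameter whose name looks like a secret: mask the value of
# whatever argument matched.
SecRule ARGS_NAMES "@rx (?i)(?:pass|pwd|secret|token)" \
  "id:1001,phase:2,nolog,pass,sanitiseMatched"

# Headers that carry session or basic-auth credentials.
SecAction "id:1002,phase:1,nolog,pass,\
  sanitiseRequestHeader:Authorization,sanitiseRequestHeader:Cookie"

# Card numbers embedded in any value: mask only the matched bytes, so the
# rest of the field stays readable for analysis.
SecRule ARGS "@verifyCC \d{13,16}" \
  "id:1003,phase:2,nolog,pass,sanitiseMatchedBytes"

# Pages whose requests must never reach the audit log, body or not.
SecRule REQUEST_URI "@beginsWith /account/change-password" \
  "id:1004,phase:1,nolog,pass,ctl:auditEngine=Off"
```

Two points worth keeping in mind when adapting this: sanitisation only affects what is written to the audit log, so anything copied into a separate debug log or a SecRule `logdata` string is still cleartext; and RelevantOnly means a POST whose request is not flagged by any rule and which returns 200 leaves no body in the log, which is the intended trade-off against storing every form submission.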
For my webserver (a modified nweb), I do see POSTs from time to time.

INFO: Addr:78.106.241.99:993
INFO: Date:Fri May 10 01:33:03 PDT 2013 :993
INFO: request:POST http://m.odnoklassniki.ru/dk?bk=GuestMain&st.cmd=main&tkn=3711 HTTP/1.0**Host: m.odnoklassniki.ru**X-Requested-With: XMLHttpRequest**Accept: application/json, text/javascript, */*; q=0.01**Connection: close**Content-Length: 117**Content-Type: application/x-www-form-urlencoded****:993
...
INFO: Addr:67.19.128.202:2150
INFO: Date:Tue Jun 11 16:17:59 PDT 2013 :2150
INFO: request:POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1**Host: X.Y.Z.Q**User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)**Content-Type: application/x-www-form-urlencoded**Connection: Close**Content-Length: 263****:2150

That last is of course:

/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

I understand the second, I don't quite see where the .ru author is going in the first POST.
Anonymous, Jul 24th 2013
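The decoded second request in the post above is the php-cgi argument-injection pattern: the query string, once URL-decoded, reads like a php-cgi command line, and `-d auto_prepend_file=php://input` makes the interpreter run whatever is in the POST body. That body is exactly the part a GET-only access log loses. As an added example, not from the thread, the rule below flags such a request in ModSecurity 2.x so that, with the audit engine in RelevantOnly mode, the transaction becomes relevant and its body (the PHP payload) is written to the audit log. The rule id, the msg text and the assumption that the request body settings from earlier in the thread (SecRequestBodyAccess On and an audit log with parts B and I) are already in place are mine; the regex was checked by hand against the decoded query string from the post (`-d allow_url_include=on -d ... -n`), which matches on the leading `-d`.

```apache
# Added example (not from the thread). Assumes SecRequestBodyAccess On and an
# audit log that includes the request body (SecAuditLogParts with part I).
# Rule id 1100 is arbitrary.
SecAuditEngine RelevantOnly

# php-cgi argument injection arrives as a query string that, once decoded,
# looks like a command line: "-d allow_url_include=on -d ... -n".
# QUERY_STRING is not decoded by ModSecurity, so decode it first;
# urlDecodeUni also turns '+' into a space, which is how the request in the
# post separated its arguments. The pattern wants a bare -d, -n or -s at the
# start of the query string or after whitespace, so "q=-d" does not match.
SecRule QUERY_STRING "@rx (?:^|\s)-[dns](?:\s|$)" \
  "id:1100,phase:1,t:none,t:urlDecodeUni,log,auditlog,pass,\
   msg:'php-cgi argument injection via query string',severity:CRITICAL"

# 'pass' lets the request through (useful on a honeypot, or while the engine is
# in DetectionOnly); 'log' plus 'auditlog' marks the transaction relevant, so
# the POST body that would have been executed through php://input is captured.
# Replace 'pass' with 'deny,status:403' once the rule has been validated.
```

If the front end is not php-cgi this request cannot succeed, but capturing its body is still worthwhile: it is the dropper or web shell the attacker intended to run, which is far more useful for the "why don't I see better attacks" question than the request line alone.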