Why don't we see more examples of web app attacks via POST?

Why don't we see more examples of web app attacks via POST?
Was just browsing my web logs again, and came across this stupid little SQL injection attempt: GET //diary.html?storyid=3063//////////////-999.9+union+select+0-- HTTP/1.1 There were more like it. The reason I call this "stupid and simple" is that it probably didn't even work if I was vulnerable (mysql at least requires a space after the comment). So I was looking for other attempts (I found a few) but they had similar elemental mistakes, or used well known "bad" user agents that are frequently blocked (Firefox 3.5.9 ?! Really?) So I was wondering: Why don't I see ever "better" attacks? One issue may be that web logs usually don't capture the "POST" request data. If you capture it at all, you capture it using a WAF or IDS if the request was suspect. Also, capturing full posts presents other problems. The data could be quite large, and may contain personal data that should better not be logged (usernames and passwords). Anybody got a good way of logging "sanitized" POST requests? ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019	Johannes 3481 Posts ISC Handler
Reply Subscribe	Jul 16th 2013 5 years ago
Hello, Indeed, in nearly every forensic case regarding web incidents I had to approach, logging was limited to GET requests. The 3 main reasons appear to be: Missing knowledge, laziness and memory issue (sometimes explained as performance issues). Regards, Marc	MarcRuef 2 Posts
Reply Quote	Jul 17th 2013 5 years ago
Hello, capturing POST requests can be indeed a problem if you run a website storing sensitive user information. Another way raw request logging can be done, for Apache users, is to set up the mod_security module to log POST requests in the audit log. If you don't want to log everything, mod_security allows you to define filters for the kind of requests you want to log. As you mentioned, you may be wanting to avoid logging requests to specific pages, or those containing certain keywords (e.g, 'password'). This can be done with this extension. If you're interested in a study that used this kind of information (logging of full raw HTTP requests) as starting point to understand how and why web attacks are carried out, you can have a look at the paper we published at NDSS this year: "Behind The Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web" (http://www.s3.eurecom.fr/docs/ndss13_canali.pdf) Regards, Davide	MarcRuef 1 Posts
Reply Quote	Jul 17th 2013 5 years ago
ModSecurity (http://www.modsecurity.org/) has this functionality and at the right price too! sanitiseArg - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseArg sanitiseMatched - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatched sanitiseMatchedBytes - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatchedBytes sanitiseRequestHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseRequestHeader sanitiseResponseHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseResponseHeader	MarcRuef 2 Posts
Reply Quote	Jul 17th 2013 5 years ago
For my webserver (a modified nweb). I do see POSTs from time to time. INFO: Addr:78.106.241.99:993 INFO: Date:Fri May 10 01:33:03 PDT 2013 :993 INFO: request:POST http://m.odnoklassniki.ru/dk?bk=GuestMain&st.cmd=main&tkn=3\711 HTTP/1.0Host: m.odnoklassniki.ruX-Requested-With: XMLHttpRequest*Accep\t: application/json, text/javascript, /; q=0.01Connection: closeContent-L\ength: 117Content-Type: application/x-www-form-urlencoded*:993 ... INFO: Addr:67.19.128.202:2150 INFO: Date:Tue Jun 11 16:17:59 PDT 2013 :2150 INFO: request:POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%\75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D\%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6\E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6\F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%\65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1\.1Host: X.Y.Z.QUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +\http://www.google.com/bot.html)Content-Type: application/x-www-form-urlencode\dConnection: CloseContent-Length: 263****:2150 That last is of course: /phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n I understand the second, I don't quite see where the .ru author is going in the first POST.	Anonymous
Reply Quote	Jul 24th 2013 5 years ago

Was just browsing my web logs again, and came across this stupid little SQL injection attempt:

GET //diary.html?storyid=3063//////////////-999.9+union+select+0-- HTTP/1.1

There were more like it. The reason I call this "stupid and simple" is that it probably didn't even work if I was vulnerable (mysql at least requires a space after the comment). So I was looking for other attempts (I found a few) but they had similar elemental mistakes, or used well known "bad" user agents that are frequently blocked (Firefox 3.5.9 ?! Really?)

So I was wondering: Why don't I see ever "better" attacks? One issue may be that web logs usually don't capture the "POST" request data. If you capture it at all, you capture it using a WAF or IDS if the request was suspect. Also, capturing full posts presents other problems. The data could be quite large, and may contain personal data that should better not be logged (usernames and passwords).

Anybody got a good way of logging "sanitized" POST requests?

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019

Johannes

3481 Posts
ISC Handler

Hello,

Indeed, in nearly every forensic case regarding web incidents I had to approach, logging was limited to GET requests.

The 3 main reasons appear to be: Missing knowledge, laziness and memory issue (sometimes explained as performance issues).

Regards,

Marc

MarcRuef

2 Posts

Hello,
capturing POST requests can be indeed a problem if you run a website storing sensitive user information.

Another way raw request logging can be done, for Apache users, is to set up the mod_security module to log POST requests in the audit log. If you don't want to log everything, mod_security allows you to define filters for the kind of requests you want to log. As you mentioned, you may be wanting to avoid logging requests to specific pages, or those containing certain keywords (e.g, 'password'). This can be done with this extension.

If you're interested in a study that used this kind of information (logging of full raw HTTP requests) as starting point to understand how and why web attacks are carried out, you can have a look at the paper we published at NDSS this year: "Behind The Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web" (http://www.s3.eurecom.fr/docs/ndss13_canali.pdf)

Regards,

Davide

MarcRuef
1 Posts

ModSecurity (http://www.modsecurity.org/) has this functionality and at the right price too!

sanitiseArg - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseArg
sanitiseMatched - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatched
sanitiseMatchedBytes - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatchedBytes
sanitiseRequestHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseRequestHeader
sanitiseResponseHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseResponseHeader

MarcRuef
2 Posts

For my webserver (a modified nweb). I do see POSTs from time to time.
INFO: Addr:78.106.241.99:993
INFO: Date:Fri May 10 01:33:03 PDT 2013
:993
INFO: request:POST http://m.odnoklassniki.ru/dk?bk=GuestMain&st.cmd=main&tkn=3\711 HTTP/1.0**Host: m.odnoklassniki.ru**X-Requested-With: XMLHttpRequest**Accep\t: application/json, text/javascript, */*; q=0.01**Connection: close**Content-L\ength: 117**Content-Type: application/x-www-form-urlencoded****:993

...

INFO: Addr:67.19.128.202:2150
INFO: Date:Tue Jun 11 16:17:59 PDT 2013
:2150
INFO: request:POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%\75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D\%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6\E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6\F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%\65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1\.1**Host: X.Y.Z.Q**User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +\http://www.google.com/bot.html)**Content-Type: application/x-www-form-urlencode\d**Connection: Close**Content-Length: 263****:2150

That last is of course:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

I understand the second, I don't quite see where the .ru author is going in the first POST.

Anonymous