Apart from this, there are other scenarios as well.

For an administrator, it is really important to understand how to analyze the logs from a security standpoint. People who are just beginning with hacking/penetration testing must understand why they should not test/scan websites without prior permission.

This article covers the basic concepts of log analysis to provide solutions to the above-mentioned scenarios.

For demo purposes, I have the following setup.

This can be started using the following command:

A vulnerable web application built using PHP-MySQL

I have developed a vulnerable web application using PHP and hosted it on the Apache-MySQL stack mentioned above.

With the above setup, I have scanned the URL of this vulnerable application using a few automated tools (ZAP, w3af) available in Kali Linux.

Now let us see various cases in analyzing the logs.

It is always recommended to maintain logs on a web server for various obvious reasons.

The default location of Apache server logs on Debian systems is

Logging is just the process of storing the logs on the server. We also need to analyze the logs for proper results. In the next section, we will see how we can analyze the Apache server's access logs to figure out whether any attacks are being attempted on the website.

For logs of a smaller size, or if we are looking for a specific keyword, we can spend some time observing the logs manually using things like grep expressions.

In the following figure, we are trying to search for all the requests that have the keyword "union" in the URL.

From the figure above, we can see the query "union select 1,2,3,4,5" in the URL. It is obvious that someone with the IP address 192.168.56.105 has attempted SQL Injection.

Similarly, we can search for specific requests when we have the keywords with us.

In the following figure, we are searching for requests that try to read "/etc/passwd", which is obviously a Local File Inclusion attempt.

As shown in the above screenshot, we have many requests attempting LFI, and these are sent from the IP address 127.0.0.1. These requests are generated by an automated tool.

In many cases, it is easy to recognize whether the logged requests were sent by an automated scanner. Automated scanners are noisy, and they use vendor-specific payloads when testing an application. For example, IBM AppScan uses the word "appscan" in many payloads. So, by looking for such requests in the logs, we can determine what's going on.

Microsoft Excel is also a great tool to open the log file and analyze the logs. We can open the log file in Excel by specifying "space" as the delimiter. This comes in handy when we don't have a log-parsing tool.

Aside from these keywords, it is highly important to have basic knowledge of HTTP status codes during an analysis.

Below is the table that shows high-level information about HTTP status codes.

Web shells are another problem for websites/servers. Web shells give complete control of the server. In some instances, a web shell also gives access to all the other sites hosted on the same server.

The following screenshot shows the same access.log file opened in Microsoft Excel. I have applied a filter on the column that specifies the file being accessed by the client.

If we observe closely, there is a file named "b374k.php" being accessed. "b374k" is a popular web shell, and hence this file is highly suspicious. Looking at the response code "200", this line is an indicator that someone has uploaded a web shell and is accessing it on the web server.

The uploaded web shell is not always kept under its original name when it is placed on the server. In many cases, attackers rename them to avoid suspicion. This is where we have to act smart and check whether the files being accessed are regular files of the site or whether they look unusual. We can go further and also look at file types and time stamps if anything looks suspicious.

It is a known fact that SQL Injection is one of the most common vulnerabilities in web applications. Most of the people who get started with web application security start their learning with SQL Injection.

Identifying a traditional SQL Injection is as easy as appending a single quote to the URL parameter and breaking the query.
Anything that we pass can be logged on the server, and it is possible to trace it back.

The following screenshot shows the access log entry where a single quote is passed to check for SQL Injection in the parameter "user".

%27 is the URL-encoded form of a single quote.
For administration purposes, we can also perform query monitoring to see which queries are executed on the database.
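As an added example (not code from the original article), the following Python script applies the grep-style checks from the cases above to Apache combined-format access log entries: it URL-decodes the request path so that %27 and %20 payloads are caught as well as plain ones, flags the SQL Injection, LFI, web shell and scanner patterns, and tallies hits per client IP and requests per HTTP status code. The log lines, IP addresses and rule list are constructed for illustration; the web shell name list is only a starting point, since renamed shells still need the manual review described above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Rules for the cases walked through above: a single quote or UNION SELECT in the URL (SQLi),
# /etc/passwd or traversal (LFI), a known web shell name, and a vendor keyword left by a scanner.
KNOWN_SHELLS = ("b374k",)  # starting point only: renamed shells still need manual review
RULES = [
    ("sqli", lambda p, ua: "'" in p or re.search(r"\bunion\b.*\bselect\b", p, re.I)),
    ("lfi", lambda p, ua: "/etc/passwd" in p or "../" in p),
    ("webshell", lambda p, ua: any(s in p.lower() for s in KNOWN_SHELLS)),
    ("scanner", lambda p, ua: "appscan" in (p + ua).lower()),
]

def analyze(lines):
    """Return (findings, hits per client IP, requests per status code).
    Each finding is (ip, rule name, status, decoded path)."""
    findings, by_ip, by_status = [], Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed entries instead of aborting mid-file
        by_status[int(m["status"])] += 1
        # Decode %27 -> ' and %20 -> space so encoded payloads hit the same rules as plain ones
        path = unquote(m["path"])
        for name, check in RULES:
            if check(path, m["ua"]):
                findings.append((m["ip"], name, int(m["status"]), path))
                by_ip[m["ip"]] += 1
    return findings, by_ip, by_status

# Constructed sample entries (not taken from the article's screenshots)
SAMPLE_LOG = """\
192.168.56.105 - - [10/Mar/2016:10:01:02 +0000] "GET /login.php?user=admin%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.105 - - [10/Mar/2016:10:01:05 +0000] "GET /view.php?id=1%20union%20select%201,2,3,4,5 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2016:10:02:11 +0000] "GET /page.php?file=../../../../etc/passwd HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2016:10:02:12 +0000] "GET /search.php?q=appscan HTTP/1.1" 404 221 "-" "Mozilla/5.0 (AppScan)"
10.0.0.7 - - [10/Mar/2016:10:05:40 +0000] "POST /uploads/b374k.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Mar/2016:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, ips, codes = analyze(SAMPLE_LOG.splitlines())
    print(*hits, "hits per IP: %s" % dict(ips), "status codes: %s" % dict(codes), sep="\n")
```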