By: Ravi Raj
April 20, 2020
Identifying Web Attacks Through Logs
Have you often found yourself lost while trying to understand web logs? You are not alone; most people do, because interpreting web logs is not an easy job. An Akamai report from 2018 described SQLi (SQL Injection), LFI (Local File Inclusion) and XSS (Cross-Site Scripting) as the most common web attacks. Igor has compiled the course "Identifying Web Attacks Through Logs" to teach students how to interpret web logs in order to prevent attacks. Very few courses teach the defensive side of cyber security by analyzing attacks through logs, an approach that shows learners how to configure their security devices and what to look for when identifying attacks. So dive into the raw world of web server logs, and we will teach you how to interpret them.
The course is divided into two modules. Module 1 walks through the fundamentals of web logs, and Module 2 examines the web logs produced by various attacks, including the measures that can be taken to prevent these OWASP Top 10 attacks. The instructor does a fantastic job of teaching how web server logs can be read for the signatures of various attacks and how those signatures point to an attack.
The course begins with a walk-through of terms such as WWW, HTML, and HTTP, which students will often hear when web servers are discussed. It clearly illustrates how the logs of commonly used web servers such as Apache, Nginx, and Microsoft IIS differ from each other and what the unique identifiers are in the logs of each. Next come the various HTTP status codes you will encounter and a fantastic explanation of the three-way handshake. It is important to note that web server logs are generated only after a successful three-way handshake. While interpreting logs from a web server, we should be asking who, when, and what. If we can answer who performed the action, when it was performed, and what action was performed, we have successfully interpreted the log entry. This is illustrated with logs from the various web servers. Building on that understanding, the course shows which components of a log entry an attacker can craft; these are the fields that may point to an attack and should be examined first when looking for one.
Module 2 begins with the different components that can be compromised in a web server-based architecture. The instructor does a fantastic job of walking through the components of a URL and discussing the OWASP Top 10 vulnerabilities as of 2017 and how that list differs from the 2013 version. This is followed by a discussion of vulnerabilities and vulnerability scanners. An attack usually begins with detecting vulnerabilities that can be exploited later, so we need to identify when someone is scanning our infrastructure for vulnerabilities, as it may be the first step of an attack. In the web server logs, a scanner can be identified by checking the response codes, the user agent, and the number of requests arriving within a short interval. The idea is to block such scanners before they find vulnerabilities in our environment. An explanation of brute force attacks follows, which fall under A2, Broken Authentication. These too can be identified from the web logs, and our security tools can be configured to detect them.
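As an added illustration of the who/when/what reading of a log entry and of the scanner heuristic just described (response codes, user agent, request rate), the following example parses Apache/Nginx combined-format lines and flags a client that sends a burst of mostly 4xx requests. This is example code written for this review, not material from the course; the log lines, the IP addresses and the "ExampleScanner/1.0" user agent are constructed, and the window and threshold values are assumptions a practitioner would tune for their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: who (client IP), when (timestamp), what (request, status, user agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the who/when/what fields of one entry, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["when"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def flag_scanners(lines, window_s=10, min_requests=5, max_err_ratio=0.6):
    """Flag IPs with a burst of >= min_requests within window_s seconds that are mostly 4xx."""
    per_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            per_ip[e["ip"]].append(e)
    flagged = {}
    for ip, entries in per_ip.items():
        entries.sort(key=lambda e: e["when"])
        for i, first in enumerate(entries):  # slide a window starting at each request
            burst = [e for e in entries[i:] if (e["when"] - first["when"]).total_seconds() <= window_s]
            errors = sum(1 for e in burst if 400 <= e["status"] < 500)
            if len(burst) >= min_requests and errors / len(burst) >= max_err_ratio:
                flagged[ip] = {"requests": len(burst), "errors": errors,
                               "user_agents": sorted({e["ua"] for e in burst})}
                break
    return flagged

# Constructed sample: one ordinary visitor and one client probing paths that do not exist.
SAMPLE = [
    '10.0.0.5 - - [20/Apr/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [20/Apr/2020:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Apr/2020:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "ExampleScanner/1.0"',
    '203.0.113.9 - - [20/Apr/2020:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "ExampleScanner/1.0"',
    '203.0.113.9 - - [20/Apr/2020:10:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "ExampleScanner/1.0"',
    '203.0.113.9 - - [20/Apr/2020:10:01:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "ExampleScanner/1.0"',
    '203.0.113.9 - - [20/Apr/2020:10:01:04 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "ExampleScanner/1.0"',
]
```

Running `flag_scanners(SAMPLE)` reports only 203.0.113.9 (five requests in four seconds, four of them 404), while the ordinary visitor stays below the request threshold.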
SQL injection attacks come next; they are the most commonly exploited vulnerability in web servers. The instructor does a great job of explaining, through the logs, which indicators to look for in order to identify them. File inclusion attacks follow. Both local and remote file inclusion attacks can be performed against web servers: in local file inclusion the attacker accesses and executes local files or commands, while in remote file inclusion the attacker accesses and executes remote files or commands. It is important to note that these are server-side attacks. XSS (Cross-Site Scripting) attacks are next. In stored XSS, the malicious code is inserted into the web server itself, resulting in code execution on web clients every time they interact with the web server. In the other form, the client is taken to a different website, which may execute malicious code on the client. XSS can be blocked by an IPS that recognizes the appropriate attack signatures, which the instructor explains. Cryptomining and Magecart attacks are common attacks that make use of XSS. Cross-site request forgery is the next attack discussed; it exploits the trust between the web server and the client browser, infecting the client browser so that it can later be used for fraudulent activities.
Following the discussion of the various OWASP Top 10 attacks, SYN and HTTP flooding attacks are covered. The instructor explains how these flooding attacks can be identified and blocked using a WAF and firewalls. Finally, IDS and IPS devices are discussed. It is important to understand the difference in the placement of IDS and IPS devices in a production environment. Both work on the same principle, but it is often not feasible to use an IDS. Both IDS and IPS can be used to detect intrusions, but an IDS cannot block attacks while an IPS can.
It is important to understand the different components of web logs, because only then can you identify the different types of web attacks and set up your security devices properly to detect intrusions in your environment. So enjoy the course and make those dumb web logs help identify attacks for you.