Web Attack Investigation Part 1

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

17 hours 41 minutes
Video Transcription
Hey, everyone, welcome back to the course. So in the last video, we wrapped up our discussion on network forensics.
In this video, we're gonna talk about Web application forensics.
So just a quick pre assessment question here. Ah, buffer, overflow Attack as an unintentional leakage of sensitive information. Is that true or false?
All right, so that's actually false. The actual answer here will be information leakage. Now, Buffer overflow basically is used to write, try to write at least code to my Jason memory locations to then allow the attacker to pass some type of malicious code.
So the web application architecture,
We basically have our client, our web server. So the clients like us. You know, we're trying to surf the Web, go to Google or something like that. And so we're sending that request to the Web server. Then we also have the business and database layers. Well, eh, So, for example, we got the client. You know, that's gonna be us with Web browser, you know? So, using
plug ins, like, you know, silver lied Java script, you know, flash to some extent, even though that's been
disable the most browsers, you know? So we're doing that through, like, our smartphone, Our computer, You know, going through the web that way. Then we move into the Web server layer where, you know, we got the presentation layer inside of there. So that's things, you know, like you didn't like, maybe a proxy server. You know, your Web cache
server container, your authentication, your log in
things like that again, these air just in general. Things you want to just remember for the exam,
your business layer. So using things like C++ or dot net, um,
even legacy applications and then the database, Claire, things like your cloud service is your actual database and those sorts of things.
So whether application forensics. So where can we get information from? Well, you know, we could get this from our needs are hid. So again, network traffic, our network intrusion detection system or our host intrusion detection system. Depending it, you know, it could be on our server. Could be on a workstation. I'm getting information from the browser cookies. Right.
Um, even just other areas of the servers as well,
so challenges, so possibly we don't have logs. Generally, inadequate logs is gonna be our main challenge. there. Um, we may not be getting information from intrusion detection or intrusion prevention systems. It's possible that even organizations
you don't see too much nowadays. But it's possible that you have organizations not even using
an intrusion detection or intrusion prevention system in any capacity and then also training. Right. So we've got to make sure that our network administrator actually knows to leave the logs alone, leave the system alone, let us come in first and get an image of that system with a lot of times they want to take it off line or you turn it off
s. So we just want to make sure we have them trained up so we can actually get the information that we need Is a forensic investigator
so different indications of Web attack, obviously with, like, a de dos the number of incoming request, right? Like all of a sudden, you have four million requests coming in, whereas you know you normally have, like, 100 people come into your Web site.
We could find some information in the http request head or so if the Attackers using some common tools like sequel map or nets Parker, that might leave some fragmented data in there that we can harvest Also fingerprinting. So if we could recognize fingerprints
that are from previous attacks, you know, like even even not our organization. But other attacks as well
that happened on. And that's where we want to keep our eye. I ps and I. D s up to date because a lot of times they will be used file signatures so it can help us prevent against a lot of different attacks. And then also the geography, right? So if all the Web traffic normally comes from like the U. S. And then all of a sudden we're getting a lot of traffic from North Korea,
that could be an indication that that's an attack.
So this feel we just kind of went over Web application forensics at a high level,
And the next video we're gonna jump into the old lost top 10
Up Next