Hello and welcome back to the course, Identifying Web Attacks Through Logs.
In the last video, we talked about cross-site scripting attacks.
In this video, we will discuss cross-site request forgery.
Let's start with the learning objectives.
The learning objectives are to review cross-site request forgery and to identify the attacks through log analysis.
Cross-site request forgery exploits the trust between the web server and the user's browser.
Suppose that you access your interactive bank website.
Everything goes okay, you do whatever you need to do,
but afterwards you access a malicious website.
This malicious website will try to send a malicious command through your Web browser.
Your Web browser will execute the command.
This malicious command could be a money transfer to the attacker's account.
The user won't see the request, and
this could all happen because the bank website
trusts the user's browser.
Maybe you're thinking
cross-site request forgery is the same thing as cross-site scripting, right?
Well, even if the name is similar, the attack is different.
In cross-site request forgery,
the source of the attack does not directly connect to the Web surfer.
That's why the name is
In our lab, we have a vulnerable web application.
In this case, the vulnerability allows for the changing of the user's password.
First, let's see the logs of a normal request.
The first two lines are the logon and the access to the vulnerable web page.
The next line is the user changing the password.
We can see the client's IP address, the requested file with the password change, and the referer.
Also, take a look at the time.
The next log is a malicious request.
You can see the same IP address and another request to change the password.
Can you identify another difference between the two logs?
One of the differences is the password.
Another difference is the referer.
Here, we don't have the referer, and this new password change request happened sometime after before the first request.
How do you identify cross-site request forgery?
Well, the referer is the best way to identify it.
If you notice an unexpected referer,
it's a good indication that something is wrong.
Another thing is different behavior from the user, like changing or trying to change the password many times in a small period of time, or the same actions in a small period of time.
Post assessment question.
Cross-site request forgery attacks only happen if the user's browser is compromised.
Is this affirmation true?
This affirmation is false.
Most of the time the attack will happen because the user connected to a malicious website.
For the next question, analyze the web log below and identify the possible attack type.
Here you have two POST methods, both trying to log into a web page
and with more than one minute of difference between the two requests.
Also notice that the referer changes.
This could be a cross-site request forgery attack using the POST request.
The source of the attack is the web page Little Cut Dogs dot com.
Since this is a POST request,
we can't see the user or the password sent by the malicious web server that hosts the Little Cut Dogs website.
In this video, we discussed cross site request forgery attacks and identified the attacks by analyzing Web server logs.
For the next video, we will analyze other sources of logs, like IPS logs.
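
The two checks described in the video (a missing or unexpected referer on a password change, and the same action repeated within a short time), written as an added example that is not part of the original video or its lab. The host name, paths, time window and log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format: ip - user [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

SITE_HOST = "lab.example"            # assumption: the application's own host name
SENSITIVE = ("/account/password",)   # assumption: state-changing paths to watch
WINDOW = timedelta(minutes=5)        # assumption: what counts as a "small period of time"

def find_csrf_suspects(lines):
    """Return (line_no, reason) pairs for sensitive requests that look forged."""
    findings, last_seen = [], {}
    for no, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m or not m["path"].startswith(SENSITIVE):
            continue  # unparsable line or not a watched action
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ref = m["referer"]
        ref_host = urlsplit(ref).hostname if ref not in ("", "-") else None
        if ref_host is None:
            findings.append((no, "missing referer"))
        elif ref_host != SITE_HOST:
            findings.append((no, f"foreign referer: {ref_host}"))
        # Same client repeating the same action shortly after the previous one.
        key = (m["ip"], m["method"], m["path"].split("?")[0])
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= WINDOW:
            findings.append((no, "repeated action in short window"))
        last_seen[key] = ts
    return findings

# Constructed sample log lines (not taken from the course lab).
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2020:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "http://lab.example/login" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2020:10:00:05 +0000] "GET /account/settings HTTP/1.1" 200 512 "http://lab.example/home" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2020:10:00:30 +0000] "GET /account/password?new=AAAA&confirm=AAAA HTTP/1.1" 200 512 "http://lab.example/account/settings" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2020:10:02:10 +0000] "GET /account/password?new=BBBB&confirm=BBBB HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2020:10:20:00 +0000] "POST /account/password HTTP/1.1" 200 512 "http://other.example/page" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for no, reason in find_csrf_suspects(SAMPLE):
        print(f"line {no}: {reason}")
```

A missing referer is an indicator rather than proof, since browsers and privacy settings can legitimately omit the header, so treat these findings as leads to correlate with the user's other activity.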