Time: 2 hours 19 minutes
Difficulty: Beginner
CEU/CPE: 3

Video Transcription

00:00
Hello and welcome back to the course Identifying Web Attacks Through Logs.
00:04
I'm Igor Vieira. In the last video we talked about injection attacks and SQL injection attacks.
00:11
In this video, we'll talk about another injection attack called file inclusion.
00:17
Let's see the video objectives.
00:20
The video objectives are:
00:22
understand the local and remote file inclusion attacks, and identify these attacks using the web server logs.
00:29
First, let's discuss a while. The file inclusion attack, as we said before, is an injection attack
00:37
and is usually caused by wrong user input validation. It is common to see the directory traversal characters.
00:44
There are two types: local file inclusion, that accesses and executes local files or commands, and remote file inclusion, that accesses and executes remote files or commands,
00:57
and the file inclusion is a server-side attack.
01:00
Here you can see how file inclusion works. First, the local.
01:07
A request is sent to the server and answered.
01:10
So all happens in the same server.
01:12
The remote file inclusion is a little different.
01:15
The user sends the request to the web server, and the web server sends the request to another web server,
01:23
the remote server.
01:25
That's why it's called remote file inclusion:
01:27
you need two different servers.
01:30
There is in our lab a web application that is vulnerable to file inclusion, both local and remote.
01:38
For example, here is an example of local inclusion.
01:42
passwd is a file that contains all the passwords from the users in a Linux machine.
01:49
You can see the directory traversal characters to change the directories.
01:53
The result is that the passwd file will be reached and displayed in the web page,
02:00
as you can see in this picture.
02:02
Let's analyze together some logs.
02:06
The first line of the log is a normal request.
02:09
The second line is the direct request to the passwd file,
02:15
and the website answer is not found, the 404.
02:20
So the request was not answered.
02:23
In the third line, we have 200 as the answer, so the web server found the passwd file.
02:30
Notice the difference between the two requests.
02:34
The next line is the same request, but encoded.
02:38
As you can see, it worked.
02:42
The web server answered the passwd file.
02:46
Since the passwd is local, this attack is a local inclusion.
02:51
In these examples, we had access to critical files.
02:54
It is also possible to execute commands on the web server.
02:59
In this table, we have a summary of the most common target files for each operating system.
03:05
If you want, pause the video and take some notes.
03:08
And now some directions to help you identify the local file inclusion.
03:15
Look for operating system commands in files,
03:19
new files,
03:21
encoded requests,
03:23
and slashes on the requests.
03:25
You can go to this website and look for more examples of local file inclusion. The next is the remote file inclusion. We will use the same lab.
03:36
The difference between the remote and local file inclusion is where the resource is located.
03:43
The remote file inclusion means to access another server's files. In our example, we will access the Google website from our lab.
03:53
In the result, you can see that the Google search bar is loaded in the lab's web page. The remote server is a Google server.
04:01
The remote file inclusion accesses remote servers. So maybe you are thinking: I don't have access to the remote server. Can I find the remote file inclusion attack logs on my web server? Yes, you can find the logs of the attack on your web server. Accessing another web server is a consequence of the attack.
04:21
Your web server is the target.
04:24
That's why we will have the logs.
04:26
Let's analyze some logs.
04:29
The first line is the request to the vulnerable web page.
04:32
Notice that there are some log fields missing, like user agent, IP address, and date and time.
04:40
They were removed just to save space.
04:42
In the second line we have the malicious request.
04:46
Another page is accessed
04:47
from our application,
04:49
in this case, the Google web page.
04:53
The other logs are our web server requesting the Google web page.
04:59
So
05:00
our web server is downloading the Google web page.
05:03
That's why we have similar logs.
05:06
Most of them are pictures.
05:09
The full log of this request is bigger. Here we have a small part,
05:14
but all the requests are similar.
05:16
You can use the same directions to identify remote and local inclusion. Here are some directions more related to the remote.
05:26
Look for URLs in the requests,
05:28
as we showed in our example, requests for another web server, like an outside site.
05:34
It's suspicious if the server is accessing a remote server. Maybe you can see an increase in web server traffic.
05:44
Here too, look for encoded requests
05:46
and the user agents.
05:48
Look for uncommon user agents or vulnerability scanners.
05:54
Post-assessment question: analyze the web server log below and choose the type of the attack.
06:00
You can pause the video if you want.
06:02
The answer is number four, remote file inclusion. Let's now analyze the log together and see why.
06:10
We have the IP address, date and time, and the requested file,
06:15
and we have the GET method.
06:17
If you look at the requested file, you can see there is another address in the page. So we have a remote file inclusion, because we are trying to access a remote server, here the Cybrary web page.
06:32
The other fields are okay. We have the 200, that means OK,
06:38
we have the referer and the user agent.
06:42
For the next question, analyze the web log below
06:45
and identify which web page is vulnerable to the file inclusion attack.
06:50
Here you have the request,
06:54
and you have a small part of the full log file,
06:57
but you can see the malicious request.
07:00
Also, if we look at the referer, we can see the origin web page.
07:06
Remember that the referer can be crafted too, but sometimes it can help.
07:13
In this case, it's possible to find the vulnerable web page. Here is the answer.
07:18
Video summary: in this video, we learned about local and remote file inclusion attacks
07:25
and their differences. We used our lab to generate some web server logs,
07:30
and analyzing the web server logs, we identified both types of attacks,
07:35
local and remote file inclusion.
07:39
We also gave some directions to identify these attacks, like URL requests,
07:44
encoded requests, user agents,
07:46
requests with operating system commands or files, requests with many slashes,
07:53
and some specific directions for the remote file inclusion, like the requests to the outside.
07:59
In the next video, we will analyze cross-site scripting attacks,
08:03
and we will identify the attack using the web server logs.

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor