Time
2 hours 19 minutes
Difficulty
Beginner
CEU/CPE
3

Video Transcription

00:00
Hello, everyone. Welcome back to the course Identifying Web Attacks Through Logs. In the last video, we talked about brute force attacks. I'm Igor Vieira, and this is module 2. In this video we start talking about injection attacks.
00:15
The first injection attack will be SQL injection.
00:19
To start, let's check the video objectives.
00:22
First, a brief introduction to injection attacks.
00:26
After this, we will review SQL injection attacks,
00:31
followed by web server log analysis to identify SQL injection attacks.
00:37
Injection attacks are related to OWASP Top 10 A1. In 2007 it was already among the top vulnerabilities.
00:44
Injections are so common that in 2010 and in 2013 it was the top vulnerability too.
00:52
Here is the injection definition from OWASP.
00:56
Injection attacks occur when the sent request contains some unexpected data and this data is executed by the web server. Remember that the web server doesn't care about the request,
01:08
and if the request is malicious,
01:11
the web server will process it.
01:14
SQL injection is one type of injection attack. There are many other injection attacks;
01:19
here I list some:
01:22
SQL injection, file injection and others. In this video, we'll talk about SQL injection.
01:29
Because of the multilayer web application structure, the client should only access the web server.
01:36
In the SQL injection attack, the client sends the request to the web server, but the web server will send the request to the database,
01:44
and the database will process it.
01:47
Depending on the request, the database can execute unexpected commands, and these commands can impact the database server and the web application.
01:57
SQL injection is considered a critical vulnerability.
02:01
It directly affects the database server.
02:04
Here we have a strip of a known joke about SQL injection.
02:08
Here, the fact was
02:10
losing all the database of the students.
02:14
This could be funny,
02:15
but if this happens in a production environment, the consequences could be drastic.
02:20
So let's talk about SQL injection.
02:23
Here are some considerations about SQL injection attacks:
02:28
it needs to use SQL that the database will process.
02:32
Usually it's caused by wrong user input validation,
02:37
like allowing special characters in the form.
02:39
It is an old attack, known since 1998.
02:44
It's also more common
02:46
on legacy applications.
02:47
It is a server-side attack,
02:50
and it has some types like blind, classic, union-based and error-based.
02:58
In our lab, there is a web application vulnerable to SQL injection attacks.
03:04
It is simple. It's just a form with only one text box to put the user ID.
03:10
If we try the number one,
03:13
we have the admin user's information.
03:15
Here you have the request made to the web server. It is a simple request.
03:21
You can see that the ID has the number one,
03:25
the admin ID.
03:27
So the information about the admin is shown.
03:30
But
03:31
if we do not send a number, what will happen?
03:35
This is an example of a malicious request.
03:38
To summarize, this user ID request will say to the database:
03:44
I want all the user IDs that are equal to 1 or 1 equals 1.
03:50
One equals one is always true, so the database will send all the user names.
03:55
This is the result of the request: all user names and information about the user names. So maybe you're thinking:
04:04
can the web server logs help me to identify SQL injection attacks?
04:09
Let's analyze both requests' web server logs.
04:13
The first is the ID number one request,
04:15
and the second log line is the malicious request.
04:19
Notice that whatever you put in the user ID will be sent to the web server and to the database server. Another important thing is that this request is encoded,
04:31
and after decoding, we'll see the same request that we used.
04:38
Because of this, it is usual that you see encoded requests during SQL injection attacks.
04:44
It is important to note that the web server answered both requests, and this includes the malicious request.
04:51
Depending on your application, it means that your application is vulnerable to SQL injection.
04:59
Let's analyze these three log lines.
05:00
These lines were generated by sqlmap. sqlmap is a well-known tool to perform vulnerability scans or to perform SQL injection.
05:12
Many vulnerability scans execute SQL injections, so during vulnerability scans it's possible to see SQL injections,
05:21
and depending on the policy of your company, you can classify that as a vulnerability scan or as a SQL injection attack. Again, the user agent can help you identify that.
05:34
Analyzing the logs, you should see SQL-related words or commands like AND, SELECT, CASE WHEN, UNION and others,
05:46
and always check the response of the web server. On the previous slide, the answer was 200, so the web server answered the request.
05:56
In these three lines of logs, we have the 302 redirection.
06:00
Sometimes you need to correlate more than one log line
06:03
to understand all that.
06:05
As information, here are the same three lines of logs, but now decoded.
06:12
If you do not know about SQL commands, you can ask your database admins and ask them if this command is malicious or impacts the database server.
06:24
Next slide. We're analyzing two more log lines,
06:27
and here they are. Again, we used sqlmap, but we changed the user agent.
06:33
You can notice encoded requests and many SQL words.
06:39
In the second log line, you have the WHERE and the AND commands.
06:44
Taking a better look, you can find more commands and words,
06:47
but now related to the operating system,
06:50
like /etc/passwd.
06:54
And in this slide, the decoded requests. One more question:
06:59
What about the POST requests?
07:01
To analyze the POST requests, you need more logs from other sources.
07:05
A good source is a packet capture. For example, this is a web server log for a POST request. The web server log only shows the POST request to the login page. There is no information about the request,
07:20
but in the packet capture, you can see the HTTP request
07:26
and all the form data that was sent.
07:29
Notice that this request is similar to our examples. However, it is not that easy to get a packet capture, but if possible, try to ask for them.
07:41
To summarize how to identify SQL injection:
07:45
first, the SQL commands like FROM, SELECT, WHERE and others. Look for encoded requests.
07:54
Also, remember to look for user agents and operating-system-related commands or words.
08:01
Now let's do some post-assessment questions to practice.
08:05
In the first question, analyze the log below and identify the web application attack, then choose the option with the correct attack.
08:13
You can pause the video if you want.
08:16
In this case, you can see that this log is big
08:20
and contains a lot of encoding.
08:22
Another observation is that you find the SQL words like SELECT, AND,
08:28
COUNT and others.
08:31
So this is a SQL injection attack.
08:33
As information, the decoded request shows the SQL request.
08:39
Now check this information:
08:41
web server logs will always show information about user actions. Is this information true or false?
08:50
This affirmation is false.
08:52
If the web application uses POST,
08:54
or if the web server logging configuration is wrong,
08:58
maybe the log cannot help you.
09:01
If this happens, you need to ask for the right configuration
09:05
or for the other logs.
09:07
Video summary.
09:09
In this video, we talked about types of injection attacks,
09:15
SQL injection attacks,
09:16
some indications to identify SQL injection attacks on the web server logs like SQL commands, encoded requests, user agent and operating system commands,
09:30
and after that we showed the difference between POST and GET requests,
09:35
showing an example of a packet capture with a SQL injection attack.
09:41
In the next video, we'll keep talking about injection attacks.
09:45
We'll discuss file injection or file inclusion
09:48
and the two types of inclusion: local and remote file inclusion.

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.

Instructed By

Igor Vieira
Information Security Analyst
Instructor