Hello, everyone, and welcome back to the course Identifying Web Attacks Through Logs. In the last video, we talked about log analysis and its challenges. We also finished our review in the previous module, where we covered important things related to Web applications and log analysis. This module will be more hands-on: we'll perform some Web application attacks and then do the log analysis. To start, we'll talk about Web application attacks.

The learning objectives of this video are understanding the differences between infrastructure and application attacks, introducing the OWASP Top 10 project, reviewing some common Web application attacks, and understanding the components involved.
First, let's remember some Web application components. Do you remember when we talked about TCP/IP and HTTP, and I said that HTTP uses TCP/IP to communicate? For Web applications to work, they need a lot of components. Let's check some of them.

In the top layer we have the Web application itself; PHP and HTTP are related to this layer. Below that we have the Web server that hosts the application; Web server software like Apache and Nginx is in this layer. These two components need to run somewhere, and that place is usually a server, but it could also be a personal system running Microsoft Windows or Linux. This is also true for virtual machines. We can also add database servers and application servers to this layer. In the last layer we have the network hardware and services that make the communication possible.

This is only one way to understand Web applications and their components. It's important to know that each component can be attacked, and since Web applications depend on all these components, an attack on any layer can affect the entire Web application. The three layers under the Web application are the infrastructure. In this course we'll focus on the top layer: the Web application attacks.
This is a typical infrastructure that would support a Web application. Other designs are possible, but they won't be very different from this one. To access our page, the user sends a request to the Web server, and the Web server accesses the other components. That means all of this infrastructure can contribute logs, and again, the more logs we have, the more information we have during an investigation.

Now imagine you have the same Web application and the same infrastructure. How do you think you could identify a malicious user and an attack? To identify an attack, you need to know about the attack, and the Web server logs will help you identify it.

As we said before, Web applications are client-server oriented. Based on this model, we can classify Web application attacks into two types. The first is client-side attacks, which usually exploit a vulnerability on the endpoint where the client is located, i.e., the Web client. The second classification is server-side attacks; in this case, the target is the server. In this course we'll focus on server-side attacks. Since the Web server is the target, we can use its logs to identify the attack.
To talk about attacks, we need to talk about vulnerabilities. One definition of a vulnerability is from NIST, which says that a vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. In our course we'll replace "information system" with "Web application". The attacker is someone who tries to exploit the vulnerability, and all the vulnerable things together are the attack surface.

Here are some more definitions. Risk is the possibility of something bad happening. The target, for us, is Web servers and Web applications. An attack is basically any action that someone performs while trying to exploit a vulnerability, whether or not it causes any impact on the Web application.
We are talking about attacks, but do you know what the most common Web application attacks are? To answer this question, we'll use our definitions from the last few slides. Based on those definitions, we need a vulnerability to have an attack, so it's actually better to ask: what are the most common vulnerabilities? To answer this question, we'll use the OWASP Top 10 Project. OWASP, which means Open Web Application Security Project, is a project that catalogs the top 10 vulnerabilities for Web applications. In this course we'll use the version launched in 2017. The first version is from 2003. Check the OWASP website if you want more information.

Here we have the comparison between the 2013 and 2017 projects. In this course, we'll use examples of some attacks like injection, broken authentication, security misconfiguration, cross-site scripting, using components with known vulnerabilities, and the last one on the list, insufficient logging and monitoring, which is not an attack but is still related to our course.
To talk about Web attacks, we need to understand URL components. URL stands for Uniform Resource Locator. It's a type of URI, Uniform Resource Identifier. User agents use the URL to request information from the Web server. Each Web application has its own resource locator, which makes it possible for one Web server to host many applications. A URL is also known as a Web address and has multiple parts.

Now let's understand its components: a scheme that identifies the protocol; a host or domain, which may or may not be followed by a port; a path that identifies the resource we want to access; and the query, which is used to pass some information. If we look at the Cybrary login page, we can find the components. The scheme, or protocol, in this case is https. www.cybrary.it is the host or domain. You can see here that we don't have port information; it will use 443 because of the https scheme. After the slashes comes the path, and after the question mark is the query. It's important to know that most attacks are performed in the path or in the query components. If you want to know more about this, check these two websites.
Another important thing is encoding. URLs can only be sent over the network using the ASCII character set. To respect this rule, some characters need to be encoded in ASCII. The encoding replaces the unsupported character with a percent sign followed by two digits. The two digits are the hexadecimal value of the encoded character. For example, the space is converted to %20, like in this example. Another use is to represent different writing systems that don't use Latin characters, like Arabic or Chinese.

Encoding is also used to perform attacks, although a percent sign in a request doesn't mean the request is malicious. Percent is used in both good and bad actions. This Cybrary request has multiple percent signs, but it's safe.

To make things clearer, let's look at this request. We have this big request here with many percent signs. If you know SQL, you'll also notice some SQL words like SELECT, WHERE and others. Could you find those words? It's hard to find them, right? There are many percent signs, and to help find those words we can decode the request. There are many sites that can help with decoding. After decoding, we'll be able to see what it really means. Now it's easy to see the SQL words in the real request. In this course, you'll learn that this particular request is an SQL injection attack.
One more thing: a typical user will make many requests to load one page. This means that the user will request different paths and different queries. Here's an example of one user requesting one website. One access generated three lines of logs. The other requests are from the same IP address at the same date and time, but all are different requests. It's common behavior in modern Web pages to have many requests for a single page. Knowing your Web application will help you identify this behavior.
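The URL components, the percent-decoding, and the several-lines-per-page-load pattern described above, pulled together as an added example (not code from the course): the script parses Apache combined-format access log lines, splits the request into path and query, decodes the %XX sequences, and flags requests whose decoded URL carries two or more SQL keywords. The log lines, IP addresses and keyword list are constructed for this example.

```python
"""Parse Apache combined-format access log lines, split the requested URL into
its components and percent-decode path and query so hidden SQL keywords show."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (not real traffic): three lines from one page load
# by one visitor, then two requests carrying percent-encoded query strings.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /css/style.css HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /js/app.js HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2017:13:57:01 +0000] "GET /item.php?id=1%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users--%20 HTTP/1.1" 200 2010
198.51.100.9 - - [10/Oct/2017:13:58:12 +0000] "GET /search.php?q=caf%C3%A9%20%26%20bar HTTP/1.1" 200 1900
"""
# Fields: client - - [time] "METHOD url PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Keywords that rarely appear together in a legitimate query string.
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop",
                "from", "where", "sleep", "benchmark", "information_schema"}


def parse_line(line):
    """Return the log fields plus the percent-decoded path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])         # a log line has no scheme or host
    rec["path"] = unquote(parts.path)    # %2F -> /, %C3%A9 -> é
    rec["query"] = unquote(parts.query)  # after the '?', where most attacks sit
    return rec


def sql_keywords_in(rec):
    """Distinct SQL keywords in the decoded path and query, lower-cased."""
    text = (rec["path"] + " " + rec["query"]).lower()
    return sorted(set(re.findall(r"[a-z_]+", text)) & SQL_KEYWORDS)


def suspicious_requests(log_text, min_keywords=2):
    """Records whose decoded URL holds at least min_keywords SQL keywords.
    A percent sign alone, or one keyword, is not enough: encoding is normal."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and len(sql_keywords_in(rec)) >= min_keywords:
            hits.append(rec)
    return hits
```

On a real access log, call `suspicious_requests(open(path).read())`; tune `SQL_KEYWORDS` and `min_keywords` to your own application, since a site whose legitimate query strings contain words like `from` or `where` needs a higher threshold.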
Post-assessment question: is this statement true or false? Considering a basic Web infrastructure, only Web servers are susceptible to attacks. This statement is false. Remember, Web applications depend on many components, and all of them could be targets.

Which of these vulnerabilities are present in the 2017 OWASP Top 10 project? The answer is injection and security misconfiguration. The other options are related to infrastructure attacks.

For the last question, check this statement: Web requests with a percent sign in them are malicious. Is it true or false? This statement is false. A percent sign is not always malicious. It could be used to represent a different writing system or to carry unsupported characters.
In this lesson, we talked about the differences between Web application and infrastructure attacks based on a layered approach, the definitions of an attack and a vulnerability, and the OWASP Top 10 project, and we also reviewed URL components and URL encoding. In the next video, we'll begin our log analysis, starting with vulnerability scans.