Web Application Attacks Review


Time
2 hours 5 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:01
Hello, everyone, and welcome back to the course, Identifying Web Attacks Through Logs.
00:07
In the last video, we talked about log analysis and its challenges.
00:11
We also finished our reviews.
00:13
In the previous module, we talked about important things related to Web applications and log analysis.
00:19
This module will be more hands-on;
00:22
we'll perform some Web application attacks and then do the log analysis.
00:27
To start, we'll talk about Web application attacks.
00:30
As such,
00:31
the learning objective of this video is understanding the differences between infrastructure and application attacks,
00:37
introducing the OWASP Top 10 project,
00:40
reviewing some common Web application attacks, and understanding the URL components.
00:45
Let's begin.
00:46
First, let's remember some Web application components.
00:50
Do you remember when we talked about TCP/IP and HTTP? And I said that HTTP uses TCP/IP to communicate.
00:58
For Web applications to work, they need a lot of components. Let's check some of them.
01:02
In the top layer, we have the Web application.
01:04
PHP and HTTP are related to this layer.
01:08
After that, we have the Web server that holds the application.
01:12
Web server software like Apache and nginx are in this layer.
01:17
These two components need to run in some place. This place is a server, but it could also be a personal system
01:23
like Microsoft Windows or Linux.
01:26
This is also true for virtual machines.
01:29
We can also add database servers and application servers to this layer.
01:34
In the last layer, we have the network hardware and services that make the communications possible.
01:40
However,
01:41
this is only one way to understand the Web applications and their components.
01:45
It's important to know that each component can be attacked.
01:49
And since Web applications depend on all these components, an attack on any layer can affect the entire Web application.
01:56
The three layers under the Web application are infrastructure.
01:59
In this course, we'll focus on the top layer:
02:01
the Web application attacks.
02:04
This is a typical infrastructure, which would support a Web application.
02:07
Another design is possible, but it won't be so different from this.
02:12
To access our page, the user will send a request to the Web server,
02:15
and the Web server will access the other components.
02:19
That means that all this infrastructure can help with logs. And again, if we have more logs, we have more information during an investigation.
02:28
You have the same Web application and the same infrastructure.
02:31
How do you think you could identify a malicious user and an attack?
02:36
To identify an attack, you need to know about the attack, and the Web server logs will help you to identify the attack.
02:44
As we said before,
02:45
the Web applications are client-server oriented.
02:47
Based on this model, we can classify Web application attacks in two types.
02:53
Client-side attacks,
02:54
that usually exploit a vulnerability and use an endpoint where it's located, i.e., the Web client.
03:00
The second classification is server-side attacks.
03:04
In this case, the target is the server.
03:07
In this course, we'll focus on server-side attacks.
03:09
Since the Web server is a target,
03:12
we can use its logs to identify the attack.
03:15
To talk about attacks, we need to talk about vulnerabilities.
03:21
One definition of a vulnerability is from NIST, which says that a vulnerability is a weakness in an information system,
03:28
system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
03:36
In our course, we'll change "information systems" to "Web applications".
03:39
The attacker is someone who tries to exploit the vulnerability, and all the vulnerable things are the attack surface.
03:46
Here are some more definitions.
03:49
Risk: the possibility of something bad happening.
03:52
Target: for us,
03:53
Web servers and Web applications. And attacks, which are basically any action that someone is performing, trying to exploit the vulnerability or not, to cause any impact on the Web application.
04:06
We are talking about attacks, but
04:09
do you know what the most common Web application attacks are?
04:13
To answer this question, we'll use our definition from the last few slides.
04:16
Based on that definition, we need a vulnerability to have an attack,
04:21
so it's actually better to ask:
04:25
what are the most common vulnerabilities?
04:28
To answer this question, we'll use the OWASP Top 10 project.
04:31
OWASP, which means Open Web Application Security Project,
04:35
is a project that catalogs the top 10 vulnerabilities for Web applications.
04:43
In this course,
04:44
we'll use the version launched in 2017.
04:46
The first version is from 2003.
04:49
Check the OWASP website if you want more information.
04:55
Here, we have the comparison between the 2013 and 2017 projects.
04:59
In this course, we'll use examples of some attacks like injection, broken authentication, security misconfiguration, cross-site scripting, using components with vulnerabilities, and the last one, which is not an attack but is still related to our course.
05:15
To talk about Web attacks, we need to understand the URL components.
05:19
URL stands for
05:21
Uniform Resource Locator.
05:25
It's a type of Universal Resource Identifier.
05:28
User agents use the URL to request information from the Web server.
05:32
Each Web application has one resource locator, which makes it possible for our Web server to host many applications.
05:40
URL is also known as a Web address
05:43
and has multiple parts.
05:45
Now, to understand its components:
05:49
a scheme that identifies the protocol; a host or domain, which could be followed or not by a port; a path that identifies the resource they want to access;
05:58
and the query that's used to pass some information.
06:00
If we look at the Cybrary login page, we can find the components.
06:04
The scheme or protocol in this case is https.
06:09
www.cybrary.it is the host or domain.
06:14
You can see here that we don't have the port information.
06:16
It will use 443 because of the https scheme.
06:21
After the slashes is the path, and after the question mark is the query.
06:26
It's important to know that most of the attacks are performed in the path or in the query components.
06:31
If you want to know more about this, check these two websites.
06:38
Another important thing is encoding.
06:40
URLs can only be sent over the network using the ASCII character set.
06:45
To respect this rule, some of the characters need to be encoded in ASCII.
06:48
The encoding will change the unsupported character for a percent sign, followed by two numbers.
06:55
The two numbers are the hexadecimal digits of the encoded character.
06:58
For example, the space is converted to %20,
07:01
like in this example.
07:03
Another use is to convert different writing systems that don't use Latin characters, like Arabic or Chinese.
07:10
Also, encoding is used to perform attacks, although a percent sign in the request doesn't mean that this is a malicious request.
07:16
Percent is used in both good and bad actions.
07:20
For example,
07:21
this Cybrary request has multiple percent signs,
07:25
but it's safe.
07:28
To make things more clear, let's look at this request.
07:30
We have this big request here with many percent signs.
07:34
If you know about SQL, you'll also notice some SQL words like SELECT, WHERE, and others.
07:41
Could you find those words?
07:43
It's hard to find, right?
07:45
There are many percent signs, and to help with finding those words, we can decode it.
07:48
There are many sites that can help with the decoding.
07:51
After decoding, we'll be able to find out what it really means.
07:57
Now it's easy to see the SQL words in the real request.
08:01
In this course, you'll learn that this particular request is an SQL injection attack.
08:05
And then one more thing.
08:07
A typical user will make many requests throughout this one page.
08:13
This means that the user will request different paths and different queries.
08:16
Here's an example of one user requesting one website.
08:20
One access generated three lines of logs.
08:24
Other requests are from the same IP address, the same date and time, but
08:28
all are different requests.
08:31
It's common behavior in modern Web pages to have many requests throughout a single Web page.
08:35
Knowing your Web application will help you to identify this behavior.
08:39
Post-assessment question. Is this information true or false?
08:43
Considering a basic Web infrastructure,
08:46
only Web servers are susceptible to attacks.
08:48
This information is false.
08:50
Remember, Web applications depend on many components, and all of them could be targets.
08:54
Next question.
08:56
Which of these vulnerabilities are present in the 2017 OWASP Top 10 project?
09:03
The answer is injection and security misconfiguration.
09:07
The other options are related to infrastructure attacks.
09:09
For the last question, check this information:
09:13
Web requests with a percent sign in them are malicious.
09:18
Is it true or false?
09:20
This information is false.
09:22
A percent sign is not always malicious.
09:24
It could be used to transfer a different writing system or to use unsupported characters.
09:30
Video Summary
09:31
In this lesson, we talked about the differences between Web application and infrastructure attacks based on a layer approach.
09:37
The definition of an attack and vulnerability.
09:39
the OWASP Top 10 project,
09:41
and we also reviewed URL components and URL encoding.
09:46
In the next video, we'll begin our log analysis,
09:50
starting with vulnerability scans.

Identifying Web Attacks Through Logs

This course will review web application infrastructure, web servers, and the logs associated with them. We will also simulate 10 attack scenarios and identify the attack through logs that are generated by the web server.
