Hello, everyone, and welcome back to the course, Identifying Web Attacks Through Logs.
After our brief review of Web application architecture, let's now talk about HTTP and TCP.
First, consider this affirmation.
One of the differences between TCP and UDP is that TCP establishes a connection through a process called a three-way handshake.
Is this affirmation true or false?
This affirmation is true.
The three-way handshake is the process that TCP uses to establish the connection between the client and the server.
UDP does not do this. It only sends the packets.
That's why TCP is called connection-oriented and UDP is connectionless.
Later, we will talk about the impact of the TCP three-way handshake on log analysis.
Let's start by talking about the learning objectives.
In this video, the learning objectives are a brief review of HTTP, followed by a review of the TCP/IP model. After that, I'll present our infrastructure lab.
Let's start talking about HTTP.
HTTP means Hypertext Transfer Protocol.
Here's the definition of what a protocol is.
A protocol is a set of rules to allow communication.
The set of rules is defined in an RFC. You can check it on this Web page.
As we said before, with HTTP the clients will send questions to the server. The server will then answer.
HTTP is how the clients and server talk.
Two things are really important to know.
HTTP methods are sent by the clients, and they tell the Web server what the clients want to do.
The second one is the status code.
The status code is a way in which Web servers tell clients what the server did with the request.
The browser will send a GET, and it goes through a network.
The Web server receives it and answers back with a status code.
The Web client will get the answer and show you the page.
The method is like a command.
The HTTP status code is a result of this command.
So what are these HTTP methods?
Here is a table of methods. The most commonly used are the GET and POST methods.
GET requests resources like a file, an image or some other resource.
POST sends something to the Web server, like usernames or passwords.
RFC classifies the methods with some properties.
One of these properties is whether the method is safe.
A safe method is one that is read-only.
The method should not change anything on the Web server.
However, as we have seen in this course,
GET could be used to perform attacks like brute-force attacks or HTTP floods.
Other properties can be found in Section 4.2 of the RFC.
Now the status code.
The status code will tell us how the Web server processes the client requests.
The most common codes are inside five families of codes.
The one hundreds: these are informational codes.
The two hundreds are codes for successful operations.
The three hundreds mean redirections.
The four hundreds mean client error, i.e., the client performed an incorrect request.
And the five hundreds indicate a server error. The Web server could not answer the request because of an error.
This can be caused by attacks, misconfiguration or overload.
In this slide, I will review the most common status codes.
It's important to know some of them.
The 200 means OK.
This means that the Web server answered and the client would get the answer.
302 is the most common for redirections.
This happens when one Web page sends you to another.
After you put in your username and password, the Web application could send you to another Web page.
404 occurs when the Web server doesn't find the requested resource. It could be a typing error from the user, a wrong Web page called in the code, or someone trying to find information.
You can check all the codes in the RFC.
After this brief review of HTTP, let's talk about TCP/IP.
HTTP is an application protocol like DNS or SMTP.
Since HTTP is an application protocol, it uses the application layer, and it is located at the top of both the OSI and TCP/IP models.
HTTP uses lower layers to reach a destination like clients and servers.
HTTP uses TCP port 80.
8080 is possible as well.
If you see an S after HTTP, the S stands for secure.
It means that the HTTP is transferred encrypted.
The most common port for HTTPS is 443.
Like HTTP, it's possible to see HTTPS running on a lot of TCP ports.
Why should we care about TCP/IP if the Web server and clients use HTTP?
To clarify, here we have a packet capture for a communication between a client and a Web server.
The first three lines are the TCP/IP communication, the three-way handshake.
The TCP/IP communication is handled by the Web server operational system.
HTTP doesn't care about
If a client is a Web browser, it will say to the operational system that a three-way handshake will occur, and the operational system will reach out to the Web browser saying, "Hey, we're connected with the server.
You can use this connection to send your HTTP information."
Then the next line is the HTTP request here.
Again, this means that HTTP and HTTPS communications only start after the TCP three-way handshake.
The Web server will only log the HTTP or HTTPS requests.
For this communication, the Web server will only show one log line.
Here are the topologies that we will use during our course.
We have an attacker machine and a vulnerable Web application.
The Web application is the OWASP Broken Web Applications Project application.
Between the attacker and the application, there is a firewall.
Everything here is virtual.
The process will be that we will use the attacker machine to attack the Web application.
After the attack, you start the logs, you analyze them to identify the attack.
We also have a Web server on the Internet to get some real logs.
These logs will be used as an example.
Link the Web server status code on the left with its description on the right.
Here you have the answers.
Just to remember, the 200 means success or OK.
For the next question, consider this scenario.
You are a SOC analyst
and someone shows you a packet capture, the packet capture below.
Suppose that you need the Web server logs.
How many lines will you have in the Web server log for this communication?
A, two lines; B, four lines; C, one line; or D, zero lines.
The answer is letter C, one line.
As we said before, the HTTP communication starts after the three-way handshake.
We only have one HTTP request.
What that means is that we only have one log line.
In this video, we talked about HTTP and two important components:
HTTP methods, sent by the clients to the Web server, and HTTP status codes, sent from the Web server to the clients as the answer.
We reviewed a little of the TCP/IP protocol and how it's related to HTTP.
We will talk about logs and their importance.
We will identify key information in the Web server logs.
After that, we will do some analysis on the most common Web server software logs, like Apache, Nginx and Microsoft IIS.
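
The status-code families and the one-log-line-per-HTTP-request point from this lesson, as an added example that is not part of the original video or transcript. It assumes the Apache/Nginx "combined" log format; the sample lines, addresses and the 404 threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in "combined" log format (not real traffic).
# Each line is one HTTP request; the TCP handshake never appears here.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET /report HTTP/1.1" 500 0 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The five families described in the lesson, keyed by the first digit.
FAMILIES = {1: "informational", 2: "success", 3: "redirection",
            4: "client error", 5: "server error"}

def parse(log_text):
    """Yield one record per HTTP request line; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec

def summarize(log_text, not_found_threshold=3):
    """Count requests per status family and list clients with many 404s."""
    families = Counter()
    not_found = defaultdict(int)
    for rec in parse(log_text):
        families[FAMILIES.get(rec["status"] // 100, "unknown")] += 1
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    suspects = sorted(ip for ip, n in not_found.items() if n >= not_found_threshold)
    return dict(families), suspects

if __name__ == "__main__":
    fam, suspects = summarize(SAMPLE_LOG)
    print(fam)
    print("clients with repeated 404s:", suspects)
```

A client that collects many 404s in a short span is worth a closer look, since the lesson notes a 404 can come from someone trying to find information.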