Investigate various Attack on Web Application in this article explain different types of web application attack which is investigate through forensic investigator .
1. Investigating Cross-Site Scripting (XSS) Attack
In XSS attack or Cross Site Scripting attack, the attacker exploits the vulnerability in the web by injecting malicious script, mostly Javascript, HTML OF CSS markup in the web pages that is displayed in the user browser. This takes place when the user clicks on the malicious link.
With the implementation of proper firewalls, IDS, IPS, antivirus, etc., it becomes difficult for the attackers to perform attacks like XSS and SQL injection and bypass the security mechanisms. To avoid this, the attackers perform obfuscation techniques mentioned below to bypass them and perform malicious activities.
- Hex Encoding: Attackers use hex values of the characters to bypass the security mechanisms.
– Normal XSS script: <script> alert (“xss”)</script>
– Hex encoded XSS script: %3cscript%3ealert (“XSS”)%3c /script%3e> - In-line comment: Attackers use inline comments in middle of attack strings to bypass security mechanisms.
Code with inline comment:
id=/*!union*/+/*!select*/+1,2,concat(/*!table_name*/)+FrOm/*!information schema*/.tables/*!WhErE*/*!TaBlE_s ChEMa*/+like+database()– - Char encoding/ double encoding: Some of the Web Application Firewalls (WAFs) decode the hex encoded input and filters it, preventing an attack, To bypass them, the attackers might double encode the input. In such cases, some WAFs may not decode the input second time, inferring that the attackers successfully bypassed the WAF.
Code with char encoding:
id=1%252fW252a*/union%252f%252a/select %252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users– - Toggle Case: Some applications block the lowercase SQL keyword In such case, attackers toggle the code to bypass them.
Some firewalls contain the Regex Filter: /union\sselect/g. So, they may filter the suspicious code written in lower case letters.
Code with toggle case:
id=1,1=1+UnIoN/**/SeLecT/**/1,2,3– - Replaced Keywords: Some application and WAFs use preg_replace to remove all SQL keywords. Hence, the attackers use the following coding technique to bypass WAFs.
((\,%2F)IV)* : Checks the forward slash for a closing tag or its hex equivalent
Code with replaced Keywords:
id=l+UNunionION+SEselectLECT+1,2,3– - White space manipulation: As explained above, when attackers replace the keywords, some WAFs may replace the keywords with white space. In such case, the attackers use “%O=0b” to eliminate the space and bypass the firewalls.
Code with white space manipulation:
id=1+uni%0bon+se%0blect+1,2,3–
Related Product : Computer Hacking Forensic Investigator | CHFI
Investigating XSS: Using Regex to Search XSS Strings
When an attacker attacks the dynamic web page, there is a chance that he may use HTML formatting tags, such as <b> for bold and <I> for italic. He may also use script tags, such as <script>alert(“OK”)</script>. Sometimes, he can use the hex equivalent of the code. For example, the hex equivalent of the <script> is %3C%73%63%72%69%70%74%3E.
Regular expression
The following regular expression is the way to detect such types of attacks. It checks the Hi–Fyn opening and closing tags <> containing the text inside so that it can easily catch the <b>, <i>, and <script> contents:
/((\%3C) I<)((\%2F) V)*[a-z0-9\%]+((\,%3E) I>)/ix Where:
((\%3C)|<) : Checks for the opening angle bracket or its hex equivalent
[a-z0-9\%]+: Checks for the string present inside the tag that may be an alphanumeric string or its hex representation
((\%3E)|>): Checks for the closing angle bracket or its hex equivalent
2. Investigating SQL Injection Attacks
The SQL injection attacks incidents can be found at three locations as mentioned below:
IDS log files
IDS logs permit the system administrators to identify any successful intrusions. The generated logs can help to identify the attack trends and patterns that assist in determining security holes where the perpetrators plan to attack the most. In addition, it also retrieves information related to any possible security holes or policy oversights, and any servers on the network that have a higher risk of being attacked.
Database server logs files
These log files record each message that is stored in the database and enables fault acceptance in case the database needs to be restored.
Web server logs files
Web server log help in understanding how and when the website pages and applications , along with other related information, such as which pages are being accessed, by whom and when. Each web server generates log files that keep a record of the information regarding access to a specific HTML page or graphic.
The attack signature may look like this in the log file:
12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah” or 1=1 — 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah” or )1=1 (– 12:34:35 192.2.3.4 HEAD GET /login.asp?username=blah” or exec master..xp_cmdshell ‘net user test testpass —
3. Investigating SQL Injection Attacks (Cont’d)
Use specific regular expressions to detect the SQL Injection attacks. The administrators need to write expressions in such a way that they can identify all kinds of meta-data used in an SQL query like a semi-colon, double —dash, single-quote, double minus sign, etc., as well as their hex equivalents, Use these regular expressions to frame snort signatures and rules to detect SQL injection attacks. Snort rules with different regular expressions are used to detect SQL injection attacks on the web application.
4. Pen-Testing CSRF Validation Fields
Pen-Testing CSRF Validation Fields before filing the form is necessary to confirm the form validation before reaching the server. The above slide explains the process of Pen-testing of a form.
Also Read : Web Attack Investigation On Windows based Servers
5. Investigating Code Injection Attack
The executable instruction detector from the intrusion detection system and the series of sandbox execution environments that match the monitored application environments of the operating systems in the network are used for detecting the code injection attack. When the IDS find the series of executable instructions in the network traffic, it transfers those related packets’ payloads to the execution environment matched with the packet’s destination. The proper execution environment is determined with the help of the destination’s IP address of incoming packets.
After that, the packet payload gets executed in the matching monitored environment, and the result of the payload’s OS resource usage is passed to the IDS. If the report consists of evidence of the resource’s usage, then the IDS alerts the user regarding the incoming packet that contains the malicious data. In this way, the investigator can detect the code injection attack that will lead to the perpetrator.
6. Investigating Cookie Poisoning Attack
The detection of a cookie poisoning attack includes intrusion prevention products. These products trace the cookie’s “set” command given by the web server. For every set command, these products store information such as cookie name, cookie value, IP address, and the session to which the cookie was assigned. It also stores the assigned time.
After this, the IPS catches every HTTP request sent to the web server, removes the information from it, and compares it with all the stored cookies. If the attacker changes the cookie’s contents, then the IPS detects this changed information on a particular user and determines an attack has occurred. The investigator can view the IPS alerts regarding the Cookie Poisoning Attack to find the attacker.
Questions related to this topic
- What are Investigate various Attack on Web Application?
- What are the common threats in a web application?
- What are the strategies to secure Web applications?
- Where do hackers typically find information?
- How to Investigate various Attack on Web Application?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
