WEBVTT

00:00.000 --> 00:02.895
>> Hello everyone and
welcome back to the course,

00:02.895 --> 00:05.340
identifying web
attacks through logs.

00:05.340 --> 00:08.820
In the last video, we talked
about brute force attacks.

00:08.820 --> 00:11.100
This is Module 2, episode 4.

00:11.100 --> 00:12.810
In this video, we'll start

00:12.810 --> 00:15.195
talking about injection attacks.

00:15.195 --> 00:18.390
The first injection attack
will be SQL injections.

00:18.390 --> 00:21.195
To start, let's check
the video objectives.

00:21.195 --> 00:24.540
First, a brief introduction
of injection attacks.

00:24.540 --> 00:27.510
After that, we'll
review SQL attacks,

00:27.510 --> 00:29.550
SQL injection attacks,

00:29.550 --> 00:31.830
followed by performing
web analysis to

00:31.830 --> 00:35.160
identify SQL injection attacks.

00:35.160 --> 00:39.795
Injection attacks are
related to OWASP Top 10 A1.

00:39.795 --> 00:43.200
In 2007, it was a
top vulnerability.

00:43.200 --> 00:46.680
Injections are so common
that OWASP classified it

00:46.680 --> 00:51.239
as a top vulnerability
in 2010 and 2013 as well.

00:51.239 --> 00:54.075
Here's the
definition from OWASP.

00:54.075 --> 00:55.860
Injection attacks occur when

00:55.860 --> 00:58.770
the central request contains
some unexpected data,

00:58.770 --> 01:02.170
and this data is executed
by the web server.

01:02.240 --> 01:05.700
Remember, the web
server doesn't care

01:05.700 --> 01:06.839
about the request.

01:06.839 --> 01:08.595
If the request is malicious,

01:08.595 --> 01:11.070
the web server will
still process it.

01:11.070 --> 01:13.725
SQL injection is one type
of injection attack.

01:13.725 --> 01:16.155
There are many other
injection attacks.

01:16.155 --> 01:19.395
Here's a list of some
of them, SQL injection,

01:19.395 --> 01:20.775
file injection, and others.

01:20.775 --> 01:24.555
But in this video, we'll
focus on SQL injection.

01:24.555 --> 01:26.160
Because of the multi-layer

01:26.160 --> 01:27.539
web application architecture,

01:27.539 --> 01:30.075
the client should only
access the web server.

01:30.075 --> 01:32.085
In an SQL injection attack,

01:32.085 --> 01:34.245
the client sends the
request to the web server,

01:34.245 --> 01:35.400
but the web server will send

01:35.400 --> 01:36.525
the request to the database,

01:36.525 --> 01:38.190
and the database
will process it.

01:38.190 --> 01:39.870
Depending on the request,

01:39.870 --> 01:42.585
the database can execute
unexpected commands.

01:42.585 --> 01:44.250
These commands that come back to

01:44.250 --> 01:47.235
the database server can
impact the web application.

01:47.235 --> 01:50.580
SQL injection is considered
a critical vulnerability,

01:50.580 --> 01:53.620
it directly affects
the database server.

01:54.080 --> 01:58.215
Here we have a comic strip
joke about SQL injection.

01:58.215 --> 01:59.820
Here the impact was losing

01:59.820 --> 02:01.470
the entire database
of the students.

02:01.470 --> 02:02.640
This could be fun,

02:02.640 --> 02:05.835
but if this happens in a
production environment,

02:05.835 --> 02:07.860
the consequences
could be tragic.

02:07.860 --> 02:10.425
Let's talk about SQL injection.

02:10.425 --> 02:12.870
Here are some
considerations to keep in

02:12.870 --> 02:15.450
mind with SQL injection attacks.

02:15.450 --> 02:19.315
It needs to use SQL or the
database won't process it.

02:19.315 --> 02:21.095
Usually, it's caused by

02:21.095 --> 02:23.000
incorrect user input validation

02:23.000 --> 02:25.390
like allowing special
characters in the form.

02:25.390 --> 02:29.730
It's an old attack, we've
known about it since 1998.

02:29.730 --> 02:33.000
It's also more common
on legacy applications.

02:33.000 --> 02:34.590
It's a server-side attack,

02:34.590 --> 02:36.825
and it has some
types like blind,

02:36.825 --> 02:40.330
classic, union-based,
and error-based.

02:40.550 --> 02:43.590
In our lab, there's a web
application vulnerable

02:43.590 --> 02:46.050
to SQL injection attacks.

02:46.050 --> 02:48.210
It's simple, it's
just a form with

02:48.210 --> 02:51.060
only one text box
to put the user ID.

02:51.060 --> 02:52.740
If we try the number 1,

02:52.740 --> 02:54.765
we have the admin
user information.

02:54.765 --> 02:57.945
Here you have the request
made to the web server.

02:57.945 --> 02:59.760
It's a simple request.

02:59.760 --> 03:03.690
You can see that the ID has
the number 1, the admin ID.

03:03.690 --> 03:05.925
The information about
the admin is shown.

03:05.925 --> 03:09.810
But if we don't send a
number, what happens?

03:09.810 --> 03:12.960
This is an example of
a malicious request.

03:12.960 --> 03:15.195
To summarize this
user ID request,

03:15.195 --> 03:16.410
you say to the database,

03:16.410 --> 03:18.360
I want all the user IDs that are

03:18.360 --> 03:20.895
equal to 'a' or 1 equals 1.

03:20.895 --> 03:22.890
1 equals 1 is always true,

03:22.890 --> 03:25.650
so the database will
send all the usernames.

03:25.650 --> 03:27.870
This is the result
of the request,

03:27.870 --> 03:31.740
all usernames and information
about the usernames.

03:31.740 --> 03:34.275
Now, maybe you're thinking,

03:34.275 --> 03:38.730
can the web server logs
identify SQL injection attacks?

03:38.730 --> 03:42.210
Let's analyze both
request web server logs.

03:42.210 --> 03:45.135
The first is the ID
number 1 request,

03:45.135 --> 03:47.700
and the second logline
is a malicious request.

03:47.700 --> 03:50.685
Notice that whatever
you put in the user ID,

03:50.685 --> 03:52.140
will be sent to the web server

03:52.140 --> 03:53.775
and to the database server.

03:53.775 --> 03:55.680
Another important thing is

03:55.680 --> 03:57.764
that this request is encoded.

03:57.764 --> 03:58.860
After decoding,

03:58.860 --> 04:01.469
we'll see the same
request that we used.

04:01.469 --> 04:03.105
Because of the SQL,

04:03.105 --> 04:04.980
it's easy to see
encoded requests

04:04.980 --> 04:07.365
during SQL injection attacks.

04:07.365 --> 04:08.910
It's important to notice that

04:08.910 --> 04:11.130
the web server answered
both requests,

04:11.130 --> 04:13.755
and this includes the
malicious request.

04:13.755 --> 04:15.975
Depending on your
web application,

04:15.975 --> 04:17.985
this would mean that
your application

04:17.985 --> 04:20.760
is vulnerable to
the SQL injection.

04:20.760 --> 04:24.825
Now, let's analyze
these three loglines.

04:24.825 --> 04:27.900
These lines were generated
by the sqlmap tool.

04:27.900 --> 04:30.780
sqlmap is a well-known
tool used to perform

04:30.780 --> 04:33.510
vulnerability scans
or to perform

04:33.510 --> 04:35.639
SQL injection attacks.

04:35.639 --> 04:37.560
Many of the
vulnerability scans

04:37.560 --> 04:40.305
can execute SQL injections.

04:40.305 --> 04:42.375
So during the
vulnerability scans,

04:42.375 --> 04:44.745
it's possible to
see SQL injections.

04:44.745 --> 04:46.785
Depending on the policy
of your company,

04:46.785 --> 04:49.440
you can classify the attack
as a vulnerability scan,

04:49.440 --> 04:52.660
or as an SQL injection attack.

04:52.670 --> 04:55.470
Again, the user agent

04:55.470 --> 04:58.120
can help you in
identifying the attack.

04:58.880 --> 05:01.035
Analyzing the logs,

05:01.035 --> 05:03.510
you should see SQL-related
words or commands

05:03.510 --> 05:08.159
like and, select, case,
when, union, and others.

05:08.159 --> 05:11.040
Always check the
response of the web server.

05:11.040 --> 05:13.515
On the previous slide,
the answer was 200,

05:13.515 --> 05:15.705
so the web server
answered the request.

05:15.705 --> 05:17.295
In the three loglines,

05:17.295 --> 05:19.560
we have 302,
which is a redirection.

05:19.560 --> 05:21.240
Sometimes you need to correlate

05:21.240 --> 05:24.850
more than one logline to
understand the entire attack.

05:25.250 --> 05:27.465
For further information,

05:27.465 --> 05:31.305
here are the same three
loglines, but now decoded.

05:31.305 --> 05:33.675
If you don't know
about SQL commands,

05:33.675 --> 05:35.910
you can ask your database
admins if these commands

05:35.910 --> 05:38.520
are malicious or could
impact the database server.

05:38.520 --> 05:40.680
In the next slide, we'll analyze

05:40.680 --> 05:46.920
two more loglines.
Here they are.

05:46.920 --> 05:49.560
Again, we used sqlmap,

05:49.560 --> 05:51.630
but we changed the user agent.

05:51.630 --> 05:55.875
You can notice that the encoded
requests send many SQL words.

05:55.875 --> 05:57.780
In the second
logline, you have the

05:57.780 --> 05:59.880
where and the exec commands.

05:59.880 --> 06:01.710
Taking a better
look, you can find

06:01.710 --> 06:03.570
more commands and
words, but related to the

06:03.570 --> 06:07.245
Linux operating system,
like cat and /etc/passwd,

06:07.245 --> 06:11.470
and in this slide,
the decoded request.

06:11.510 --> 06:16.995
One more question. What
about POST requests?

06:16.995 --> 06:18.960
To analyze POST requests,

06:18.960 --> 06:21.300
you need more logs
from other sources.

06:21.300 --> 06:23.805
A good source is
the packet capture.

06:23.805 --> 06:25.590
For example, this is

06:25.590 --> 06:27.960
a web server log
for a POST request.

06:27.960 --> 06:29.970
The web server log only shows

06:29.970 --> 06:31.980
the POST request
to the login page,

06:31.980 --> 06:34.050
there's no information
about the request.

06:34.050 --> 06:35.625
But in the packet capture,

06:35.625 --> 06:37.860
you see the HTTP request

06:37.860 --> 06:39.825
and all the form
data that was sent.

06:39.825 --> 06:42.510
Notice that this request is
similar to our examples,

06:42.510 --> 06:45.555
although it's not that easy
to get a packet capture.

06:45.555 --> 06:46.995
But if it's possible,

06:46.995 --> 06:48.990
you should try and ask for them.

06:48.990 --> 06:53.820
To summarize, how do you
identify the SQL injection?

06:53.820 --> 06:56.595
First, SQL commands like from,

06:56.595 --> 06:58.725
select, where, and others.

06:58.725 --> 07:01.050
Look for encoded requests.

07:01.050 --> 07:04.185
Also, remember to
look for user agents

07:04.185 --> 07:07.635
and the operating system
related commands or words.

07:07.635 --> 07:09.180
Now, let's do

07:09.180 --> 07:12.015
some post-assessment
questions to practice.

07:12.015 --> 07:15.270
In the first question,
analyze the log below,

07:15.270 --> 07:17.295
and identify the web
application attack.

07:17.295 --> 07:20.475
After, choose the option
with the correct attack.

07:20.475 --> 07:23.170
You can pause the
video if you want.

07:25.370 --> 07:28.590
It's easy to see that
this log is big,

07:28.590 --> 07:30.450
and it contains a
lot of encoding.

07:30.450 --> 07:32.040
In addition, it's easy to find

07:32.040 --> 07:33.795
the SQL words like select,

07:33.795 --> 07:35.745
and, count, and others.

07:35.745 --> 07:39.180
So this is an SQL
injection attack.

07:39.180 --> 07:41.055
For further information,

07:41.055 --> 07:45.180
here is the decoded request
showing the SQL request.

07:45.180 --> 07:47.565
Now, check this affirmation.

07:47.565 --> 07:49.470
Web server logs will show

07:49.470 --> 07:51.690
all information
about user actions.

07:51.690 --> 07:54.850
Is this affirmation
true or false?

07:56.150 --> 07:59.100
This affirmation is false.

07:59.100 --> 08:01.560
If the web application
uses POST or

08:01.560 --> 08:03.945
if the web server log
configuration is wrong,

08:03.945 --> 08:05.985
many of the logs can't help you.

08:05.985 --> 08:07.560
If this happens, you

08:07.560 --> 08:09.150
need to ask for the
right configuration,

08:09.150 --> 08:14.235
or for other logs.
Video summary.

08:14.235 --> 08:15.750
In this video, we talked about

08:15.750 --> 08:17.460
the types of injection attacks,

08:17.460 --> 08:19.170
SQL injection attacks,

08:19.170 --> 08:21.105
some directions to identify

08:21.105 --> 08:22.860
SQL injection attacks
in the web server

08:22.860 --> 08:24.930
logs like SQL commands,

08:24.930 --> 08:26.820
encoded requests, user agent,

08:26.820 --> 08:29.115
and operating system commands.

08:29.115 --> 08:30.930
After that, we showed the difference

08:30.930 --> 08:32.685
between POST and GET requests,

08:32.685 --> 08:34.680
showing an example
of a packet capture

08:34.680 --> 08:37.540
with an SQL injection attack.

08:38.090 --> 08:40.620
In the next video, we'll keep

08:40.620 --> 08:42.630
talking about injection attacks.

08:42.630 --> 08:45.930
We'll discuss file injection
or file inclusion,

08:45.930 --> 08:47.625
and the two types of inclusion:

08:47.625 --> 08:50.980
local and remote file inclusion.

