WEBVTT

00:00.000 --> 00:02.430
>> Hello and welcome
back to the course,

00:02.430 --> 00:04.740
Identifying Web
Attacks Through Logs.

00:04.740 --> 00:06.480
In the last video,
we talked about

00:06.480 --> 00:09.480
injection attacks and
SQL injection attacks.

00:09.480 --> 00:11.250
In this video, we'll talk about

00:11.250 --> 00:14.475
another injection attack
called file inclusion.

00:14.475 --> 00:16.515
Let's see the video objectives.

00:16.515 --> 00:18.090
The video objectives are

00:18.090 --> 00:20.625
understanding the local
and remote file attacks,

00:20.625 --> 00:23.880
and identifying these attacks
using web server logs.

00:23.880 --> 00:27.955
First, let's discuss
file inclusion attacks.

00:27.955 --> 00:31.715
As we said before, it's
an injection attack.

00:31.715 --> 00:33.155
It's usually caused by

00:33.155 --> 00:35.570
incorrectly using
input validation.

00:35.570 --> 00:38.650
It's common to see directory
traversal characters.

00:38.650 --> 00:40.390
There are two types:

00:40.390 --> 00:42.380
local file inclusion,
which accesses and

00:42.380 --> 00:44.540
executes local
files or commands,

00:44.540 --> 00:46.640
and remote file inclusion, which

00:46.640 --> 00:49.865
accesses and executes remote
files or commands.

00:49.865 --> 00:53.460
File inclusion is a
server-side attack.

00:53.680 --> 00:57.455
Here you can see how
file inclusion works.

00:57.455 --> 00:59.390
First, local.

00:59.390 --> 01:01.625
Our request is sent to
the server and answered,

01:01.625 --> 01:04.265
so it all happens
in the same server.

01:04.265 --> 01:07.280
Remote file inclusion
is a little different.

01:07.280 --> 01:10.159
The user sends the request
through the web server and

01:10.159 --> 01:11.690
the web server sends

01:11.690 --> 01:14.570
the request to another web
server, a remote server.

01:14.570 --> 01:16.925
That's why it's called
remote file inclusion.

01:16.925 --> 01:19.250
You need two different servers.

01:19.250 --> 01:21.680
In our lab, we have
a web application

01:21.680 --> 01:23.510
that is vulnerable to
the file inclusion,

01:23.510 --> 01:26.040
both local and remote.

01:26.110 --> 01:29.060
Here's an example
of local inclusion.

01:29.060 --> 01:31.430
Passwd is a file that contains

01:31.430 --> 01:34.280
the passwords for all the
users in a Linux machine.

01:34.280 --> 01:36.560
You can see the directory
traversal characters

01:36.560 --> 01:38.290
which change their directories.

01:38.290 --> 01:40.950
The result is the passwd file

01:40.950 --> 01:43.340
will be read and
displayed in the webpage,

01:43.340 --> 01:45.870
as you can see in the picture.

01:45.880 --> 01:49.725
Now, let's analyze
some logs together.

01:49.725 --> 01:53.005
The first logline is
a normal request.

01:53.005 --> 01:55.600
The second logline is a direct

01:55.600 --> 01:57.534
request to the passwd file

01:57.534 --> 02:01.765
and the web server answer
is not found, the 404.

02:01.765 --> 02:04.105
The request didn't answer.

02:04.105 --> 02:06.085
In the third line,

02:06.085 --> 02:08.155
we have a 200 as our answer,

02:08.155 --> 02:11.365
so the web server
found the passwd file.

02:11.365 --> 02:14.185
Notice the difference
between the two requests.

02:14.185 --> 02:17.105
The next line is the same
request but encoded.

02:17.105 --> 02:19.355
As you can see, it worked.

02:19.355 --> 02:22.290
The web server answered
the passwd file.

02:22.290 --> 02:24.880
Since the passwd is local,

02:24.880 --> 02:27.745
this attack is a
local inclusion.

02:27.745 --> 02:32.230
In these examples, we had
access to critical files.

02:32.230 --> 02:34.060
It's also possible to execute

02:34.060 --> 02:36.549
commands on the web server.

02:36.549 --> 02:39.730
In this table, we
have a summary of

02:39.730 --> 02:43.705
the most common target files
for each personal system.

02:43.705 --> 02:47.905
If you want, pause the
video and take some notes.

02:47.905 --> 02:50.170
Now, some directions to help

02:50.170 --> 02:52.450
you identify the
local file inclusion.

02:52.450 --> 02:54.790
Look for operating
system commands

02:54.790 --> 02:56.590
and files, new files,

02:56.590 --> 03:00.880
encoded requests, and
slashes in the requests.

03:00.880 --> 03:02.800
You can go to this
website and look for

03:02.800 --> 03:05.240
more examples of
local file inclusion.

03:05.240 --> 03:07.875
The next is the remote
file inclusion.

03:07.875 --> 03:09.695
We'll use the same lab.

03:09.695 --> 03:12.805
The difference between remote
and local file inclusion

03:12.805 --> 03:14.955
is where the
resource is located.

03:14.955 --> 03:17.000
The remote file
inclusion needs to

03:17.000 --> 03:19.310
access another server's files.

03:19.310 --> 03:21.650
In our example, we

03:21.650 --> 03:23.990
will access the Google
website from our lab.

03:23.990 --> 03:26.330
In the result, you can see that

03:26.330 --> 03:29.135
the Google search bar is
loaded in the lab web page.

03:29.135 --> 03:31.520
The remote server
is a Google server.

03:31.520 --> 03:35.335
The remote file inclusion
accesses remote servers.

03:35.335 --> 03:37.465
Now, maybe you're
thinking, "Well,

03:37.465 --> 03:39.680
I don't have access
to the remote server.

03:39.680 --> 03:42.830
Can I find the remote file
inclusion attack logs

03:42.830 --> 03:44.330
on my web server?"

03:44.330 --> 03:46.130
Yes, you can find

03:46.130 --> 03:48.590
the logs of the attack
on your web server.

03:48.590 --> 03:50.510
Access to other web servers is

03:50.510 --> 03:52.360
a consequence of the attack.

03:52.360 --> 03:55.320
Your web server
is the target.

03:55.320 --> 03:58.260
That's why we will
have the logs.

03:58.260 --> 04:00.975
Let's analyze some logs.

04:00.975 --> 04:04.880
The first line is the request
to the vulnerable page.

04:04.880 --> 04:07.625
Notice that there are
some log fields missing,

04:07.625 --> 04:10.760
like user agent, IP
address, and date and time.

04:10.760 --> 04:13.265
They were removed to save space.

04:13.265 --> 04:16.175
In the second line, we have
the malicious request.

04:16.175 --> 04:18.875
Another page is accessed
from our webpage,

04:18.875 --> 04:21.635
in this case, the
Google webpage.

04:21.635 --> 04:23.120
All the other logs are

04:23.120 --> 04:25.865
our web server requesting
the Google web page.

04:25.865 --> 04:29.495
Our web server is downloading
the Google webpage.

04:29.495 --> 04:31.460
That's why we have similar logs,

04:31.460 --> 04:33.560
most of them are pictures.

04:33.560 --> 04:36.830
The full log of this
request is bigger.

04:36.830 --> 04:38.870
Here we only have a small part,

04:38.870 --> 04:41.525
but all the requests
are similar.

04:41.525 --> 04:43.880
You can use the
same directions to

04:43.880 --> 04:47.280
identify remote and
local inclusion.

04:47.470 --> 04:51.635
Here are some directions
more related to remote.

04:51.635 --> 04:53.990
Look for weird requests.

04:53.990 --> 04:56.675
As we showed in
our other example,

04:56.675 --> 04:58.715
requests for another
web server, like

04:58.715 --> 05:01.500
outside traffic,
are suspicious.

05:01.500 --> 05:04.450
If the server is accessing
a remote server,

05:04.450 --> 05:05.950
maybe you can see an increase in

05:05.950 --> 05:07.630
web server download traffic.

05:07.630 --> 05:12.340
Here too, look for encoded
requests and the user agent.

05:12.340 --> 05:14.230
Look for uncommon user agents or

05:14.230 --> 05:16.734
vulnerability scanners.

05:16.734 --> 05:19.660
Post-assessment question.

05:19.660 --> 05:21.640
Analyze the web server log

05:21.640 --> 05:23.740
below and choose
the type of attack.

05:23.740 --> 05:26.080
You can pause the
video if you'd like.

05:26.080 --> 05:30.550
The answer is number 4,
remote file inclusion.

05:30.550 --> 05:33.550
Let's analyze the log
together and see why.

05:33.550 --> 05:36.355
We have the IP address,
date and time,

05:36.355 --> 05:39.745
and the requested file,
and we have the GET method.

05:39.745 --> 05:41.680
If you look at the
requested file,

05:41.680 --> 05:43.870
you can see there's another
address in the page,

05:43.870 --> 05:46.445
so we have a remote
file inclusion

05:46.445 --> 05:49.225
because we're trying to
access a remote server.

05:49.225 --> 05:51.925
Here is the Cybrary webpage.

05:51.925 --> 05:53.435
All the other fields are okay.

05:53.435 --> 05:55.805
We have the 200,
that means okay,

05:55.805 --> 05:59.050
we have the referrer
and the user agent.

05:59.050 --> 06:01.305
For the next question,

06:01.305 --> 06:03.570
analyze the web log
below and identify

06:03.570 --> 06:06.485
which webpage is vulnerable
to file inclusion attack.

06:06.485 --> 06:08.480
Here you have the
request and you have

06:08.480 --> 06:10.370
a small part of
the full webpage,

06:10.370 --> 06:13.055
but you can see the
malicious request.

06:13.055 --> 06:15.200
Although if you look
at the referrer,

06:15.200 --> 06:16.940
we can see there's no webpage.

06:16.940 --> 06:19.550
Remember that the referrer
can be crafted too,

06:19.550 --> 06:21.110
but sometimes it can help.

06:21.110 --> 06:22.460
In this case, it's
possible to find

06:22.460 --> 06:25.620
the vulnerable webpage.
Here's the answer.

06:25.910 --> 06:28.970
Video summary. In this video,

06:28.970 --> 06:30.830
we learned about
local and remote file

06:30.830 --> 06:33.365
inclusion attacks and
their differences.

06:33.365 --> 06:35.240
We used it in our
lab to generate

06:35.240 --> 06:38.120
some web server logs and
analyzing the web server logs,

06:38.120 --> 06:40.340
we identified both
types of attacks;

06:40.340 --> 06:42.710
local and remote file inclusion.

06:42.710 --> 06:45.650
We also gave some directions
to identify the attacks

06:45.650 --> 06:48.229
like weird requests,
encoded requests,

06:48.229 --> 06:49.790
user agents, requests with

06:49.790 --> 06:52.130
operating system
commands or files,

06:52.130 --> 06:53.660
requests with many slashes,

06:53.660 --> 06:55.520
and some specific directions

06:55.520 --> 06:56.645
for the remote file inclusion,

06:56.645 --> 06:59.480
like the request to the outside.

06:59.480 --> 07:03.500
In the next video, we'll
analyze cross-site scripting

07:03.500 --> 07:05.030
attacks and we'll identify

07:05.030 --> 07:08.550
the attack using
web server logs.

