WEBVTT

00:00.000 --> 00:02.940
>> Hello everyone and
welcome back to the course,

00:02.940 --> 00:05.385
Identifying Web
Attacks Through Logs.

00:05.385 --> 00:07.320
In the last video,
we talked about

00:07.320 --> 00:09.645
file inclusion and its
types of attacks.

00:09.645 --> 00:11.310
In this video, we'll talk

00:11.310 --> 00:13.410
about cross-site
scripting attacks.

00:13.410 --> 00:16.795
Let's start by talking
about the video objectives.

00:16.795 --> 00:18.420
The video objectives are to

00:18.420 --> 00:20.250
review cross-site
scripting attacks

00:20.250 --> 00:22.890
and identify cross-site
scripting attacks

00:22.890 --> 00:24.989
with log analysis.

00:24.989 --> 00:27.210
Now, let's do
a brief review of

00:27.210 --> 00:30.300
cross-site scripting attacks
and injection attacks.

00:30.300 --> 00:32.640
It's also a client-side attack.

00:32.640 --> 00:35.010
Pages with forms and forums are

00:35.010 --> 00:36.480
the most common examples that

00:36.480 --> 00:39.110
offer cross-site
scripting attacks,

00:39.110 --> 00:41.299
usually they use JavaScript

00:41.299 --> 00:43.095
processed by the user browser.

00:43.095 --> 00:44.690
There are two types of

00:44.690 --> 00:48.155
cross-site scripting: stored,
when the untrusted data

00:48.155 --> 00:50.180
is saved in a web server and

00:50.180 --> 00:53.405
reflected, when no data is
saved in the web server.

00:53.405 --> 00:55.565
This means that in
the stored type,

00:55.565 --> 00:57.170
the attacker needs to change

00:57.170 --> 00:59.390
the web page while in
the reflected one,

00:59.390 --> 01:02.960
the untrusted data is
sent and processed.

01:02.960 --> 01:05.930
One of the causes of
cross-site scripting

01:05.930 --> 01:08.460
is incorrect user
input validation,

01:08.460 --> 01:12.319
and this is on topic
A7 of the 2017 OWASP

01:12.319 --> 01:14.184
Top 10 project.

01:14.184 --> 01:16.070
Check these two
websites to get

01:16.070 --> 01:18.695
more information about
cross-site scripting.

01:18.695 --> 01:23.480
Now, let's see together how
cross-site scripting works.

01:23.480 --> 01:25.340
The process is like this.

01:25.340 --> 01:27.620
The user accesses the website.

01:27.620 --> 01:30.320
The web server will
then answer the request.

01:30.320 --> 01:33.755
The user browser will process
the web server answer,

01:33.755 --> 01:36.800
and if the answer contains
a malicious code,

01:36.800 --> 01:39.160
it will be executed
by the browser.

01:39.160 --> 01:41.600
Some actions that are common
on cross-site scripting

01:41.600 --> 01:44.195
are redirections to other
sites, crypto mining,

01:44.195 --> 01:46.550
credential theft,
or in some cases,

01:46.550 --> 01:47.810
infecting the user's computer

01:47.810 --> 01:50.610
with malware or backdoors.

01:51.229 --> 01:54.060
Let's start
analyzing the attack.

01:54.060 --> 01:55.905
The first will be reflected.

01:55.905 --> 01:57.410
Here we have a website that is

01:57.410 --> 01:59.240
vulnerable to
cross-site scripting.

01:59.240 --> 02:01.730
Whatever we put inside
this text box will be

02:01.730 --> 02:04.720
displayed in the web page
after this submission.

02:04.720 --> 02:07.805
For example, if we
put log analysis,

02:07.805 --> 02:10.790
it will say, "Hello
log analysis."

02:10.790 --> 02:12.170
What do you think will happen

02:12.170 --> 02:13.519
if we add in this text box

02:13.519 --> 02:17.125
a JavaScript
code like this one?

02:17.125 --> 02:20.710
The JavaScript loads and
alerts the user browser.

02:20.710 --> 02:23.730
In this picture, you
can see the alert.

02:23.730 --> 02:25.790
You'll notice that the
same text that we put into

02:25.790 --> 02:28.280
the text box is
displayed in the alert.

02:28.280 --> 02:30.050
This means that the
web server accepted

02:30.050 --> 02:31.910
the JavaScript and
sent it to the client.

02:31.910 --> 02:33.470
When the web server answer

02:33.470 --> 02:35.240
is processed by
the user browser,

02:35.240 --> 02:36.740
it will load the JavaScript that

02:36.740 --> 02:39.280
says, "There is an alert."

02:39.440 --> 02:42.410
Now, together, let's

02:42.410 --> 02:45.250
analyze the logs from
the two actions.

02:45.250 --> 02:47.550
In the first, nothing's wrong,

02:47.550 --> 02:49.965
just hello log analysis.

02:49.965 --> 02:52.115
Since the website
uses the GET method,

02:52.115 --> 02:53.810
we can see the request and here

02:53.810 --> 02:56.195
you have the log
analysis string.

02:56.195 --> 02:59.465
The second log contains
the JavaScript alert.

02:59.465 --> 03:02.510
Then you see that we have a
lot of encoded characters.

03:02.510 --> 03:07.025
Remember, the web server only
accepts ASCII characters.

03:07.025 --> 03:08.390
Here you see that during the

03:08.390 --> 03:09.769
cross-site scripting attack,

03:09.769 --> 03:12.830
the attacker needs to use
a lot of encoded characters.

03:12.830 --> 03:14.750
This is one behavior
of cross-site

03:14.750 --> 03:18.000
scripting attacks that
you can see in the logs.

03:18.619 --> 03:20.690
How do you identify the

03:20.690 --> 03:23.490
reflected cross-site
scripting attacks?

03:23.490 --> 03:25.555
One of the ways is
to look for script

03:25.555 --> 03:28.060
HTML text in the request.

03:28.060 --> 03:30.905
Also look for JavaScript
code in the request.

03:30.905 --> 03:32.680
Since cross-site scripting needs

03:32.680 --> 03:34.015
to use encoded characters,

03:34.015 --> 03:35.590
if you see a lot of
encoded characters

03:35.590 --> 03:36.699
in the same request,

03:36.699 --> 03:39.055
it's better to
take a closer look.

03:39.055 --> 03:41.590
Since the attacker needs
to craft their request,

03:41.590 --> 03:44.720
look for unexpected user agents.

03:44.720 --> 03:48.715
The next type of cross-site
scripting is stored.

03:48.715 --> 03:52.720
As I said before, stored
cross-site scripting attacks

03:52.720 --> 03:54.250
change the web page.

03:54.250 --> 03:57.170
For example, here we
have a message board.

03:57.170 --> 04:00.310
Like a forum, you put in
your name and a message,

04:00.310 --> 04:02.635
and it will be stored
in the web page.

04:02.635 --> 04:05.510
Can you guess how
the attack occurs?

04:05.510 --> 04:07.760
You can see here that we have

04:07.760 --> 04:10.880
two messages.
Everything looks okay.

04:10.880 --> 04:12.350
To perform the attack,

04:12.350 --> 04:14.480
we need to send the server
the malicious request,

04:14.480 --> 04:17.035
like this alert
message in JavaScript.

04:17.035 --> 04:19.950
Now, whenever we
access the web page,

04:19.950 --> 04:21.330
the alert message will show,

04:21.330 --> 04:22.550
and the message board will show

04:22.550 --> 04:24.395
nothing in the message part.

04:24.395 --> 04:26.900
This happens because our message

04:26.900 --> 04:28.100
contains the script text

04:28.100 --> 04:30.829
and the script text
doesn't show as text.

04:30.829 --> 04:33.480
They are executed
by the browser.

04:33.610 --> 04:37.985
Now, let's check the web
server logs from this attack.

04:37.985 --> 04:39.710
The first two lines
of the logs are for

04:39.710 --> 04:41.675
a non-malicious use
of the website.

04:41.675 --> 04:44.480
We have the POST, the time
that we sent some data

04:44.480 --> 04:46.550
to the web server,
and after, the GET

04:46.550 --> 04:48.829
to reload the web page.

04:48.829 --> 04:52.035
The next two lines are
the logs from the attack.

04:52.035 --> 04:55.630
What's the problem here? Can
you identify the attack?

04:55.630 --> 04:57.985
Remember that on
the post request,

04:57.985 --> 04:59.630
the payload has the action,

04:59.630 --> 05:00.790
and that's why we can't see

05:00.790 --> 05:02.695
the request in the
web server log.

05:02.695 --> 05:04.810
If you analyze the
two post logs,

05:04.810 --> 05:07.850
you can see that the two
lines are almost the same.

05:07.850 --> 05:10.115
Now maybe you're thinking, well,

05:10.115 --> 05:11.350
how can I identify the attack

05:11.350 --> 05:13.300
if I don't see the
web server log?

05:13.300 --> 05:15.175
As I said before, there are

05:15.175 --> 05:17.395
other log sources
that can help us.

05:17.395 --> 05:20.720
The IPS or IDS is one of them.

05:20.720 --> 05:22.875
They analyze the full packet.

05:22.875 --> 05:24.250
With the full packet,

05:24.250 --> 05:25.900
it can see the
malicious requests,

05:25.900 --> 05:27.339
like in this picture.

05:27.339 --> 05:29.065
In this case, the
log is different,

05:29.065 --> 05:31.020
but it can see the request.

05:31.020 --> 05:33.170
Inside the request, you can see

05:33.170 --> 05:35.855
the malicious code that was
sent to the web server.

05:35.855 --> 05:40.360
If your IPS is in the block
mode, the attack will fail.

05:40.360 --> 05:42.860
One example of cross-site
scripting attacks

05:42.860 --> 05:44.160
is crypto mining.

05:44.160 --> 05:45.710
Since the attack can
add some code on

05:45.710 --> 05:48.425
the web page, whenever
users access the web page,

05:48.425 --> 05:50.920
the user browser
processes the web page.

05:50.920 --> 05:53.855
If the web page has a
command in its code that

05:53.855 --> 05:55.280
is asking the web server to

05:55.280 --> 05:57.290
start the crypto mining process,

05:57.290 --> 05:59.180
the web browser will do it.

05:59.180 --> 06:01.910
This can make the user's
device run slower.

06:01.910 --> 06:04.190
You can check this
website to see more about

06:04.190 --> 06:07.290
crypto mining cross-site
scripting attacks.

06:08.440 --> 06:12.620
Stored cross-site scripting
changes the web page.

06:12.620 --> 06:13.970
One of the ways to confirm

06:13.970 --> 06:16.250
the attack is to check
the web page code.

06:16.250 --> 06:18.440
During your analysis,
you can look for

06:18.440 --> 06:20.735
script text in
unexpected places.

06:20.735 --> 06:23.255
Here's the code of our
vulnerable web page.

06:23.255 --> 06:25.145
Since this is a small page,

06:25.145 --> 06:27.575
it will be easy to find
the malicious code.

06:27.575 --> 06:30.720
The malicious code is this here.

06:31.330 --> 06:33.560
There are many payloads that are

06:33.560 --> 06:35.705
used to perform
cross-site scripting.

06:35.705 --> 06:37.550
This website contains
some examples

06:37.550 --> 06:40.410
of cross-site
scripting payloads.

06:40.930 --> 06:44.585
The way to identify stored
cross-site scripting

06:44.585 --> 06:46.375
is almost the same
as with reflected.

06:46.375 --> 06:48.920
Although since it commonly
uses the post request,

06:48.920 --> 06:52.610
it's better to have more
log sources like the IPS.

06:52.610 --> 06:54.110
If possible, check

06:54.110 --> 06:57.810
the web page code and look
for malicious commands.

06:58.310 --> 07:01.230
Post assessment question.

07:01.230 --> 07:03.770
There is no difference
between stored and

07:03.770 --> 07:05.990
reflected cross-site
scripting attacks.

07:05.990 --> 07:09.330
Is this affirmation
true or false?

07:09.350 --> 07:12.805
This affirmation is false.

07:12.805 --> 07:14.510
Although the attacks
are similar,

07:14.510 --> 07:16.280
there are some
differences between them.

07:16.280 --> 07:19.920
The difference changes
the way we identify them.

07:20.450 --> 07:23.150
For the next question, analyze

07:23.150 --> 07:26.150
the web log below and identify
which part is malicious.

07:26.150 --> 07:28.885
You can pause the
video if you'd like.

07:28.885 --> 07:31.665
Let's analyze the log together.

07:31.665 --> 07:33.730
First we have the
client's IP address,

07:33.730 --> 07:35.410
followed by the date and time.

07:35.410 --> 07:38.170
After that we have the GET method
and the requested file.

07:38.170 --> 07:40.315
After it, we have
a 200 status code.

07:40.315 --> 07:42.895
That means OK. Besides,

07:42.895 --> 07:44.530
we don't have the
referrer, and at

07:44.530 --> 07:47.350
the end we have the user agent.

07:47.350 --> 07:49.720
As I said before,
many of the attacks

07:49.720 --> 07:51.940
can be identified in
the requested file.

07:51.940 --> 07:54.160
Do you think that we have a
lot of encoded characters in

07:54.160 --> 07:57.040
the requested file or
does it look normal?

07:57.040 --> 08:00.100
Even if you think that
this request looks normal,

08:00.100 --> 08:02.560
we do have a lot
of encoded characters.

08:02.560 --> 08:05.800
We can see the script
word. Did you see it?

08:05.800 --> 08:07.855
To make things more clear,

08:07.855 --> 08:11.000
here, you can see
the decoded request.

08:11.000 --> 08:16.515
You have the malicious parts
of the log. Video summary.

08:16.515 --> 08:18.890
In today's lesson, we talked
about the two types of

08:18.890 --> 08:21.290
cross-site scripting,
reflected and

08:21.290 --> 08:23.455
stored, and their differences.

08:23.455 --> 08:25.010
We also talked about how to

08:25.010 --> 08:27.575
identify both types of
cross-site scripting.

08:27.575 --> 08:29.375
Look for scripts
in the requests,

08:29.375 --> 08:31.520
look for JavaScript code,

08:31.520 --> 08:34.730
look for many encoded characters
and unexpected user agents.

08:34.730 --> 08:36.365
For stored cross-site scripting,

08:36.365 --> 08:38.315
you can check the web page code.

08:38.315 --> 08:39.950
In the next video, we'll talk

08:39.950 --> 08:41.750
about cross-site
request forgery,

08:41.750 --> 08:43.970
and we'll analyze
web server logs to

08:43.970 --> 08:47.929
identify cross-site
request forgery attacks.

