WEBVTT

00:00.000 --> 00:03.060
>> Hello and welcome
back to the course,

00:03.060 --> 00:05.595
Identifying Web
Attacks Through Logs.

00:05.595 --> 00:07.200
In the last video, we talked

00:07.200 --> 00:09.285
about cross-site
scripting attacks.

00:09.285 --> 00:10.680
In this video, we will

00:10.680 --> 00:12.990
discuss cross-site
request forgery.

00:12.990 --> 00:15.254
Let's start with the
learning objectives.

00:15.254 --> 00:17.070
The learning objectives
are to review

00:17.070 --> 00:18.990
cross-site request
forgery and to

00:18.990 --> 00:21.900
identify the attacks
through log analysis.

00:21.900 --> 00:24.150
Cross-site request
forgery exploits

00:24.150 --> 00:26.775
the trust between a web
server and the user's browser.

00:26.775 --> 00:29.925
Suppose that you access your
interactive bank website.

00:29.925 --> 00:32.940
Everything goes okay; you
do whatever you need to do,

00:32.940 --> 00:36.260
but afterwards you access
a malicious website.

00:36.260 --> 00:38.330
This malicious website
will try to send

00:38.330 --> 00:40.775
a malicious command
through your web browser.

00:40.775 --> 00:43.490
Your web browser will
execute the command.

00:43.490 --> 00:45.020
This malicious command could be

00:45.020 --> 00:47.590
a money transfer to the
attacker's account.

00:47.590 --> 00:49.620
The user won't see the request,

00:49.620 --> 00:51.350
and this could all
happen because

00:51.350 --> 00:54.710
the bank website trusts
the user's browser.

00:54.710 --> 00:58.280
Maybe you're thinking
cross-site request forgery

00:58.280 --> 01:01.525
is the same thing as
cross-site scripting.

01:01.525 --> 01:04.220
Well, even if the
name is similar,

01:04.220 --> 01:06.325
the attack is different.

01:06.325 --> 01:09.150
In cross-site request forgery,

01:09.150 --> 01:11.240
the source of the attack does

01:11.240 --> 01:13.845
not directly connect
to the web server.

01:13.845 --> 01:17.370
That's why the name is forgery.

01:18.060 --> 01:22.435
In our lab, we have a
vulnerable web application.

01:22.435 --> 01:24.985
In this case, the vulnerability

01:24.985 --> 01:27.790
allows for the changing
of the user's password.

01:27.790 --> 01:31.940
First, let's see the logs
of a normal request.

01:31.940 --> 01:34.965
The first two lines
are the logon and

01:34.965 --> 01:37.635
the access to the
vulnerable web page.

01:37.635 --> 01:40.540
The next line is the user
changing the password.

01:40.540 --> 01:42.625
We can see the
client's IP address,

01:42.625 --> 01:43.840
the requested file with

01:43.840 --> 01:45.950
the password change
and the referrer.

01:45.950 --> 01:48.900
Also take a look at the time.

01:48.900 --> 01:51.810
The next log is a
malicious request.

01:51.810 --> 01:53.605
You can see the same IP address

01:53.605 --> 01:56.050
and another request to
change the password.

01:56.050 --> 01:58.150
Can you identify
another difference

01:58.150 --> 02:00.140
between the two logs?

02:00.969 --> 02:04.190
>> One of the differences
is the password.

02:04.190 --> 02:06.215
Another difference
is the referrer.

02:06.215 --> 02:08.210
Here we don't have the referrer,

02:08.210 --> 02:10.520
and this new password
change request happened

02:10.520 --> 02:14.070
sometime before
the first request.

02:15.650 --> 02:18.530
In summary, how do you

02:18.530 --> 02:21.250
identify cross-site
request forgery?

02:21.250 --> 02:25.615
Well, the referrer is the
best way to identify.

02:25.615 --> 02:28.610
If you notice an
unexpected referrer,

02:28.610 --> 02:31.415
it's a good indication
that something is wrong.

02:31.415 --> 02:34.295
Another thing is different
behavior from the user,

02:34.295 --> 02:35.930
like changing or trying

02:35.930 --> 02:37.670
to change the password
many times in

02:37.670 --> 02:39.080
a small period of time or

02:39.080 --> 02:42.085
the same actions in a
small period of time.

02:42.085 --> 02:44.910
Post-assessment question:

02:44.910 --> 02:47.600
Cross-Site Request
Forgery attacks

02:47.600 --> 02:51.310
only happen if the user's
browser is compromised.

02:51.310 --> 02:55.770
Is this affirmation
true or false?

02:55.770 --> 02:59.280
This affirmation is false.

02:59.280 --> 03:02.075
Most of the time the
attack will happen

03:02.075 --> 03:05.780
because the user connected
to a malicious website.

03:05.780 --> 03:07.985
For the next question,

03:07.985 --> 03:09.740
analyze the weblog below and

03:09.740 --> 03:12.155
identify the possible
attack type.

03:12.155 --> 03:14.585
Here you have two POST methods,

03:14.585 --> 03:17.270
both trying to log in
to a web page and with

03:17.270 --> 03:18.710
more than one minute
of difference

03:18.710 --> 03:20.555
between the two requests.

03:20.555 --> 03:23.600
Also notice that the
referrer changes.

03:23.600 --> 03:26.225
This could be a Cross-Site
Request Forgery attack

03:26.225 --> 03:28.015
using the POST request.

03:28.015 --> 03:29.760
The source of the attack is

03:29.760 --> 03:32.655
the web page littlecutdogs.com.

03:32.655 --> 03:35.000
Since this is a POST request,

03:35.000 --> 03:37.490
we can't see the user
or the password sent by

03:37.490 --> 03:38.540
the malicious web server that

03:38.540 --> 03:41.620
hosts the littlecutdogs website.

03:41.620 --> 03:44.645
Video summary. In this video,

03:44.645 --> 03:47.540
we discussed Cross-Site
Request Forgery attacks and

03:47.540 --> 03:51.365
identified the attacks by
analyzing web server logs.

03:51.365 --> 03:53.645
For the next video,
we will analyze

03:53.645 --> 03:57.510
other sources of
logs like IPS logs.
