WEBVTT

00:00.270 --> 00:05.880
It's important for the exam that you can recognize the ways that websites, and in particular our web

00:05.940 --> 00:07.140
apps are attacked.

00:07.140 --> 00:12.720
So in this episode what I want to do is cover... Well, basically, you've been following along in the series.

00:12.720 --> 00:19.260
I've got a whole other episode called Attacking Applications, and everything that is in there also works

00:19.260 --> 00:23.230
for web apps as well, so I just want to add to that a little bit.

00:23.250 --> 00:31.140
Some very specific types of attacks that are unique to websites and web apps. So with that understanding,

00:31.530 --> 00:37.740
if you're going to recognize an attack you need to be able to read log files, and the exams are going

00:37.740 --> 00:40.620
to challenge you on your ability to read log files.

00:40.620 --> 00:45.590
Now luckily for us, any good web app is going to have tons and tons of log files.

00:45.600 --> 00:52.960
But the first one I want to talk about right now is the common log format, the CLF.

00:53.100 --> 01:00.060
Now these are the standard types of logs that every single type of web server generates.

01:00.060 --> 01:01.890
And they're all generated in the same format.

01:01.890 --> 01:06.690
So let's go through one of these real quick to make sure you understand common log format.

01:06.690 --> 01:14.100
Here is a very specific line of a log from a common log format web server.

01:14.100 --> 01:18.300
So now if you take a look at this, there's a few things you absolutely need to be able to recognize. So

01:18.360 --> 01:19.980
just going from left to right.

01:19.980 --> 01:25.860
First of all you're going to see either an IP address, in this case we've got 127.0.0.1, but it

01:25.860 --> 01:28.720
could also be a fully qualified domain name.

01:28.830 --> 01:34.050
And that's basically who is talking to this web server right now.

01:34.470 --> 01:35.290
Your next two.

01:35.280 --> 01:38.420
And I just show them as dashes because they're pretty uncommon.

01:38.490 --> 01:44.940
These are different ways to do authentication within HTTP, not HDTV.

01:44.940 --> 01:47.230
Yes this is kind of old school stuff.

01:47.320 --> 01:53.290
It's not used very often anymore, so let's skip those next two dashes. They're known as ident,

01:53.320 --> 01:54.760
which is the identity check.

01:54.760 --> 01:57.390
And the second one is called authorized user.

01:57.400 --> 01:59.570
But again they're not used that often.

01:59.750 --> 02:04.950
OK, the next one is the date and time, and I'm hoping you can read that and pretty much figure out the

02:04.950 --> 02:08.310
date and then the time and then that little dash on the end.

02:08.340 --> 02:12.530
That's just the offset from Greenwich Mean Time, OK.

02:12.610 --> 02:13.970
The next one is the big one.

02:13.990 --> 02:19.870
This is actually the request, or whatever is coming in from the client. This is the data payload.

02:19.870 --> 02:25.840
In this case we can take a look at this and see this is just a simple HTTP GET command that's asking

02:25.840 --> 02:27.120
for a GIF file.

02:27.130 --> 02:29.380
So that's the file itself.

02:29.530 --> 02:34.420
And then the next two values: first of all, that 200 shows everything's OK.

02:34.450 --> 02:41.440
It sent the GIF file, everything's good, and the actual byte size of that payload itself. Now common

02:41.430 --> 02:47.430
log format is important and you need to be comfortable with that format for the actual exam itself.

02:47.430 --> 02:51.490
Now the next thing I want to talk about are other types of logs you might run into.

02:51.540 --> 02:58.140
Now I've got a web app that I use here at Total Seminars, and this web app works underneath a control

02:58.140 --> 03:04.380
panel tool called cPanel. It's very popular, it's been around forever, and cPanel can actually phone

03:04.380 --> 03:07.260
home, send me emails, and can do a lot of different stuff.

03:07.260 --> 03:12.720
I've got mine configured to send me emails whenever something that is scary looking shows up.

03:12.720 --> 03:16.910
So let me show you an example e-mail that I get from my cPanel applet.

03:17.070 --> 03:23.290
Now I've taken a lot of stuff out, but this is the actual e-mail that I've got from my cPanel applet.

03:23.290 --> 03:25.410
Something's going on that it doesn't like.

03:25.410 --> 03:27.780
So if you take a look here there's a lot of good information.

03:27.930 --> 03:31.020
So I get process IDs here up at the top.

03:31.110 --> 03:36.900
I know what account it is that has logged in to my cPanel applet. In this case it's just an administrative

03:36.900 --> 03:38.280
account.

03:38.360 --> 03:40.240
Now it's going to show me what's interesting.

03:40.250 --> 03:46.670
So it's telling me that an executable has been run, but it's asking... very, very interesting stuff. It's trying

03:46.670 --> 03:49.820
to run something called Run call HP.

03:50.090 --> 03:51.040
And last.

03:51.050 --> 03:53.110
It shows me if there's a network connection on it.

03:53.120 --> 03:54.660
In this case the network connection.

03:54.680 --> 03:56.120
Now you have to read these.

03:56.150 --> 03:58.170
Notice that it's the same IP address.

03:58.190 --> 04:04.760
Somebody is working locally on the server itself and they are running this program for one reason or

04:04.760 --> 04:05.920
another.

04:05.930 --> 04:11.720
Now that we're comfortable with logs I want to talk about two very specific types of attacks that are

04:11.720 --> 04:15.380
going to be unique to websites, web applications.

04:15.380 --> 04:20.030
That's going to be cross-site scripting or XML injection.

04:20.060 --> 04:25.940
Now both of these are kind of like injection attacks where somebody tries to put in some extra information

04:26.330 --> 04:29.980
into an HTTP request to do something naughty.

04:29.990 --> 04:31.730
Now they're going to do this one of two ways.

04:31.730 --> 04:36.980
Number one they're actually going to go into a form or something like that and try to add that extra

04:36.980 --> 04:42.490
information. They might have a malicious add-on that they've intentionally installed on their web browser

04:42.500 --> 04:45.130
to type in extra information. They could do it that way.

04:45.260 --> 04:49.330
But more often than not you're going to see tools like... I've got a picture of one right here.

04:49.400 --> 04:56.660
This is XSSer, and this is on my Kali Linux box, and this tool is designed to simply go

04:56.660 --> 05:02.120
to a website and try to do both cross-site scripting and XML injection attacks.

05:02.120 --> 05:05.700
OK so understanding how people do this stuff.

05:05.780 --> 05:07.720
Let's talk about each one of these.

05:07.820 --> 05:12.930
And I'd like to start with cross-site scripting. Cross-site scripting, and we usually just show it as

05:13.010 --> 05:21.850
XSS, is when somebody tries to get another person to run a script from another site.

05:22.070 --> 05:28.490
So what we're going to do is let's take a look into a particular log file and we get something that

05:28.490 --> 05:29.600
looks like this.

05:29.780 --> 05:33.050
So we could say this is coming from a form or something.

05:33.050 --> 05:36.610
However, the website sees that they're trying to enter this kind of data.

05:36.620 --> 05:38.430
Now it depends on the field.

05:38.430 --> 05:43.410
Let's say this is a last name field and all of a sudden we're seeing all this script information.

05:43.520 --> 05:49.520
You're also going to notice that there's a source that is from a different website. That is a very strong

05:49.520 --> 05:57.290
clue of cross-site scripting. XML injection simply means to insert XML information that shouldn't be

05:57.290 --> 05:57.560
there.

05:57.560 --> 06:02.390
So what I want to do now is let's take a look at this one particular command here.

06:02.510 --> 06:08.990
So in this particular case we've got a form that's being generated from this website, and this form

06:08.990 --> 06:11.550
asks for a user name, and see, it says Mike.

06:11.660 --> 06:14.970
It's got a password; it's a pretty weak password.

06:14.960 --> 06:19.300
There's a voucher in here; looks like they're buying a voucher off of my website.

06:19.340 --> 06:21.920
There's a price here of $450.

06:21.920 --> 06:23.680
Don't worry they're not really that expensive.

06:23.810 --> 06:29.870
And then an e-mail address. So what we're looking at is form data that is being set up in just such a

06:29.870 --> 06:32.600
way so somebody could get this information.

06:32.620 --> 06:38.480
Now let's just say for a minute that people don't actually type in the price that they're going to pay.

06:38.540 --> 06:43.580
They just pick a particular product and then the price is filled in automatically.

06:43.580 --> 06:49.160
But what if they had a tool that would allow them to change this XML information, where they could go

06:49.160 --> 06:57.470
ahead and just insert $50 instead of $450? Without any other type of control they're going to get themselves

06:57.500 --> 06:59.090
a very cheap voucher.

06:59.090 --> 07:04.490
The big takeaway I need you to get from this episode is that you need to be comfortable reading log

07:04.490 --> 07:05.390
files.

07:05.390 --> 07:12.600
Luckily for us, any web server, any website, any web app is going to come with plenty of log files.

07:12.740 --> 07:19.260
And if you take the time and read them you should be able to easily recognize XML and cross-site scripting.

07:19.370 --> 07:24.870
Also keep in mind that these are still applications, even though they are web applications.

07:24.950 --> 07:30.290
So you might want to review my Attacking Applications and see if there's anything in there that might

07:30.290 --> 07:31.070
come into play.

07:31.190 --> 07:33.110
You never know when you're going to get a buffer overflow.
