Why don't we see more examples of web app attacks via POST?

Published: 2013-07-16
Last Updated: 2013-07-16 21:13:23 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Was just browsing my web logs again, and came across this stupid little SQL injection attempt:

GET //diary.html?storyid=3063//////////////-999.9+union+select+0-- HTTP/1.1

There were more like it. The reason I call this "stupid and simple" is that it probably wouldn't even have worked if I was vulnerable (MySQL at least requires a space after the `--` comment marker). So I went looking for other attempts (I found a few), but they had similar elementary mistakes, or used well-known "bad" user agents that are frequently blocked (Firefox 3.5.9 ?! Really?).

So I was wondering: Why don't I ever see "better" attacks? One issue may be that web logs usually don't capture the "POST" request data. If you capture it at all, you do so with a WAF or IDS, and only for requests that looked suspect. Capturing full POST bodies also presents other problems: the data can be quite large, and it may contain personal data that should better not be logged (usernames and passwords).

Anybody got a good way of logging "sanitized" POST requests?


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Comments

Hello,

Indeed, in nearly every forensic case regarding web incidents I had to approach, logging was limited to GET requests.

The 3 main reasons appear to be: missing knowledge, laziness and memory issues (sometimes explained as performance issues).

Regards,

Marc

Hello,
Capturing POST requests can indeed be a problem if you run a website storing sensitive user information.

Another way raw request logging can be done, for Apache users, is to set up the mod_security module to log POST requests in the audit log. If you don't want to log everything, mod_security allows you to define filters for the kind of requests you want to log. As you mentioned, you may want to avoid logging requests to specific pages, or those containing certain keywords (e.g., 'password'). This can be done with this extension.

If you're interested in a study that used this kind of information (logging of full raw HTTP requests) as a starting point to understand how and why web attacks are carried out, you can have a look at the paper we published at NDSS this year: "Behind The Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web" (http://www.s3.eurecom.fr/docs/ndss13_canali.pdf)

Regards,

Davide

ModSecurity (http://www.modsecurity.org/) has this functionality and at the right price too!

sanitiseArg - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseArg
sanitiseMatched - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatched
sanitiseMatchedBytes - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseMatchedBytes
sanitiseRequestHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseRequestHeader
sanitiseResponseHeader - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-sanitiseResponseHeader

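The two comments above describe the pieces (audit logging of POST bodies with filters, and the sanitise actions); the following ModSecurity 2.x configuration, added here as an example and not taken from the diary or its comments, puts them together to answer the diary's question. It assumes Apache httpd with mod_security2 loaded and a writable log path; the rule ids 900001 to 900005, the /login path and the field-name patterns are placeholders chosen for this example. Apache does not allow trailing comments on directive lines, so every comment sits on its own line.

```apache
# Added example, not from the diary or the comments: log POST bodies to the
# ModSecurity audit log while redacting sensitive fields. Rule ids, paths and
# field names below are placeholders.

# Observe and log only; nothing is blocked.
SecRuleEngine DetectionOnly
# Without body access the POST data is never inspected or logged.
SecRequestBodyAccess On
# Cap body sizes (bytes) so large uploads do not swamp the log.
SecRequestBodyLimit 131072
SecRequestBodyNoFilesLimit 65536

# Audit log: only transactions marked relevant, written to one serial file.
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
# Parts: A header, B request headers, C request body, F response headers,
# H trailer, Z end marker. Part C is what captures the POST data.
SecAuditLogParts ABCFHZ
# Also treat 5xx and 4xx (except 404) responses as relevant.
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Filter: mark every POST as relevant so it lands in the audit log
# regardless of response status.
SecRule REQUEST_METHOD "@streq POST" \
    "id:900001,phase:2,pass,nolog,auditlog"

# Filter: never audit-log pages that legitimately carry credentials.
SecRule REQUEST_URI "@beginsWith /login" \
    "id:900002,phase:1,pass,nolog,ctl:auditEngine=Off"

# Redact a known field by name; its value appears as asterisks in the log.
SecAction "id:900003,phase:2,pass,nolog,sanitiseArg:password"

# Redact any argument whose name looks like a secret. sanitiseMatched acts on
# the variable that matched, here the argument selected via ARGS_NAMES.
SecRule ARGS_NAMES "@rx (?i)(pass|pwd|secret|token)" \
    "id:900004,phase:2,pass,nolog,sanitiseMatched"

# Hide credentials and session cookies from the logged request headers.
SecAction "id:900005,phase:1,pass,nolog,sanitiseRequestHeader:Authorization,sanitiseRequestHeader:Cookie"
```

With SecAuditEngine RelevantOnly, the audit log receives only transactions a rule flagged with auditlog (rule 900001 here) or whose status matched SecAuditLogRelevantStatus, so the log stays proportional to what is worth reviewing. The sanitise actions only affect the audit log; keep SecDebugLogLevel low on a production host, since the debug log is not redacted.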
For my webserver (a modified nweb), I do see POSTs from time to time.
INFO: Addr:78.106.241.99:993
INFO: Date:Fri May 10 01:33:03 PDT 2013
:993
INFO: request:POST http://m.odnoklassniki.ru/dk?bk=GuestMain&st.cmd=main&tkn=3\711 HTTP/1.0**Host: m.odnoklassniki.ru**X-Requested-With: XMLHttpRequest**Accep\t: application/json, text/javascript, */*; q=0.01**Connection: close**Content-L\ength: 117**Content-Type: application/x-www-form-urlencoded****:993

...

INFO: Addr:67.19.128.202:2150
INFO: Date:Tue Jun 11 16:17:59 PDT 2013
:2150
INFO: request:POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%\75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D\%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6\E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6\F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%\65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1\.1**Host: X.Y.Z.Q**User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +\http://www.google.com/bot.html)**Content-Type: application/x-www-form-urlencode\d**Connection: Close**Content-Length: 263****:2150

That last is of course:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

I understand the second; I don't quite see where the .ru author is going in the first POST.

