ISC StormCast for Wednesday , July 17th 2013 http://isc.sans.edu/podcastdetail.html?id=3421

Why don't we see more examples of web app attacks via POST?

Published: 2013-07-16
Last Updated: 2013-07-16 21:13:23 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Was just browsing my web logs again, and came across this stupid little SQL injection attempt:

GET //diary.html?storyid=3063//////////////-999.9+union+select+0-- HTTP/1.1

There were more like it. The reason I call this "stupid and simple" is that it probably didn't even work if I was vulnerable (mysql at least requires a space after the comment). So I was looking for other attempts (I found a few) but they had similar elemental mistakes, or used well known "bad" user agents that are frequently blocked (Firefox 3.5.9 ?! Really?)

So I was wondering: Why don't I see ever "better" attacks? One issue may be that web logs usually don't capture the "POST" request data. If you capture it at all, you capture it using a WAF or IDS if the request was suspect. Also, capturing full posts presents other problems. The data could be quite large, and may contain personal data that should better not be logged (usernames and passwords). 

Anybody got a good way of logging "sanitized" POST requests?

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

4 comment(s)

Comments


Diary Archives