SANS ISC: Use of Alternate Data Streams in Research Scans for index.jsp. - SANS Internet Storm Center SANS ISC InfoSec Forums

Use of Alternate Data Streams in Research Scans for index.jsp.

Our network of web application honeypots delivered some odd new URLs in the last 24 hrs:


I am not 100% sure what these scans are after, but my best guess right now is that they are attempting to bypass filters using NTFS alternate data streams.

The Windows NTFS file system supports alternate data streams. These have been documented in the past as a technique to hide data or to bypass URL filters [1][2].

In this case, the scans originate from , an IP associated with vulnerability scanning company Qualys. It appears to be hunting for index.jsp, a default for Java applications. Inside the cgi-bin or scripts directory, it may very well lead to code execution and may be protected by a WAF that the attacker attempts to bypass. I assume that right now, this is likely just a Qualys research project, but a good reminder to double-check your URL filters.
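One way to run that double-check, as an added example that is not code from this diary or from Qualys: a rule that matches `index.jsp` only as a literal suffix is compared with one that percent-decodes the path and rejects NTFS stream syntax (`name:stream:$TYPE`). The request paths are constructed samples, not the URLs the honeypots recorded, and all function names are hypothetical.

```python
from urllib.parse import unquote, urlsplit

def decoded_path(url, max_rounds=5):
    """Path component, percent-decoded until stable (%3a and %253a -> ':')."""
    path = urlsplit(url).path
    for _ in range(max_rounds):
        once = unquote(path)
        if once == path:
            break
        path = once
    return path.replace("\\", "/")

def find_ads(url):
    """Return (segment, file name, stream name, stream type) per ADS-style segment."""
    hits = []
    for seg in decoded_path(url).split("/"):
        parts = seg.split(":")
        if len(parts) > 1:  # NTFS syntax is name:stream:$TYPE
            hits.append((seg, parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return hits

def naive_block(url):
    """Weak rule: match the protected name only as a literal raw suffix."""
    return urlsplit(url).path.lower().endswith("/index.jsp")

def hardened_block(url):
    """Reject any stream syntax first, then match on the decoded path."""
    return bool(find_ads(url)) or decoded_path(url).lower().endswith("/index.jsp")

# Constructed sample requests (assumption: not taken from the honeypot logs).
SAMPLES = [
    "/cgi-bin/index.jsp",
    "/cgi-bin/index.jsp::$DATA",
    "/scripts/index.jsp%3a%3a$DATA",
    "/scripts/index.jsp%253a%253a$DATA",
    "/app/home.html?ref=a:b",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:36} naive={naive_block(url)!s:5} "
              f"hardened={hardened_block(url)!s:5} {find_ads(url)}")
```

A colon is legal in a URL path, so applications that use it in their own routes will need an allow-list in front of a rule like `hardened_block`.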

Any other ideas? Let me know.


Johannes B. Ullrich, Ph.D., Dean of Research,

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


ISC Handler
Jan 14th 2022