Chuck Willis
Principal Consultant, MANDIANT
chuck.willis@mandiant.com

OWASP AppSec Seattle, Oct 2006
Copyright © 2006 - The OWASP Foundation, http://www.owasp.org/
Permission is granted to copy, distribute and/or modify this document
under the terms of the Creative Commons Attribution-ShareAlike 2.5
License. To view this license, visit
http://creativecommons.org/licenses/by-sa/2.5/
Why Are We Here?
Background
How web application incident response and forensics is different
Case Studies
Log discovery, review, and analysis
    Web Server
    Application Server
    Database
Remediation
Three Tier Web Application
[Diagram: the Client (Browser) sends an HTTP Request across the Internet / Intranet to the Web Server (presentation); the Web Server passes it to the App Server (business logic) as an HTTP Request / RPC Call; the App Server sends an SQL Query to the Database (resource). Replies return the same way as a Result Set, an HTTP Response / RPC Return, and finally the HTTP Response to the client.]
URL: https://www.xyzbrokerage.com/login.asp?sessionid=90198e1525e4b03797f833ff4320af39
IIS 6.0
Date / Time
Client IP
Server Info
HTTP Method
URL and Parameters
HTTP Status Code
User Agent
Can be enabled:
Transfer Sizes
Host Header
Cookies
Referrer
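As an added example (not code from the slides), the following Python reads an IIS 6.0 W3C extended log by its #Fields directive and flags session ids that arrive from more than one client IP, the kind of lead worth pulling when a session id travels in the URL as in the login.asp example above. The log sample is constructed and the field names are the standard W3C/IIS ones.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample of an IIS 6.0 W3C extended log (not a real capture); IIS
# names the columns in the "#Fields:" directive and writes "-" for empty values.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-02 09:15:01 10.0.0.5 GET /login.asp sessionid=90198e1525e4b03797f833ff4320af39 443 - 192.0.2.10 Mozilla/4.0 200 0 0
2006-05-02 09:15:07 10.0.0.5 GET /bids/view.asp bidid=1001&sessionid=90198e1525e4b03797f833ff4320af39 443 - 192.0.2.10 Mozilla/4.0 200 0 0
2006-05-02 09:20:44 10.0.0.5 GET /bids/view.asp bidid=1002&sessionid=90198e1525e4b03797f833ff4320af39 443 - 198.51.100.77 Mozilla/4.0 200 0 0
2006-05-02 09:21:03 10.0.0.5 GET /login.asp sessionid=7f3c2a1b9e8d7c6b5a4f3e2d1c0b9a8f 443 - 203.0.113.9 Mozilla/4.0 200 0 0
"""

def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts; columns
    come from the latest "#Fields:" directive and other "#" lines are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or mangled line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows

def clients_by_session(rows, param="sessionid"):
    """Map each session id seen in cs-uri-query to the client IPs that sent it."""
    seen = defaultdict(set)
    for row in rows:
        query = row.get("cs-uri-query", "-")
        if query != "-":
            for sid in parse_qs(query).get(param, []):
                seen[sid].add(row["c-ip"])
    return seen

def shared_sessions(rows, param="sessionid"):
    """Session ids used from more than one client IP. An id carried in the URL
    can leak through referrers, proxy logs or browser history, so a second IP on
    one session is a lead to pull during log review."""
    return {sid: sorted(ips) for sid, ips in clients_by_session(rows, param).items()
            if len(ips) > 1}
```

Run `shared_sessions(parse_w3c(SAMPLE_LOG))` to get the shared id mapped to both client IPs; pointing `parse_w3c` at a real log file's contents works the same way.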
May 2006
Multi-national food and beverages company requested bids for a machinery maintenance contract
The bids were to be provided over the Web
One of the bidders appeared to have inside knowledge
Chief counsel ordered an investigation
Application Server Logs
A comprehensive code review was ruled out
Resorted to scripted searches through code
Regex = .*SELECT.*
// One of the hits: a hard-coded value of the "extra" parameter unlocks a query that returns the whole table
if (extra.Equals("letmein"))
{
    Cmd = "SELECT * FROM CardTable";
}
...
Database Server Logging
Alert.log
    Flat text file
    Records important information about the database operation
    Records errors
    References to trace files and dump files
Trace files can result from:
    An error in a background process
    Administrator action
Application Level Logging
Remediation