
 

LFI RFI ATTACKS

 

LOCAL FILE INCLUSION

  1. Code: 32

  2. Brief Description: Local File Inclusion

  3. Sample log message:

    1. CEF format 

       

      Jul  7 03:04:56 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.3.0|32|LFI|10|EventId=VS-LFI-070720-A00266|Application_Name=IIS_PHP_Webgoat 7.3 Server_Name=Win26 Incident_Level=ATTACK Incident_Category=WEB_ATTACK Incident_Type=LFI Incident_Timestamp=07 Jul 2020 07:06:01 AM UTC Threat Level=ATTACK Malicious Input=[{"file": "C:\inetpub\wwwroot\WebGoatPHP\challenges\single\PathBasedAccessControl/files/accounts.txt"}] Attacker=10.16.4.50:60556 Event Source Name=CVE File Path=C:\inetpub\wwwroot\WebGoatPHP\challenges\single\PathBasedAccessControl/files/accounts.txt Session token id=dgs6ftd62au6kjtggvuf7m20ls UUID=2f95160699374706 HTTP Request=/mode/single/challenges/PathBasedAccessControl/ pid=5032 description=LFI category=Web Attack eventTime=2020-07-07 07:05:05 tid=2328

    2. CEF - Fixed Key Definition format

       

      Sep 10 23:17:31 10.16.9.105 CEF: 1|Virsec Security Platform|Virsec|1.4.0|32|LFI|10|EventId=VS-LFI-091120-A00120|cs1Label=Application_Name cs1=rhel67_webgoat_2 1 cs2Label=Server_Name cs2=Rhel67_webgoat_9_108 cs3Label=Incident_Level cs3=ATTACK cs4Label=Incident_Category cs4=WEB_ATTACK cs5Label=Incident_Type cs5=LFI cs6Label=Incident_Timestamp cs6=11 Sep 2020 03:17:07 AM UTC cs7Label=Threat Level cs7=ATTACK cs8Label=Malicious Input cs8=[{"File": "/opt/apache-tomcat-7.0.85/webapps/webgoat/lesson_plans/en/../../../examples/unsecure/no_extension"} cs9Label=Attacker cs9=10.16.9.21:35174 cs10Label=Event Source Name cs10=CVE cs11Label=File Path cs11=/opt/apache-tomcat-7.0.85/webapps/webgoat/lesson_plans/en/../../../examples/unsecure/no_extension cs12Label=Session token id cs12=D452E90BFDA08EDB1E91108192D974F0 cs13Label=UUID cs13=04afb10d-ddc0-46 cs14Label=HTTP Request cs14=POST /webgoat/attack cs15Label=pid cs15=27770 cs16Label=description cs16=LFI cs17Label=category cs17=Web Attack cs18Label=eventTime cs18=2020-09-11T03:18:02.002+05:30 cs19Label=tid cs19=23

 

REMOTE FILE INCLUSION

  1. Code: 33

  2. Brief Description: Remote File Inclusion

  3. Sample log message:

    1. CEF format 

       

      Jul 18 14:46:27 10.16.9.55 CEF: 1|Virsec Security Platform|Virsec|1.3.0|33|RFI|10|EventId=VS-RFI-071820-A00047|Application_Name=dotnet_2012_webgoat_job92 1.0 Server_Name=IIS85_Dotnet45_9_60 Incident_Level=ATTACK Incident_Category=WEB_ATTACK Incident_Type=RFI Incident_Timestamp=18 Jul 2020 06:45:59 PM UTC Threat Level=ATTACK Malicious Input=[{"ctl00$BodyContentPlaceholder$txtServiceUrl": "http://www.google.com"}] Attacker=10.16.9.21:34342 Event Source Name=CVE Remote Http Request=http://www.google.com Session token id=virsec08466e14156547c8baf36fd0f5 UUID=eaea4fec-0a29-42 HTTP Request=http://10.16.9.60:8180/Content/InjectionExercise.aspx pid=3640 description=RFI category=Web Attack eventTime=2020-07-18 18:45:59 tid=7

    2. CEF - Fixed Key Definition format

       

      Sep 10 23:11:50 10.16.9.105 CEF: 1|Virsec Security Platform|Virsec|1.4.0|33|RFI|10|EventId=VS-RFI-091120-A00115|cs1Label=Application_Name cs1=rhel67_webgoat_2 1 cs2Label=Server_Name cs2=Rhel67_webgoat_9_108 cs3Label=Incident_Level cs3=ATTACK cs4Label=Incident_Category cs4=WEB_ATTACK cs5Label=Incident_Type cs5=RFI cs6Label=Incident_Timestamp cs6=11 Sep 2020 03:11:25 AM UTC cs7Label=Threat Level cs7=ATTACK cs8Label=Malicious Input cs8=[{"conf": "http://www.google.com"} cs9Label=Attacker cs9=10.16.9.21:35120 cs10Label=Event Source Name cs10=CVE cs11Label=Remote Http Request cs11=http://www.google.com cs12Label=Session token id cs12=EDD3C82A7C124EF8C521859E19CD8C7B cs13Label=UUID cs13=0434aa4d-e262-42 cs14Label=HTTP Request cs14=GET /benchmark/rfi.jsp cs15Label=pid cs15=27770 cs16Label=description cs16=RFI cs17Label=category cs17=Web Attack cs18Label=eventTime cs18=2020-09-11T03:12:20.020+05:30 cs19Label=tid cs19=20

 

DOM XSS

  1. Code: 34

  2. Brief Description: DOM XSS

  3. Sample log message:

    1. CEF format 

       

      Jul 18 14:59:35 10.16.9.55 CEF: 1|Virsec Security Platform|Virsec|1.3.0|34|DOMXSS|10|EventId=VS-DOMXSS-071820-A00052|Application_Name=dotnet_2012_webgoat_job92 1.0 Server_Name=IIS85_Dotnet45_9_60 Incident_Level=ATTACK Incident_Category=WEB_ATTACK Incident_Type=DOMXSS Incident_Timestamp=18 Jul 2020 06:59:07 PM UTC Threat Level=ATTACK Malicious Input=[{"virsec_url": "http://10.16.9.60:8180/Content/domxsspopup.aspx#context=<script>alert('Test')</script>"}] Attacker=10.16.9.2:53184 Event Source Name=CVE Session token id=virsec75b5a05f07bd4bdb8e77ce4e7e UUID=9c03d890-2069-46 HTTP Request=http://10.16.9.60:8180/Content/domxsspopup.aspx#context=<script>alert('Test')</script> pid=3640 description=DOMXSS category=Web Attack eventTime=2020-07-18 18:59:07 tid=20

    2. CEF - Fixed Key Definition format

       

      Sep 10 23:20:29 10.16.9.105 CEF: 1|Virsec Security Platform|Virsec|1.4.0|34|DOMXSS|10|EventId=VS-DOMXSS-091120-A00150|cs1Label=Application_Name cs1=rhel67_webgoat_2 1 cs2Label=Server_Name cs2=Rhel67_webgoat_9_108 cs3Label=Incident_Level cs3=ATTACK cs4Label=Incident_Category cs4=WEB_ATTACK cs5Label=Incident_Type cs5=DOMXSS cs6Label=Incident_Timestamp cs6=11 Sep 2020 03:20:05 AM UTC cs7Label=Threat Level cs7=ATTACK cs8Label=Malicious Input cs8=[{"URL": ""http://10.16.9.108:8081/webgoat/start.mvc#name=<script>alert(String.fromCharCode(88,83,83));</script>""}, {"virsec_url": "#name=<script>alert(String.fromCharCode(88,83,83));</script>"},  cs9Label=Attacker cs9=10.16.9.21:35250 cs10Label=Event Source Name cs10=CVE cs11Label=Session token id cs11=88EE94A8B6954EC876D0591F92CE3E54 cs12Label=UUID cs12=9bc566ce-c083-4f cs13Label=HTTP Request cs13=GET http://10.16.9.108:8081/webgoat/start.mvc#name=<script>alert(String.fromCharCode(88,83,83));</script> cs14Label=pid cs14=27770 cs15Label=description cs15=DOMXSS cs16Label=category cs16=Web Attack cs17Label=eventTime cs17=2020-09-11T03:21:00.000+05:30 cs18Label=tid cs18=26
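The "CEF - Fixed Key Definition" records above carry their field names as csNLabel values rather than as keys, which is what makes them machine-parseable without a per-product key list. The parser below is an added example, not Virsec's own code: it splits the seven-field CEF header, resolves each csNLabel to its csN value, checks the event code against the code/name table on this page, and reduces an LFI record to the fields an analyst triages on. SAMPLE_LFI is a constructed record abridged from the LFI sample above.

```python
import re

EVENT_CODES = {"32": "LFI", "33": "RFI", "34": "DOMXSS"}   # codes documented on this page
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")

# Constructed sample, abridged from the page's LFI "Fixed Key Definition" record.
SAMPLE_LFI = (
    "Sep 10 23:17:31 10.16.9.105 CEF: 1|Virsec Security Platform|Virsec|1.4.0|32|LFI|10|"
    "EventId=VS-LFI-091120-A00120|cs1Label=Application_Name cs1=rhel67_webgoat_2 1 "
    "cs6Label=Incident_Timestamp cs6=11 Sep 2020 03:17:07 AM UTC "
    "cs7Label=Threat Level cs7=ATTACK cs9Label=Attacker cs9=10.16.9.21:35174 "
    "cs11Label=File Path cs11=/opt/apache-tomcat-7.0.85/webapps/webgoat/lesson_plans/en/"
    "../../../examples/unsecure/no_extension cs14Label=HTTP Request cs14=POST /webgoat/attack"
)

def parse_fixed_key_cef(line):
    """Return (header dict, extension dict keyed by the csNLabel names)."""
    _, sep, body = line.partition("CEF: ")
    if not sep:
        raise ValueError("no CEF header found")
    parts = body.split("|", 7)                 # seven header fields, then the extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    # Extension keys are single tokens (EventId, csNLabel, csN), so a value runs until the
    # next ' key=' or '|key=' (Virsec puts a pipe between EventId and cs1Label). The 1.3.0
    # format's spaced keys ("Threat Level=", "File Path=") would defeat this generic split.
    raw = {m.group(1): m.group(2).strip()
           for m in re.finditer(r"(\w+)=(.*?)(?=[ |]\w+=|$)", parts[7])}
    fields = {}
    for key, value in raw.items():
        label = re.fullmatch(r"(cs\d+)Label", key)
        if label:                              # csNLabel names the meaning of csN
            fields[value] = raw.get(label.group(1), "")
        elif not re.fullmatch(r"cs\d+", key):
            fields[key] = value                # EventId and any other plain key
    return header, fields

def summarize(line):
    """Pick out what an analyst triages on and cross-check the code against the name."""
    header, f = parse_fixed_key_cef(line)
    if EVENT_CODES.get(header["signature_id"]) != header["name"]:
        raise ValueError("code/name mismatch: %(signature_id)s/%(name)s" % header)
    ip, _, port = f.get("Attacker", "").rpartition(":")
    target = f.get("File Path") or f.get("Remote Http Request") or f.get("HTTP Request", "")
    return {"event_id": f.get("EventId"), "type": header["name"], "attacker_ip": ip,
            "attacker_port": int(port) if port.isdigit() else None, "target": target,
            # LFI: the reported path climbs out of its directory with '..' segments
            "traversal": header["name"] == "LFI" and ".." in target.split("/")}
```

For the RFI records the same function surfaces the fetched URL from "Remote Http Request"; the DOMXSS records fall through to "HTTP Request".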

 
