LFI RFI ATTACKS
LOCAL FILE INCLUSION
-
Code: 32
-
Brief Description: Local File Inclusion
-
Sample log message:
-
CEF format
-
CEF - Fixed Key Definition format
-
REMOTE FILE INCLUSION
-
Code: 33
-
Brief Description: Remote File Inclusion
-
Sample log message:
-
CEF format
-
CEF - Fixed Key Definition format
-
DOM XSS
-
Code: 34
-
Brief Description: DOM XSS
-
Sample log message:
-
CEF format
Jul 18 14:59:35 10.16.9.55 CEF: 1|Virsec Security Platform|Virsec|1.3.0|34|DOMXSS|10|EventId=VS-DOMXSS-071820-A00052|Application_Name=dotnet_2012_webgoat_job92 1.0 Server_Name=IIS85_Dotnet45_9_60 Incident_Level=ATTACK Incident_Category=WEB_ATTACK Incident_Type=DOMXSS Incident_Timestamp=18 Jul 2020 06:59:07 PM UTC Threat Level=ATTACK Malicious Input=[{"virsec_url": "http://10.16.9.60:8180/Content/domxsspopup.aspx#context=<script>alert('Test')</script>"}] Attacker=10.16.9.2:53184 Event Source Name=CVE Session token id=virsec75b5a05f07bd4bdb8e77ce4e7e UUID=9c03d890-2069-46 HTTP Request=http://10.16.9.60:8180/Content/domxsspopup.aspx#context=<script>alert('Test')</script> pid=3640 description=DOMXSS category=Web Attack eventTime=2020-07-18 18:59:07 tid=20
-
CEF - Fixed Key Definition format
Sep 10 23:20:29 10.16.9.105 CEF: 1|Virsec Security Platform|Virsec|1.4.0|34|DOMXSS|10|EventId=VS-DOMXSS-091120-A00150|cs1Label=Application_Name cs1=rhel67_webgoat_2 1 cs2Label=Server_Name cs2=Rhel67_webgoat_9_108 cs3Label=Incident_Level cs3=ATTACK cs4Label=Incident_Category cs4=WEB_ATTACK cs5Label=Incident_Type cs5=DOMXSS cs6Label=Incident_Timestamp cs6=11 Sep 2020 03:20:05 AM UTC cs7Label=Threat Level cs7=ATTACK cs8Label=Malicious Input cs8=[{"URL": ""http://10.16.9.108:8081/webgoat/start.mvc#name=<script>alert(String.fromCharCode(88,83,83));</script>""}, {"virsec_url": "#name=<script>alert(String.fromCharCode(88,83,83));</script>"}, cs9Label=Attacker cs9=10.16.9.21:35250 cs10Label=Event Source Name cs10=CVE cs11Label=Session token id cs11=88EE94A8B6954EC876D0591F92CE3E54 cs12Label=UUID cs12=9bc566ce-c083-4f cs13Label=HTTP Request cs13=GET http://10.16.9.108:8081/webgoat/start.mvc#name=<script>alert(String.fromCharCode(88,83,83));</script> cs14Label=pid cs14=27770 cs15Label=description cs15=DOMXSS cs16Label=category cs16=Web Attack cs17Label=eventTime cs17=2020-09-11T03:21:00.000+05:30 cs18Label=tid cs18=26
-
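For ingesting the fixed key definition format shown above, the following added example (not Virsec's own code) pairs each `csNLabel` with its `csN` value so events can be queried by label name. The function name `parse_fixed_key_cef`, the header field names (taken from the standard CEF header order) and the sample record are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the page's fixed-key layout; all values are made up.
SAMPLE = (
    "Sep 10 23:20:29 192.0.2.5 CEF: 1|Virsec Security Platform|Virsec|1.4.0|34|DOMXSS|10|"
    "EventId=VS-DOMXSS-EXAMPLE|cs1Label=Application_Name cs1=demo_app 1 "
    "cs5Label=Incident_Type cs5=DOMXSS cs7Label=Threat Level cs7=ATTACK "
    "cs9Label=Attacker cs9=198.51.100.7:35250 "
    "cs13Label=HTTP Request cs13=GET http://192.0.2.10:8081/app/start.mvc#name=PLACEHOLDER "
    "cs18Label=tid cs18=26"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# A key is EventId, csN or csNLabel, at the start of the extension or after a space or '|'.
KEY_RE = re.compile(r"(?<![^\s|])(EventId|cs\d+(?:Label)?)=")


def parse_fixed_key_cef(line):
    """Return (header, fields, duplicates) for one fixed-key CEF record."""
    _, sep, body = line.partition("CEF:")
    parts = body.strip().split("|", 7)
    if not sep or len(parts) != 8:
        raise ValueError("not a complete CEF record")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    ext = parts[7]
    matches = list(KEY_RE.finditer(ext))
    raw, duplicates = {}, []
    for m, nxt in zip(matches, matches[1:] + [None]):
        value = ext[m.end():nxt.start() if nxt else len(ext)].strip(" |")
        if m.group(1) in raw:
            duplicates.append(m.group(1))  # key seen twice: a value may contain key-like text
        else:
            raw[m.group(1)] = value        # first occurrence wins
    fields = {"EventId": raw.get("EventId")}
    for key, label in raw.items():
        if key.endswith("Label"):
            # Name the field by its label; None when the matching csN slot is absent.
            fields[label] = raw.get(key[:-len("Label")])
    return header, fields, duplicates


if __name__ == "__main__":
    header, fields, duplicates = parse_fixed_key_cef(SAMPLE)
    print(header["signature_id"], fields["Attacker"], duplicates)
```

Values such as Malicious Input and HTTP Request carry request data and the samples show no escaping of spaces or `=`, so a non-empty `duplicates` list marks a record whose field boundaries should not be trusted.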