WEB APPLICATION FORENSICS
What is Web Application Forensics?
Web application forensics involves tracing back a security attack that occurred on a web application to identify its origin and how the application was penetrated. This process also includes collecting and analyzing the logs and configuration files associated with the web server, application server, database server, system events, etc. to determine the cause, nature and perpetrator of a web attack.
Challenges in Web Application Forensics
- Due to the distributed nature of web applications, traces of activity are recorded across numerous hardware and software components.
- Very limited or no downtime is allowed for investigation.
- Requires the analysis and correlation of huge volumes of logs.
- Requires complete knowledge of different web servers, application servers, databases and underlying applications.
- Tracing back is difficult in case of reverse proxies and anonymizers.
Indicators of Web Attack
- Inability to access the application.
- Suspicious activities in user accounts.
- Leakage of sensitive data.
- URLs redirecting to incorrect websites.
- Webpage defacements.
- Unusually slow network performance.
- Frequent rebooting of the server.
Threats in Web Application
- Cookie Poisoning.
- SQL Injection.
- XSS.
- CSRF.
- DoS/DDoS.
- Broken Authentication.
- Information Leakage.
- Buffer Overflow.
- Log Tampering.
- Directory Traversal.
- Broken Access Control.
- Improper Error Handling.
- Security Misconfiguration.
- Un-validated Inputs.
Investigation Methodology
- Conduct individual interviews to obtain information.
- Locate servers or other devices involved in the security attack, take them offline, and perform seizure in a forensic manner.
- Follow the process of forensic image acquisition and duplication.
- Collect logs from the web server, application server, database server, web application firewall, local system events, SIEM tool, and IDS, along with application and server configuration files.
- Use encryption and checksum to verify and protect the integrity of log files.
- Analyze the working copies of collected logs to look for suspicious entries and correlate the data to build a chain of events unfolding the whole attack scenarios.
- Trace the attacking IP to identify the perpetrator of the attack.
- Document every step of the investigation.
Collecting & Analyzing IIS Logs
IIS (Internet Information Services) is a Windows web server that is flexible, secure and easy to use and manage for hosting anything on the web. IIS stores all the information about visits to the server in log files. All the logs that IIS generates are ASCII text-based log files.
- IIS logs provide useful information regarding the activity of the various web applications hosted on the server.
- Data like client IP address, username, date & time, request time, etc. can be gathered from IIS logs.
- Log files can be fetched from %SystemDrive%\inetpub\logs\LogFiles.
Collecting & Analyzing Apache Web Server Logs
Apache is a web server that supports many OSs, such as Unix, GNU, FreeBSD, Linux, Windows, macOS etc. An Apache web server generates two types of logs: Access Logs and Error Logs. Apache web server logs provide information about web application activities, such as the following:
- IP address of the client machine.
- ID of the client machine.
- User ID of the client.
- Date & Time.
- Request line from the client.
- Status Code.
- Size of the object returned to the client.
Apache Access Logs contain the requests processed by the Apache server. The default locations of the access logs are:
- RHEL/Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log
- Debian/Ubuntu Linux -> /var/log/apache2/access.log
- FreeBSD -> /var/log/httpd-access.log
Apache Error Logs contain information about the errors handled by the Apache web server.
- Common location -> /var/log/apache2/error.log
Collecting & Analyzing Windows Server Logs
Windows server logs can be viewed or collected from Event Viewer. The suspicious events to be checked are:
- Event log service is not working.
- Windows file protection is inactive.
- Microsoft Telnet service is running.
- System has failed login attempts or locked-out accounts.
Other tools and commands that can be used to analyze a Windows server:
- net view <IP ADDRESS> -> review file shares.
- net session -> verify the users with open sessions.
- net use -> check which sessions have been opened with other systems.
- nbtstat -S -> analyze NetBIOS over TCP/IP activity.
- netstat -na -> find whether TCP and UDP ports have unusual listeners.
- schtasks.exe -> review scheduled tasks.
- lusrmgr.msc -> check for creation of new accounts in the Administrators group.
- taskmgr -> Task Manager, to review running processes.
- net start -> look for unusual network services.
Investigating Various Types of Attacks in Web Application
- Use regex searches to find HTML tags, XSS signature words and their hex equivalents in web server, IDS, SIEM logs, etc.
- Use regex searches for characters such as ', --, =, ; etc. to detect SQLi.
- Go through the log file for unencrypted (HTTP) requests and responses.
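As an added example (not part of the original notes), the following Python script parses Apache Common Log Format lines into the seven fields listed earlier, URL-decodes the request line, and flags entries that match the XSS and SQLi signature patterns described above; the log lines are constructed samples, and the signature patterns are simple assumptions that a real investigation would tune.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache Common Log Format (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
198.51.100.4 - alice [10/Oct/2023:13:56:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812
198.51.100.4 - alice [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 -
"""

# Client IP, ident, user ID, date/time, request line, status code, object size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed signature patterns, applied to the URL-decoded request line.
# The lone ";" and "'" tokens are noisy on real traffic; treat hits as leads, not verdicts.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|onerror\s*=|onload\s*=", re.I),
    "sqli": re.compile(r"'|--|;|\bor\b\s+'?\d|\bunion\b\s+\bselect\b", re.I),
}

def parse_clf(line):
    """Return a dict of CLF fields, or None if the line does not match the format."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body
    return rec

def classify(rec):
    """Return the names of signatures matching the decoded request line."""
    decoded = unquote(rec["request"])  # hex-encoded payloads become readable here
    return [name for name, pat in SIGNATURES.items() if pat.search(decoded)]

def scan_log(text):
    """Parse every line; return (ip, time, request, hits) for lines with signature hits."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue  # malformed line: worth noting separately in a real review
        hits = classify(rec)
        if hits:
            findings.append((rec["ip"], rec["time"], rec["request"], hits))
    return findings

if __name__ == "__main__":
    for ip, when, req, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {when} {hits} {req}")
```

Correlating the flagged client IPs and timestamps against the error log and application logs is the next step in building the chain of events.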