Forensics Investigation Of Web Application Security Attacks


I. J. Computer Network and Information Security, 2015, 3, 10-17
Published Online February 2015 in MECS (http://www.mecs-press.org/)
DOI: 10.5815/ijcnis.2015.03.02
Copyright 2015 MECS

Forensics Investigation of Web Application Security Attacks

Amor Lazzez, Thabet Slimani
College of Computers and Information Technologies, Taif University, Kingdom of Saudi Arabia
Email: a.lazzez@gmail.com, thabet.slimani@gmail.com

Abstract—Nowadays, web applications are popular targets for security attackers. Using specific security mechanisms, we can prevent or detect a security attack on a web application, but we cannot find out the criminal who has carried out the security attack. Being unable to trace back an attack encourages hackers to launch new attacks on the same system. Web application forensics aims to trace back and attribute a web application security attack to its originator. This may significantly reduce the security attacks targeting a web application every day, and hence improve its security. The aim of this paper is to carry out a detailed overview of web application forensics. First, we define web application forensics, and we present a taxonomic structure of digital forensics. Then, we present the methodology of a web application forensics investigation. After that, we illustrate the supportive forensics tools for a web application forensics investigation. Next, we give a detailed presentation of a set of the main considered web application forensics tools. Finally, we provide a comparison of the main considered web application forensics tools.

Index Terms—Web application, Security Attack, Forensics Investigation.

I. INTRODUCTION

With the continuous evolution of development and networking technologies, web applications have become a fundamental means of information transmission and management in government agencies, enterprises and for individuals. Actually, nowadays, web technology underlies the majority of recent network applications such as e-commerce, e-banking, e-learning, e-medicine, e-mail, etc. Being deployed in various critical sectors such as marketing, trading, and banking, web applications have become popular targets for security attackers. Moreover, the variety of dependencies upon which a web application relies multiplies its vulnerabilities [1, 2]. These dependencies include the network infrastructure, the web server, the database servers, the web browsers, and the operating systems upon which the servers are installed [3]. Fig.1 shows the interactions between the different components of a web application and shows where vulnerabilities may affect a web application.

The above analysis shows that web applications constitute a motivating environment for attackers to perform security attacks. This has led to the development of various methods to perform a security attack on a web application. The most famous are: Cross-Site Scripting, SQL injection, Code Injection, and Buffer Overflow [1]. As web applications constitute the most important means of data communication over the Internet, different techniques have been developed to protect web applications against hackers. Firewalls and systems' security patching are used for attack prevention; intrusion detection systems and antivirus are used for attack detection [1, 4].

Based on the proposed attack detection schemes, we can detect that a web application has been attacked, but it is hard to find out the criminal who has carried out the security attack. As long as a hacker cannot be traced and followed up, attackers may always conceal themselves and launch new attacks. Therefore, it is crucial to build the capability to trace and attribute attacks to the real cyber criminals, which may significantly reduce the attacks we face every day.

Tracing back a security attack on a web application in order to identify where the attack originated, how it was propagated, and which computer(s) and person(s) are responsible is referred to as web application forensics [5, 6, 7]. Dealing with security attacks on web applications, web application forensics constitutes a specific branch of digital forensics, which deals with cyber criminals in general [8, 9].

To trace back a security attack on a web application, a forensics investigator relies on the fingerprints (digital evidence) left by the hacker on the crime scene, which are recorded in the different configuration and log files of the various components upon which the web application relies [3, 9, 10]. The digital evidence needed to investigate a web application attack may be gathered from one of the following files: web server(s) and application server(s) logs, server side scripts which are used by the web application, web server(s) and application server(s) configuration files, any third party installed software logs, and the operating system logs [9, 10].

While the above mentioned files constitute the main source for digital evidence collection, they sometimes lack data needed to conduct a forensics investigation of a given security attack [9, 10]. To overcome this issue, supportive forensics tools should be considered to help the collection of the needed digital evidence that cannot be

offered by the logging options of a web application. A required digital evidence may be provided by a network or an operating system forensics tool, or by a web application forensics tool offering extra logging facilities [9, 10].

Fig.1: Web Application Architecture

To effectively perform web application forensics, several techniques have been proposed to help an efficient management of the different sources of digital evidence. Referred to as web application forensics tools, these techniques provide an efficient analysis of the data they contain. Microsoft LogParser, EventLog Analyzer, Pyflag, Http-analyze, Analog, Open Web Analytics, Mywebalizer, CORE Wisdom, Logjam, Sawmill, and Lire are examples of the main tools used to investigate a web application security attack [3, 9, 16-25]. In addition to the use of a specific forensics tool, following a standard methodology is crucial for a successful and effective forensics investigation of a web application security attack [9, 10].

The aim of this paper is to carry out a detailed overview of web application forensics, a topic that aims to improve the security of web applications through the tracking and prosecution of hackers. First, we define web application forensics, and we distinguish the different branches of digital forensics. Then, we present the methodology that should be followed to help the successful accomplishment of a forensics investigation of a web application security attack. After that, we provide a detailed presentation of a set of techniques proposed to help the successful accomplishment of a forensics investigation of a hacked web application. Finally, we provide a technical comparison of the main considered web application forensics tools.

The remainder of this paper is organized as follows. Section 2 defines web application forensics and distinguishes it from the other branches of digital forensics. Section 3 presents a general methodology for a forensics investigation of a web application security attack. Section 4 provides a detailed overview of the main web application forensics tools. Section 5 concludes the paper.

II. WEB APPLICATION FORENSICS

Web application forensics aims to trace back and attribute a security attack on a web application to its originator [5-7]. Dealing with security attacks on web applications, web application forensics constitutes a specific branch of digital forensics, which deals with cyber criminals in general [8-9]. In addition to web application forensics, digital forensics incorporates other branches such as Operating System Forensics, Digital Image Forensics, and Network Forensics [8-9].

Web Application Forensics aims to trace back and attribute a security attack on a web application to its originator. To trace back a security attack, web application forensics mainly relies on the analysis of the log files of the different components of a web application (web browser, web server, database servers, application server) [3, 10]. Web application forensics is not concerned with the analysis of network level protocols and components, which is the focus of Network Forensics [6, 9]. Yet, examining the log files of the network level equipment (IP routers, IP switches, intrusion detection systems, firewalls, etc.) may be helpful for the accomplishment of a web application forensics investigation. Therefore, a web application forensics investigator should consider the supportive function of the network forensics tools towards a successful investigation of a security attack on a web application.

Operating system forensics deals with the analysis of system log files towards the investigation of a system

alteration [8], whereas digital image forensics considers image manipulations [8]. Like the network forensics tools, the operating system and digital image forensics tools constitute an appropriate support for a successful deployment of a web application forensics investigation [7-9].

At last, we should note that web application forensics does not deal explicitly with security attacks on web services [8-9]. The forensics investigation of a security attack on a web service is covered by Web Services Forensics, another branch of digital forensics that should be distinguished from web application forensics. Given that web applications and web services are both parts of the Cloud-Computing concept, which refers to Internet based applications and services, the authors in [9, 11, 26] define Cloud-computing Forensics, a novel branch of digital forensics which integrates web application forensics and web services forensics.

Fig.2 presents the taxonomic structure of digital forensics as it is presented in [9, 11]. The figure illustrates that digital forensics (DF) is subdivided into four branches, namely network forensics (NF), operating systems forensics (OSF), digital image forensics (DIF), and cloud-computing forensics (CCF). Cloud-computing forensics (CCF) is in its turn decomposed into two sub-branches: web application forensics (WAF) and web services forensics (WSF).

III. FORENSICS INVESTIGATION OF A WEB APPLICATION SECURITY ATTACK

A successful forensics investigation relies on a preliminary analysis phase and needs to follow a standard methodology [7, 9, 10, 12, 13]. In the following subsections, we first present the preliminary actions required for the accomplishment of a web application forensics investigation. Then, we present the steps that should be followed by a forensics investigator to conduct a thorough analysis of the hacking attempt. Finally, we illustrate how network, digital image, and operating systems forensics may support the achievement of a web application forensics investigation through the provision of further evidence.

A. Preliminary Analysis

The following preliminary actions are required for a successful forensics investigation of a security attack on a web application [7, 9, 12, 13]:

Application Forensics Readiness: The web application should be well prepared for a forensics investigation. This may be reached by:

Evidence collection: To prepare a web application for an eventual forensics investigation, it is highly recommended to enable the logging options to collect the maximum of digital evidence. If the logging options are left at the default settings, the evidence collection will be incomplete and the application will not be ready for a forensic investigation.

Evidence protection: given that the log files will constitute the main source of digital evidence to perform a forensics investigation, it is crucial to protect these files to ensure the integrity of the data they contain, and hence guarantee the accuracy of the digital evidence they provide. The following actions may be considered to protect the log files:
- Setting the proper permissions on the log files.
- Keeping the log files out of the hacker's reach. This can be done by using some sort of backup utility, which will save the log files on a remote server.
- Using some sort of checksum in order to verify the log files' integrity.

Supportive forensics: The forensics readiness of a web application ensures the collection of the maximum of digital evidence. But it does not guarantee the existence of all digital evidence required by a forensic investigation. Therefore, supportive forensics tools should be used to help the collection of the needed digital evidence that cannot be offered by the logging options of a web application. Digital evidence required to perform a forensic investigation of a web application security attack may be provided by a network or an operating system forensics tool, or by a third party tool offering extra logging facilities. More details about web application supportive forensics are presented in section IV.

Forensics investigator abilities: the forensics investigator should
- Have a good understanding of web applications: architecture, components, intended application flow, etc.
- Have a good understanding of the security issues of web applications: vulnerabilities, security attack methods, etc.
- Be well trained for forensics investigation.

B. Methodology

Following a standard methodology is crucial to perform a successful forensics investigation of a web application security attack. In order to conduct a thorough analysis of a web application security attack, a forensics investigator should follow the following methodology steps [7, 9, 10, 12]:

1. Protect the web application (could be several servers) during the forensic examination to prevent any modification of the evidence files.

2. Discover all files needed for the forensics investigation. This includes:
- Web server(s) and application server(s) logs.
- Server side scripts which are used by the web application.
- Web server(s) and application server(s) configuration files.
- Any 3rd party installed software log files.

- Operating system log files.

Fig.2: The Taxonomic Structure of the Digital Forensics

3. Perform a forensics analysis of the considered files to determine the sequence of events and the degree of compromise. During this step, the forensics investigator should divide the log files according to user sessions, which may give a better understanding of the session flow and timeline, and remove noise created by other users in the log files. During the analysis of a user session flow, the forensics investigator should be alerted by any of the fingerprints of a web application security attack. The following are examples of fingerprints and patterns left by web application hacking attempts:
- Unusual entries in the logs (GET requests to ASP pages which normally receive POST requests).
- Script abuse (CMD.exe, Root.exe, Upload.ASP).
- Excessive attempts from the same IP address.
- Unusually long processing times (SQL injection attempt).
- Files created or modified around the time of the suspected attack.
- Etc.

4. Prepare a report based on the data extracted from the web application.

5. Recommend post event actions.

C. Supportive Forensics

The aim of this subsection is to show how network forensics, digital image forensics, and operating systems forensics may support the achievement of a web application forensics investigation through the provision of further evidence [9]. Actually, the log data derived from an intrusion detection system may help a more accurate detection of an intruder's activities on a web application [6, 9]. Moreover, the forensics investigation of digital images uploaded to a compromised web application may, in some cases, assist the attribution of the intrusion to its originator [7, 9]. Finally, we should also note that the digital evidence collected from the cache memory of a hacked web application server that has not been restarted during or after the attack scenario may be helpful to perform a successful forensics investigation of the considered attack, even in the case of a lack of sufficient digital evidence in the server's log files [9, 14].

IV. WEB APPLICATIONS FORENSICS TOOLS

Given the huge amount of logged data that needs to be examined during a web application forensics investigation, automated tools have been proposed towards a successful deployment of web application forensics [3, 7, 9, 10, 16-25]. In the following subsections, we first present the main requirements for a web application forensics tool. Then, we present a brief overview of the most important web application forensics tools. Finally, we present a comparison of the presented web application forensics tools.

A. Requirements for a web application forensics tool

A detailed presentation of the main requirements for a web application forensics tool is given in [9, 15]. The following are the basic requirements of a web application forensics tool:
- Analyze log files in different formats.

- Take two independent and differently formatted evidence files and combine them.
- Handle big log files.
- Utilize regular expressions and binary logic on any observed parameter in a log file.
- Perform normalization by time to allow a proper investigation of time-stamps.
- Maintain a list of suspicious requests which should indicate a potential compromise.
- Utilize decoding of URL data so that it can be searched more easily in readable format.

B. Web Application Forensics Tools

In the following subsections, we present a brief overview of the most important web application forensics tools: Microsoft LogParser, EventLog Analyzer, Http-analyze, Pyflag, Analog, Open Web Analytics, Mywebalizer, CORE Wisdom, Logjam, Sawmill, and Lire [3, 9, 16-25].

Microsoft LogParser: Developed by Microsoft, LogParser [3, 9] is a flexible command line utility that provides universal query access to text-based data such as log files (web server log files, DNS log files, HTTP error log files), XML files, W3C files, TSV files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory. LogParser produces output in standardized formats such as CSV, TSV, XML, Syslog, W3C, IIS, SQL, and non-standard formats, which require either immediate presentation or include graphical output such as DATAGRID, CHART and NAT. LogParser does not provide a graphical user interface, but provides its functionality through command line invocation by script, or through direct manipulation of queries by a prompt interface. For a more convenient use of the LogParser tool, two programs that provide a graphical user interface and graphical outputs have been developed: Logparser Lizard and Visual Logparser. The LogParser language includes a set of functions that perform string manipulation, arithmetic operations, and provide access to system details. Each of these functions can modify or manipulate the content of fields in some manner. The log file conversion capabilities of LogParser help the adaptation of log files to queries for performing analysis, including correlation. For correlation, LogParser has the capability of combining the data from multiple sources and then performing queries upon it. LogParser has been used to monitor user activities, monitor system file integrity, check for SQL injection attacks, check for excessive failed logon attempts, determine malicious modifications, identify brute force attacks, and reconstruct intrusions. As a limitation of this tool, LogParser does not include methods of analysis, only the ability to perform the queries. The user must create useful queries to satisfy any analysis requirements.

EventLog Analyzer: Eve
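As an added example (not code from the paper or from any of the tools it surveys), the following Python script carries out the session-splitting and fingerprint review of methodology step 3 in section III.B, and the URL-decoding and regular-expression requirements of section IV.A, over a constructed IIS W3C-style log sample; the list of POST-only pages and the two thresholds are assumptions.

```python
# Added example: session-split fingerprint review of a constructed IIS W3C-style log.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken(ms).
import re
from collections import defaultdict
from urllib.parse import unquote

SAMPLE_LOG = """\
2015-02-01 10:00:01 203.0.113.5 GET /index.asp - 200 12
2015-02-01 10:00:02 203.0.113.5 POST /login.asp - 302 40
2015-02-01 10:00:03 198.51.100.9 GET /login.asp user=admin'%20OR%20'1'='1 500 4200
2015-02-01 10:00:04 198.51.100.9 GET /scripts/cmd.exe - 404 8
2015-02-01 10:00:05 198.51.100.9 GET /index.asp - 200 11
2015-02-01 10:00:06 198.51.100.9 GET /index.asp - 200 10
2015-02-01 10:00:07 198.51.100.9 GET /upload.asp - 200 9
"""

POST_ONLY_PAGES = {"/login.asp", "/upload.asp"}   # assumed: pages that normally receive POST
SCRIPT_ABUSE = re.compile(r"cmd\.exe|root\.exe|upload\.asp", re.I)
SQLI_HINT = re.compile(r"'\s*(or|and)\s+", re.I)  # quote followed by a boolean operator
MAX_REQUESTS_PER_IP = 4                           # assumed "excessive attempts" threshold
SLOW_MS = 1000                                    # assumed "unusually long processing" threshold
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(log_text):
    """Parse W3C-style lines into dicts, URL-decoding the request; skip unparseable lines."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, time, ip, method, stem, query, status, ms = m.groups()
        entries.append({"ts": f"{date} {time}", "ip": ip, "method": method,
                        "stem": unquote(stem).lower(), "query": unquote(query),
                        "status": int(status), "ms": int(ms)})
    return entries

def scan(entries):
    """Split entries into per-IP sessions and return {ip: [fingerprint findings]}."""
    sessions = defaultdict(list)
    for e in entries:
        sessions[e["ip"]].append(e)
    findings = defaultdict(list)
    for ip, reqs in sessions.items():
        if len(reqs) > MAX_REQUESTS_PER_IP:
            findings[ip].append(f"excessive attempts: {len(reqs)} requests")
        for e in reqs:
            request = f"{e['stem']} {e['query']}"
            if e["method"] == "GET" and e["stem"] in POST_ONLY_PAGES:
                findings[ip].append(f"{e['ts']} GET to POST-only page {e['stem']}")
            if SCRIPT_ABUSE.search(request):
                findings[ip].append(f"{e['ts']} script abuse: {request}")
            if SQLI_HINT.search(request) or e["ms"] >= SLOW_MS:
                findings[ip].append(f"{e['ts']} SQL injection hint, {e['ms']} ms")
    return dict(findings)

if __name__ == "__main__":
    for ip, notes in scan(parse(SAMPLE_LOG)).items():
        print(ip, *notes, sep="\n  - ")
```

Only the session of 198.51.100.9 yields findings; the first client's GET to /index.asp and POST to /login.asp match none of the fingerprints.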
