Detecting Web Attacks Writeup

Overview

This room explores web attacks and detection methods through log and network traffic analysis, covering client-side and server-side attacks.

Task 1: Introduction to Web Attacks

1.1 What class of attacks relies on exploiting the user's behavior or device?

1.2 What is the most common client-side attack?

Task 2: Server-Side Attacks

2.1 What class of attacks relies on exploiting vulnerabilities within web servers?

2.2 Which server-side attack lets attackers abuse forms to dump database contents?

Task 3: Analyzing the Logs

3.1 What is the attacker's User-Agent while performing the directory fuzz?

3.2 What is the name of the page on which the attacker performs a brute-force attack?

3.3 What is the complete, decoded SQLi payload the attacker uses on the /changeusername.php form?

Task 4: Practical Analysis

4.1 What password does the attacker successfully identify in the brute-force attack?

4.2 What is the flag the attacker found in the database using SQLi?

Task 5: Detection and Prevention

5.1 What do WAFs inspect and filter?

5.2 Create a custom firewall rule to block any User-Agent that matches "BotTHM".

Lessons Learned

• Client-side attacks target user behavior and devices rather than servers
• XSS (Cross-Site Scripting) is the most common client-side attack
• Server-side attacks exploit web server vulnerabilities directly
• SQL injection allows attackers to dump database contents through form abuse
• Directory fuzzing tools like FFUF can be identified by their User-Agent strings
• Brute-force attacks often target login pages like /login.php
• SQL injection payloads commonly use techniques like ' OR '1'='1 to bypass authentication
• Weak passwords remain a significant security vulnerability
• SQL injection can be used to extract sensitive data including flags
• Web Application Firewalls (WAFs) inspect and filter incoming web requests
• Custom firewall rules can block specific User-Agent patterns