(IJCNS) International Journal of Computer and Network Security, Vol. 1, No. 1, October 2009

Evidence Gathering System for Input Attacks

Deepak Singh Tomar (1), J. L. Rana (2) and S. C. Shrivastava (3)

(1) Faculty, Department of Computer Science and Engineering, Maulana Azad National Institute of Technology (MANIT) Bhopal, India
(2) Faculty, Department of Computer Science and Engineering, Maulana Azad National Institute of Technology (MANIT) Bhopal, India
(3) Faculty, Department of Electronics, Maulana Azad National Institute of Technology (MANIT) Bhopal, India

Abstract: In cyber forensics, web server logs are an important source of evidence. The navigation activity of users on a web site is recorded in the web server log file. An attacker exploits a web form as the entry point for input attacks on the web application, such as SQL injection, cross-site scripting and buffer overflow. The web server log, however, does not keep track of the information that the end user or attacker fills into the web form. In this work a prototype system is developed to demonstrate input attacks and to log the suspicious code (SQL or script) that an attacker submits through HTTP to carry out an input attack on the web application.

Keywords: cyber forensic, input attack, web server log, evidence gathering.

1. Introduction

An input attack is carried out by a malicious user entering hostile code into a web form or into the address bar of the web browser. SQL injection, cross-site scripting (XSS) and buffer overflow are security vulnerabilities found in web applications that allow an attacker to inject script, SQL or arbitrary values through an available web form. SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application: the attacker inserts arbitrary data, most often a fragment of a database query, into an available search form, and that data is eventually executed by the database. The injected query may impair the database by retrieving unauthorized data, altering sensitive data or erasing data. Both SQL injection and cross-site scripting are consequences of poor web application programming. This form of SQL injection occurs when user input is not filtered for escape characters and is then passed directly into an SQL statement.

Cross-site scripting (XSS) attacks occur when a web server gathers data from a user through a web form and echoes it back into a page without encoding it. A malicious user may insert JavaScript or VBScript code into an available web form; when the page is rendered, the script may read and display the current cookie values or redirect the user to another web site.

In a computer, a memory buffer has a fixed maximum size and is used to store the input data supplied by the end user. A buffer overflow input attack occurs when user input exceeds the maximum buffer size and the extra input is written into unexpected memory locations. In this attack the attacker submits a string larger than the buffer can accommodate, so the buffer overflows. In this way it is easy to crash a web application by overflowing a buffer; rather than crashing the web server, however, an attacker is usually more interested in transferring control to hostile code that may harm the system.

2. Challenges

Limitation of barrier defense (firewall): HTTP is treated as "friendly" traffic by a firewall, so firewall solutions are generally ineffective for web application security. A firewall is built so that the firewall itself is immune to penetration, and it provides direction control, service control, user control and behavior control; but URL interpretation attacks, input validation attacks, SQL query poisoning and HTTP session hijacking all travel inside legitimate HTTP and cannot be prevented by a firewall.

Missing evidence data in the web server log: Web server logs are an important source of evidence against an attacker, but it is difficult to discern what truly happened from web logs alone. Web logs may not show whether an attack was successful, what happened after the attack, or the extent of the attack. In order to discover and understand an attempted web application attack, the cyber forensic expert first needs to gather all the clues from the crime scene. Collecting these "digital fingerprints" left by the reckless hacker requires that all of the following data fields are available for every HTTP request:
- Date
- Time
- Client IP Address
- HTTP Method
- URI
- HTTP Query
- A full set of HTTP headers
- The full request body

Some of this data can be extracted from files such as the web server or application server log files, but unfortunately the most crucial data is unavailable through these sources. Most web and application servers do not give access to HTTP information such as the full set of HTTP headers and the request body.
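The SQL injection mechanism described in the Introduction, shown in working code as an added example (not the paper's ASP/JScript application): an in-memory SQLite stand-in for the my_employee table, the vulnerable string-concatenated query beside its parameterized form, and the paper's tautology 17 or a=a written with single quotes, which is what SQLite (unlike MS Access) uses for string literals. The table rows and the name and salary columns are constructed for the example.

```python
"""The SQL injection from the Introduction, run against an in-memory SQLite
stand-in for the paper's my_employee table.  Added example, not the paper's
ASP/JScript code; the rows and the name/salary columns are constructed."""
import sqlite3

TABLE = "my_employee"


def make_db() -> sqlite3.Connection:
    """Constructed sample data; only the scode column comes from the paper."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {TABLE} (scode TEXT, name TEXT, salary INTEGER)")
    con.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
        [("17", "Asha", 42000), ("23", "Ravi", 51000), ("31", "Meena", 39000)],
    )
    return con


def vulnerable_sql(secret_code: str) -> str:
    """The query the vulnerable page builds: user input pasted into SQL text.

    Access accepts double-quoted string literals, which is why the paper shows
    scode = "17" or "a"="a"; SQLite uses single quotes, so the same attack is
    written with single quotes here."""
    return f"SELECT * FROM {TABLE} WHERE scode = '{secret_code}'"


def lookup_vulnerable(con: sqlite3.Connection, secret_code: str) -> list:
    """What the vulnerable page returns for the given secret code."""
    return con.execute(vulnerable_sql(secret_code)).fetchall()


def lookup_parameterized(con: sqlite3.Connection, secret_code: str) -> list:
    """Hardened form: the value is bound as a parameter and can never become
    part of the SQL grammar, so a tautology in it is just an unmatched code."""
    return con.execute(f"SELECT * FROM {TABLE} WHERE scode = ?", (secret_code,)).fetchall()


def demo() -> dict:
    """Row counts for a normal code and the paper's tautology, both ways."""
    con = make_db()
    normal = "17"
    attack = "17' or 'a'='a"   # the paper's  17 or a=a  in SQLite quoting
    return {
        "vulnerable_normal": len(lookup_vulnerable(con, normal)),
        "vulnerable_attack": len(lookup_vulnerable(con, attack)),
        "param_normal": len(lookup_parameterized(con, normal)),
        "param_attack": len(lookup_parameterized(con, attack)),
    }


if __name__ == "__main__":
    print(vulnerable_sql("17' or 'a'='a"))
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

With the tautology, the vulnerable lookup returns every row of the table, which is exactly the privacy failure the paper later shows in Figure 4; the parameterized lookup returns nothing, because the bound value is compared as one literal string rather than parsed as SQL.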
Without those fields many log entries look alike, and the person conducting the forensic investigation will not be able to distinguish between valid requests and lethal web application attacks.

The following form is an example of the "invisible data in HTTP POST request" problem. The login and password values are carried in the body of the POST request, and the body is never written to the web server log:

<FORM NAME="M1" METHOD="POST" ACTION="rdata.asp">
Enter login <INPUT TYPE="TEXT" NAME="tname">
Enter Password <INPUT TYPE="PASSWORD" NAME="tpass">
<INPUT TYPE="SUBMIT" VALUE="send data">
</FORM>

The following is an entry from the Microsoft IIS log file (W3C extended log format):

2009-09-30 00:15:08 192.168.1.8 - W3SVC1 DEEPAK 192.168.1.4 80 GET /xss1/postprob.asp - 200 0 426 372 594 HTTP/1.1 deepak Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - -

All of the HTTP headers sent by the client are available to the ASP page as server variables, always prefixed with HTTP_ and capitalized; Figure 1 shows the headers captured from an actual request.

Figure 1: Cross-site scripting attack redirecting control of the web site to the hacking zone

Some of the important data are missing from the log entry. In a web application forensic investigation the forensic expert will surely fail to recognize, from this entry alone, that the request was an input attack in which an attacker inserted suspicious data into the web form.

3. Environmental Setup and Experimental Result

The experiment environment includes a Microsoft Internet Information Server (IIS), the attacker's computer and a forensic computer on the Institute intranet (Figure 2).

Figure 2: Environmental setup

The environment is built with ASP and JScript, with MS Access as the database, and the resulting web application is vulnerable to input attacks. Attacks such as cross-site scripting and SQL injection are performed in this environment to generate the attacker scenario.
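To make the gap concrete, here is an added example (not the paper's code) that parses the IIS log entry above into named fields and checks it against the evidence list from Section 2. The entry carries no #Fields header, so the field order is an assumption: it is the order IIS 5.x writes when all W3C extended fields are enabled, which matches the entry's 21 tokens. The second log line, a POST to rdata.asp carrying a tautology in the password field, is constructed for the example.

```python
"""What a Microsoft IIS W3C extended log entry preserves for a forensic
investigator, and what it silently drops.  Added example, not code from the
paper.  The paper's entry carries no #Fields header, so the field order used
here is assumed: it is the order IIS 5.x writes when every W3C extended field
is enabled, and it matches the 21 tokens of the paper's sample line."""

IIS5_W3C_FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version",
    "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)",
]

# The GET entry quoted in the paper, re-joined onto one line.
PAPER_ENTRY = (
    "2009-09-30 00:15:08 192.168.1.8 - W3SVC1 DEEPAK 192.168.1.4 80 GET "
    "/xss1/postprob.asp - 200 0 426 372 594 HTTP/1.1 deepak "
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - -"
)

# Constructed (not from the paper): the same client submitting the login form
# to rdata.asp with the tautology  17 or a=a  in the tpass field.  IIS writes
# only the method, the URI stem and an empty query; the POST body, where the
# payload actually lives, has no column at all.
CONSTRUCTED_POST_ENTRY = (
    "2009-09-30 00:16:41 192.168.1.8 - W3SVC1 DEEPAK 192.168.1.4 80 POST "
    "/xss1/rdata.asp - 200 0 512 441 31 HTTP/1.1 deepak "
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) - "
    "http://deepak/xss1/postprob.asp"
)

# The per-request evidence the paper lists, mapped to the W3C field that could
# carry it; None means the log format has no field for it at all.
REQUIRED_EVIDENCE = {
    "Date": "date",
    "Time": "time",
    "Client IP Address": "c-ip",
    "HTTP Method": "cs-method",
    "URI": "cs-uri-stem",
    "HTTP Query": "cs-uri-query",
    "Full set of HTTP headers": None,   # only User-Agent, Cookie, Referer exist
    "Full request body": None,
}


def parse_w3c_line(line: str, fields=IIS5_W3C_FIELDS) -> dict:
    """Split one W3C extended line into a dict; '-' is IIS for 'empty'."""
    tokens = line.split()
    if len(tokens) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}")
    return {name: (None if tok == "-" else tok) for name, tok in zip(fields, tokens)}


def evidence_gaps(entry: dict) -> dict:
    """Which required evidence items this entry cannot provide, and why."""
    never_logged = [item for item, field in REQUIRED_EVIDENCE.items() if field is None]
    empty = [item for item, field in REQUIRED_EVIDENCE.items()
             if field is not None and entry.get(field) is None]
    return {"never_logged": never_logged, "empty_in_this_entry": empty}


def payload_visible(line: str, payload: str) -> bool:
    """Would a search of the log line for the attacker's input find it?"""
    return payload in line


if __name__ == "__main__":
    for raw in (PAPER_ENTRY, CONSTRUCTED_POST_ENTRY):
        entry = parse_w3c_line(raw)
        print(entry["cs-method"], entry["cs-uri-stem"], evidence_gaps(entry))
    print("tautology visible in POST entry:",
          payload_visible(CONSTRUCTED_POST_ENTRY, "or a=a"))
```

The two entries differ only in method, URI stem, byte counts and referer; the headers beyond User-Agent, Cookie and Referer and the entire request body are never logged, so the investigator sees a successful POST to rdata.asp and nothing that distinguishes it from a legitimate login.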
Figure 3 shows the cross-site scripting attack. The attacker simply enters the following JavaScript code into the web form:

<script>document.location="hack.html"</script>

When the submit button is pressed, the browser executes the script and control is redirected to hack.html.

Figure 3: Cross-site scripting attack redirecting control of the web site to the hacking zone

Figure 4 shows the SQL injection attack. In the normal situation the user enters his secret code and the relevant information is displayed, filtered by that code. If a suspicious user (attacker) types the following into the secret code field

17 or a=a

the server is manipulated into running the following SQL command:

SELECT * from my_employee where scode = "17" or "a"="a";

which selects all of the information stored in the my_employee table, an attack on privacy.

As discussed above, attacks that exploit the input vulnerability of a web application are not recorded in the Microsoft IIS log file. When an attacker inserts script or SQL into the web form to conduct an input attack, the developed logging system stores the submitted input, and that record is used for gathering evidence. Figure 5 shows the log entry of the developed system.

Figure 4: SQL injection attack, providing the attacker with all of the information stored in the my_employee table
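An added example of a logging system of the kind the paper describes, written in Python as a WSGI middleware rather than the authors' ASP/JScript code: for every request it records the evidence fields listed in Section 2 (date, time, client IP, method, URI, query, all headers and the full body), decodes the form fields, and flags submitted values that look like the two payloads above. WSGI exposes client headers under the same HTTP_ prefix that ASP uses. The detection patterns, the stand-in for rdata.asp and the three submitted forms are constructed for the example; the patterns are illustrations, not a complete signature set.

```python
"""Evidence logger in the spirit of the paper's developed system: a WSGI
middleware that records the fields a forensic expert needs (date, time,
client IP, method, URI, query, all headers, full body) and flags form values
that look like script injection or a SQL tautology.  Added example, not the
authors' ASP/JScript code; the patterns are illustrations only."""
import io
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# A <script> tag, a javascript: URL, or the DOM objects used by the paper's redirect payload.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|document\.(cookie|location)", re.I)
# A tautology  or X=X  /  or 'X'='X  (the paper's 17 or a=a), UNION SELECT, or a comment opener.
SQL_RE = re.compile(r"""\bor\b\s*(['"]?)(\w+)\1\s*=\s*\1\2\b|\bunion\b\s+\bselect\b|--|/\*""", re.I)


def classify(value: str) -> list:
    """Labels for one submitted value; an empty list means nothing suspicious."""
    return [name for name, rx in (("xss", SCRIPT_RE), ("sqli", SQL_RE)) if rx.search(value)]


def inspect_fields(environ: dict, body: bytes):
    """Decode query-string and form-body fields; return (fields, flagged)."""
    fields = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    if environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            fields.setdefault(name, []).extend(values)
    flagged = {}
    for name, values in fields.items():
        labels = sorted({label for v in values for label in classify(v)})
        if labels:
            flagged[name] = labels
    return fields, flagged


def build_record(environ: dict, body: bytes) -> dict:
    """One evidence record carrying every item the paper lists as required."""
    now = datetime.now(timezone.utc)
    # WSGI, like ASP, exposes client headers as HTTP_ + upper-cased name.
    headers = {k[5:].replace("_", "-").title(): v
               for k, v in environ.items() if k.startswith("HTTP_")}
    headers.update({k.replace("_", "-").title(): environ[k]
                    for k in ("CONTENT_TYPE", "CONTENT_LENGTH") if environ.get(k)})
    fields, flagged = inspect_fields(environ, body)
    return {
        "date": now.date().isoformat(),
        "time": now.strftime("%H:%M:%S"),
        "client_ip": environ.get("REMOTE_ADDR"),
        "method": environ.get("REQUEST_METHOD"),
        "uri": environ.get("PATH_INFO"),
        "query": environ.get("QUERY_STRING", ""),
        "headers": headers,
        "body": body.decode("latin-1"),
        "fields": fields,
        "suspicious": flagged,
    }


class EvidenceLogger:
    """Wrap a WSGI app; write one JSON line per request to `sink`."""

    def __init__(self, app, sink):
        self.app, self.sink = app, sink   # sink: any object with .write(str)

    def __call__(self, environ, start_response):
        length = int(environ.get("CONTENT_LENGTH") or 0)
        body = environ["wsgi.input"].read(length) if length > 0 else b""
        # Hand the application a fresh stream so the capture is transparent to it.
        environ["wsgi.input"] = io.BytesIO(body)
        self.sink.write(json.dumps(build_record(environ, body)) + "\n")
        return self.app(environ, start_response)


def _rdata_app(environ, start_response):
    # Constructed stand-in for the paper's rdata.asp; it ignores the input.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def run_demo() -> list:
    """Post a normal login and the paper's two payloads; return the records."""
    sink = io.StringIO()
    app = EvidenceLogger(_rdata_app, sink)
    submissions = [  # constructed form bodies, percent-encoded as a browser sends them
        b"tname=deepak&tpass=secret",
        b"tname=%3Cscript%3Edocument.location%3D%22hack.html%22%3C%2Fscript%3E&tpass=x",
        b"tname=deepak&tpass=17+or+a%3Da",
    ]
    for raw in submissions:
        environ = {
            "REQUEST_METHOD": "POST", "PATH_INFO": "/xss1/rdata.asp",
            "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "CONTENT_LENGTH": str(len(raw)), "REMOTE_ADDR": "192.168.1.8",
            "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
            "wsgi.input": io.BytesIO(raw),
        }
        setup_testing_defaults(environ)
        list(app(environ, lambda status, headers: None))
    return [json.loads(line) for line in sink.getvalue().splitlines()]


if __name__ == "__main__":
    for record in run_demo():
        print(record["fields"], "->", record["suspicious"] or "clean")
```

Because the middleware reads the body before the application does and re-wraps it, the application behaves exactly as before while the evidence file now holds the decoded tname and tpass values the IIS log never saw. The same record is written for clean requests (the paper's "normal entry"), so the investigator can compare an attack against the surrounding legitimate traffic from the same client.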
Figure 5: log generated from the developed system, showing the normal entry 100 and also the attacker's input string

4. Conclusion and Future Work

Cyber forensics relies on web server log events when searching for evidence. Web server log files capture the behavior of the web server but not the behavior of the attacker or end user. In this paper a log-based evidence gathering system is designed and implemented for an intranet environment. The developed system also demonstrates the impact points of an input attack scenario, which are of prime importance to a forensic investigator. The results are encouraging, and the authors were able to trace the input attacks successfully from the developed log-based system. The developed system primarily gathers evidence for SQL injection and cross-site scripting (XSS) attacks. It helps the forensic expert gather, from the developed log file, the important evidence that is missing from conventional flat web server log files. Future work will focus on securing the web server logging system and on improving the structure of web server logs.

Deepak Singh Tomar holds M.Tech and B.E. degrees in Computer Science & Engineering and is working as Assistant Professor in the Computer Science & Engineering Department. He has 14 years of teaching experience (PG & UG) and has guided 16 M.Tech theses.

Dr. J. L. Rana is Professor & Head of Computer Science & Engineering. Ph.D. IIT Mumbai, M.S. USA (Hawaii). He has guided six Ph.D. students.

Dr. S. C. Shrivastava is Professor & Head of Electronics. He has guided three Ph.D. and 36 M.Tech students, and has presented nine papers in international and twenty papers in national conferences in India.