Web application security - the fast guide 1.1 | Page 153

Chapter 7 - Attack execution (3)
7.11.1 Web Server Logs
Web server logs are considered the most important log source for web application security. Most web servers support the CLF (Common Log Format) specification, which stores the information about each HTTP request on a separate line. Each line is composed of the following space-separated fields (host, ident, authuser, date, request, status, bytes); when the value of a field is missing it is substituted by a hyphen.
• host: the fully qualified domain name of the client, or its IP address.
• ident: the identity information reported by the client (only filled in when the IdentityCheck directive is on and the client runs identd).
• authuser: the user name, if the requested URL required successful HTTP basic authentication.
• date: the date and time of the request, enclosed in square brackets.
• request: the request line from the client, enclosed in double quotes (").
• status: the three-digit HTTP status code returned to the client.
• bytes: the number of bytes in the object returned to the client, excluding all HTTP headers.
7.11.2 Escape logging
Many web servers deliberately do not log requests with very long URLs, to prevent denial of service through log file growth. Once again a defense mechanism becomes a tool in the hands of the attacker: it is sufficient to craft a request whose URL exceeds the server's logging limit (4,097 characters for IIS and Sun ONE web servers) to avoid being logged, so an SQL injection attack can be executed without leaving any trace simply by appending extra fake parameters and parameter values until the URL reaches that length, noting that this
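The following is an added example (not code from the guide or from any web server) covering both 7.11.1 and 7.11.2: it parses CLF lines into the seven fields above, pads an injection URL the way the text describes, compares the "skip long requests" logging policy with one that truncates and marks the entry, and runs a detector over what each policy wrote. The 4,097-character limit is the figure from the text; the IP addresses, timestamp, injection payload, `[TRUNCATED:n]` marker and the SQL-injection signature are all constructed for the example.

```python
"""CLF parsing and the long-URL logging gap (constructed example)."""
import re

# Common Log Format: host ident authuser [date] "request" status bytes
# The request field may contain backslash-escaped characters (e.g. \"), so
# it is matched as "anything but an unescaped double quote".
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

LOG_URL_LIMIT = 4097            # cutoff cited in the text for IIS and Sun ONE
DATE = "10/Oct/2000:13:55:36 -0700"   # constructed timestamp for the sample lines


def parse_clf(line):
    """Parse one CLF line into a dict; a '-' field becomes None."""
    m = CLF_RE.match(line)
    if m is None:
        raise ValueError(f"not a CLF line: {line!r}")
    rec = m.groupdict()
    for key in ("ident", "authuser", "bytes"):
        if rec[key] == "-":
            rec[key] = None
    rec["status"] = int(rec["status"])
    if rec["bytes"] is not None:
        rec["bytes"] = int(rec["bytes"])
    # Split the request line into method, URL and protocol version.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["url"] = parts[1] if len(parts) > 1 else None
    rec["protocol"] = parts[2] if len(parts) > 2 else None
    return rec


def format_clf(host, ident, authuser, date, request, status, nbytes):
    """Write one CLF line, substituting '-' for missing values."""
    f = lambda v: "-" if v is None else str(v)
    return f'{host} {f(ident)} {f(authuser)} [{date}] "{request}" {status} {f(nbytes)}'


def pad_url(url, limit=LOG_URL_LIMIT):
    """Attacker side: append fake parameters until the URL exceeds `limit`."""
    i = 0
    while len(url) <= limit:
        url += f"&z{i}={'A' * 100}"
        i += 1
    return url


def log_drop_long(host, method, url, status, nbytes, limit=LOG_URL_LIMIT):
    """The policy the text describes: over-length URLs are not logged at all."""
    if len(url) > limit:
        return None                      # nothing written: the attack leaves no trace
    return format_clf(host, None, None, DATE, f"{method} {url} HTTP/1.0", status, nbytes)


def log_truncate_flag(host, method, url, status, nbytes, limit=LOG_URL_LIMIT):
    """Hardened policy: keep a bounded prefix and mark the entry with the real length."""
    if len(url) > limit:
        url = url[:limit] + f"[TRUNCATED:{len(url)}]"   # constructed marker
    return format_clf(host, None, None, DATE, f"{method} {url} HTTP/1.0", status, nbytes)


# Deliberately small signature: quote followed by OR/AND, UNION SELECT, or ;DROP/;DELETE.
SQLI_RE = re.compile(
    r"(?:'|%27)[+\s]*(?:or|and)\b|union[+\s]+(?:all[+\s]+)?select|;[+\s]*(?:drop|delete)\b",
    re.IGNORECASE,
)


def suspicious(records):
    """Return records whose URL matches the signature or carries the truncation marker."""
    return [r for r in records
            if SQLI_RE.search(r["url"] or "") or "[TRUNCATED:" in (r["url"] or "")]


def escape_logging_demo():
    """Run the scenario from the text against both logging policies."""
    injection = "'+OR+'1'%3D'1"                                  # constructed payload
    head_attack = pad_url("/products.asp?id=12" + injection)     # payload before the padding
    tail_attack = pad_url("/products.asp?id=12") + injection     # payload after the padding
    written = {"drop": [], "truncate": []}
    for url in (head_attack, tail_attack):
        for name, logger in (("drop", log_drop_long), ("truncate", log_truncate_flag)):
            line = logger("198.51.100.9", "GET", url, 200, 2326)
            if line is not None:
                written[name].append(parse_clf(line))
    return {
        "drop_lines": len(written["drop"]),              # 0: no trace at all
        "truncate_lines": len(written["truncate"]),      # 2: both requests recorded
        "flagged": len(suspicious(written["truncate"])), # 2: one by signature, both by marker
    }


if __name__ == "__main__":
    print(escape_logging_demo())
```

The second padded request puts the payload after the junk parameters, so a truncating logger never records the injection itself; the `[TRUNCATED:n]` marker is what keeps it detectable, which is why a truncate-and-flag policy is preferable to dropping the entry and why logging the full request is better still. Before relying on any access log for incident response, send an over-length request to your own server and confirm whether it appears in the log at all.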