It's important for the exam that you can recognize the ways that websites, and in particular web apps, are attacked. So in this episode, what I want to do is cover, well, basically, if you've been following along in the series, I've got a whole other episode called Attacking Applications. And everything that is in there also works for web apps as well. So I just want to add to that a little bit, some very specific types of attacks that are unique to websites and web apps. So with that understanding, if you're going to recognize an attack, you need to be able to read log files.
And the exams are going to challenge you on your ability to read log files. Now luckily for us, any good web app is going to have tons and tons of log files. But the first one I want to talk about right now is the common log format, the CLF. Now these are the standard types of logs that every single type of web server generates. They all generate it in the same format. So let's go through one of these real quick to make sure you understand common log format.
Here is a very specific line of a log from a common log format web server. So now if you take a look at this, there's a few things you absolutely need to be able to recognize. So just going from left to right, first of all, you're going to see either an IP address, in this case we've got 127.0.0.1, but it could also be a fully qualified domain name. And that's basically who is talking to this web server right now. Your next two, and I just show them as dashes because they're pretty uncommon, these are different ways to do authentication within HTTP, not HTTPS.
This is kind of old school stuff. It's not used very often anymore. So let's skip those next two dashes. They're known equally as ident, which is the identity check. And the second one is called authorized user, but again, they're not used that often. Okay?
Next one is the date and time. And I'm hoping you can read that and pretty much figure out the date, and then the time, and then that little dash on the end. That's just the offset from Greenwich Mean Time. Okay, the next one's the big one. This is actually the request or whatever is coming in from the client. This is the data payload.
In this case, we can take a look at this and see this is just a simple HTTP GET command that's asking for a GIF file. So that's the GIF file itself. And then the next two values are, first of all, that 200 shows everything's okay. It sent it the GIF file, everything's good, and the actual byte size of that payload itself. Now, common log format is important and you need to be comfortable with that format for the actual exam itself. Now, the next thing I want to talk about are other types of logs you might run into.
Now I've got a web app that I use here at Total Seminars. And this web app works underneath a control panel tool called cPanel. Very popular, it's been around forever. And cPanel can actually phone home, send me emails, it can do a lot of different stuff. I've got mine configured to send me emails whenever something that is scary looking shows up. So let me show you an example email that I get from my cPanel applet.
Now I've taken a lot of stuff out. But this is the actual email that I've got from my cPanel applet when something's going on that it doesn't like. So if you take a look here, there's a lot of good information. So I get process IDs here up at the top. I know what account it is that has logged in to my cPanel applet; in this case, it's just an administrative account. Now it's going to show me what's interesting.
So it's telling me that an executable has been run, but it's asking very, very interesting stuff. It's trying to run something called run call PHP. And last, it shows me if there's a network connection on it, in this case, the network connection. Now you have to read these. Notice that it's the same IP address. Somebody is working locally on the server itself, and they are running this program for one reason or another.
Now that we're comfortable with logs, I want to talk about two very specific types of attacks that are going to be unique to websites and web applications: that's going to be cross-site scripting, or XML injection. Now, both of these are kind of like injection attacks, where somebody tries to put in some extra information into an HTTP request to do something naughty. Now, they're going to do this one of two ways. Number one, they're actually going to go into a form or something like that and try to add that extra information. They might have a malicious add-on that they've intentionally installed on their web browser to type in extra information. They could do it that way.
But more often than not, you're going to see tools like I've got a picture of one right here. This is XSSer. And this is on my Kali Linux box. And this tool is designed to simply go to a website and try to do both cross-site scripting and XML injection attacks. Okay, so understanding how people do this stuff, let's talk about each one of these. And I'd like to start with cross-site scripting.
Cross-site scripting, which we usually just show as XSS, is when somebody tries to get another person to run a script from another site. So what we're going to do is let's take a look into a particular log file, and we get something that looks like this. So we could say this is coming from a forum or something. However, the website sees that they're trying to enter this kind of data; now, it depends on the field. Let's just say this is a last name field. And all of a sudden we're seeing all this script information.
You're also going to notice that there's a source that is from a different website. That is a very strong clue of cross-site scripting. XML injection simply means to insert XML information that shouldn't be there. So what I want to do now is let's take a look at this one particular command here. So in this particular case, we've got a form that's being generated from this website. And this form asks for a username, and you can see it says Mike; it's got a password.
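To tie the two halves of this episode together, here is an added example (my own code, not from the video or Total Seminars) that splits common log format lines into the seven fields walked through above and then looks at the request field for the two XSS clues just mentioned: script tags, and a script source on a different site. The log lines, the `www.example.com` hostname and the `evil.example` source are all constructed for the example, and the check flags any external script source rather than only the one in the sample.

```python
import re
from urllib.parse import unquote, urlsplit

# The seven CLF fields in order: host, ident, authuser, [date], "request", status, bytes.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def parse_clf(line):
    """Split one common log format line into its fields; None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body
    return rec

def xss_indicators(request, own_host="www.example.com"):
    """Return the XSS clues in a request field: script tags and script sources on another site."""
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else request  # the path+query between method and version
    decoded = unquote(target)  # payloads arrive URL-encoded, so decode before inspecting
    clues = []
    if re.search(r"<\s*script", decoded, re.IGNORECASE):
        clues.append("script tag in request")
    for src in re.findall(r'src\s*=\s*["\']?(https?://[^"\'\s>]+)', decoded, re.IGNORECASE):
        if urlsplit(src).hostname != own_host:
            clues.append(f"script source on another site: {urlsplit(src).hostname}")
    return clues

def scan(lines, own_host="www.example.com"):
    """Parse every line and report (host, date, clues) for the ones carrying XSS clues."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # not CLF; a real job would log the unparsed line
        clues = xss_indicators(rec["request"], own_host)
        if clues:
            hits.append((rec["host"], rec["date"], clues))
    return hits

# Constructed sample log: a normal GIF request, then a forum post whose last-name
# field carries a script tag whose source is on a different site (hostname is made up).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326',
    '203.0.113.5 - - [10/Oct/2000:14:02:11 -0700] "GET /forum/post?lastname=%3Cscript%20src%3D%22http%3A%2F%2Fevil.example%2Fx.js%22%3E%3C%2Fscript%3E HTTP/1.1" 200 512',
]
```

Calling `scan(SAMPLE_LOG)` returns only the second line, with both clues attached.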
It's pretty weak password. There's a voucher in here, it looks like they're buying a voucher off of my website, there's a price here of $450. Don't worry, they're not really that expensive. And then an email address. So what we're looking at is form data that is being set up in just such a way so somebody can get this information. Now, let's just say for a minute that people don't actually type in the price that they're going to pay, they just pick a particular product, and then the price is filled in automatically.
But what if they had a tool that would allow them to change this XML information, where they could go ahead and just insert $50 instead of $450? Without any other type of control, they're going to get themselves a very cheap voucher. The big takeaway I need you to get from this episode is that you need to be comfortable reading log files. Luckily for us, any web server, any website, any web app is going to come with plenty of log files. And if you take the time and read them, you should be able to easily recognize XML injection and cross-site scripting. Also, keep in mind that these are still applications even though they're web applications.
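The "other type of control" for the voucher case is the server never trusting the price the client sends. This added example (my own code, not the Total Seminars web app) parses an order like the one in the episode and looks the price up in a server-side catalog, refusing the order when the submitted `<price>` does not match. The `SEC-PLUS-VOUCHER` SKU, the catalog and the two sample orders are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server-side catalog: the only place a price may come from.
# (xml.etree keeps this stdlib-only; parse untrusted XML with defusedxml in production.)
CATALOG = {"SEC-PLUS-VOUCHER": 450}

class OrderError(ValueError):
    """Raised for any order the server should refuse."""

def parse_order(xml_text):
    """Pull the form fields from the submitted XML; every one must be present."""
    root = ET.fromstring(xml_text)
    fields = {}
    for tag in ("username", "voucher", "price", "email"):
        node = root.find(tag)
        if node is None or node.text is None:
            raise OrderError(f"missing field: {tag}")
        fields[tag] = node.text.strip()
    return fields

def price_order(xml_text):
    """Return the price the server will charge; the client's <price> is checked, never trusted."""
    fields = parse_order(xml_text)
    sku = fields["voucher"]
    if sku not in CATALOG:
        raise OrderError(f"unknown voucher: {sku}")
    server_price = CATALOG[sku]
    try:
        client_price = int(fields["price"])
    except ValueError:
        raise OrderError("price is not a number")
    if client_price != server_price:
        # The tampering case from the episode: log and refuse rather than sell a $50 voucher.
        raise OrderError(f"price mismatch for {sku}: client sent {client_price}, catalog says {server_price}")
    return server_price

def check(xml_text):
    """Wrapper returning (accepted, price or reason) instead of raising."""
    try:
        return True, price_order(xml_text)
    except OrderError as e:
        return False, str(e)

# Constructed sample submissions: an honest order, then the same order with the price edited.
HONEST_ORDER = """<order><username>Mike</username><voucher>SEC-PLUS-VOUCHER</voucher>
<price>450</price><email>mike@example.com</email></order>"""
TAMPERED_ORDER = HONEST_ORDER.replace("<price>450</price>", "<price>50</price>")
```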
So you might want to review my attacking applications and see if there's anything in there that might come into play. You never know when you're going to get a buffer overflow.