A FORENSIC WEB LOG ANALYSIS TOOL: TECHNIQUES AND IMPLEMENTATION
Ann Fry
A thesis in The Department of Concordia Institute for Information Systems Engineering
Presented in Partial Fulfillment of the Requirements For the Degree of Master of Information Systems Security
Concordia University, Montréal, Québec, Canada
September 2011
© Ann Fry, 2011
Concordia University School of Graduate Studies
This is to certify that the thesis prepared By:
Ann Fry
Entitled:
A Forensic Web Log Analysis Tool: Techniques and Implementation
and submitted in partial fulfillment of the requirements for the degree of Master of Information Systems Security complies with the regulations of this University and meets the accepted standards with respect to originality and quality.
Signed by the final examining committee:
Chair: Dr. Benjamin Fung
External Examiner: Dr. Otmane Ait-Mohamed
Examiner: Dr. Amir Youssef
Supervisor: Dr. Mourad Debbabi
Approved
Dr. Mourad Debbabi Chair of Department or Graduate Program Director
Dr. Nabil Esmail, Dean, Faculty of Engineering and Computer Science
Abstract A Forensic Web Log Analysis Tool: Techniques and Implementation Ann Fry
Methodologies presently in use to perform forensic analysis of web applications are decidedly lacking. Although the number of log analysis tools available is exceedingly large, most only employ simple statistical analysis or rudimentary search capabilities. More precisely, these tools were not designed to be forensically capable. The threat of online assault, the ever growing reliance on the performance of necessary services conducted online, and the lack of efficient forensic methods in this area provide a background outlining the need for such a tool. The culmination of study emanating from this thesis not only presents a forensic log analysis framework, but also outlines an innovative methodology of analyzing log files based on a concept that uses regular expressions, and a variety of solutions to problems associated with existing tools. The implementation is designed to detect critical web application security flaws gleaned from event

CONTENT="0;url=javascript:alert('XSS');">

Description:
This attack attempt, borrowed from [334, 391], is detected by the grouping (?:;\W*url\s*=) in Regex4. The group matches any string which contains a “;” followed by an indeterminate number of non-word characters and then the keyword url=. It is important to note that the match will still succeed if there is an arbitrary number of whitespace characters before the equals sign.

<meta> is a tag used in both HTML and XHTML and usually resides in the head section of the page [307, 322]. The only operational difference in usage of the tag between the languages is that the tag needs to be closed in XHTML, but not in HTML, even though it provides similar functionality in both languages. In specific cases, this vulnerability may arise due to the fact that the tag is not closed. The tag provides the definition of meta, the current page will be automatically redirected to the specified location. Furthermore, if the content attribute is set to 0;url=javascript:alert('XSS');, the script is executed in the browser upon rendering.
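The matching behaviour of this group can be checked against log data. The following is an added example, not code from the thesis or its tool: it applies only the group quoted above (the rest of Regex4 is not reproduced) to constructed access-log lines after percent-decoding. The case-insensitive flag, the log layout and all function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Only this group of Regex4 appears in the text; IGNORECASE is an assumption.
META_REFRESH_GROUP = re.compile(r"(?:;\W*url\s*=)", re.IGNORECASE)
# Request field of a Common Log Format line (assumed log layout).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode(target, rounds=2):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(lines):
    """Return (line_number, matched_text) for each request the group matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        request = REQUEST.search(line)
        if not request:
            continue
        match = META_REFRESH_GROUP.search(decode(request.group("target")))
        if match:
            hits.append((number, match.group(0)))
    return hits

def _line(target):
    # Constructed log line; 192.0.2.0/24 is a documentation address range.
    return f'192.0.2.10 - - [01/Sep/2011:10:00:00 -0400] "GET {target} HTTP/1.1" 200 512'

# Constructed sample requests, numbered from 1.
SAMPLE_LOG = [_line(t) for t in (
    # 1: the fragment shown in the text, percent-encoded as a log records it
    "/search?q=CONTENT%3D%220%3Burl%3Djavascript%3Aalert(%27XSS%27)%3B%22%3E",
    # 2: whitespace after ';' and before '=' is absorbed by \W* and \s*
    "/search?q=0%3B+url+%3Djavascript%3Aalert(%27XSS%27)%3B",
    # 3: double-encoded, needs a second decoding round
    "/p?c=0%253Burl%253Djavascript%253Aalert(%2527XSS%2527)",
    "/index.html?lang=en",   # 4: benign, no match
    "/go?id=7;url=/home",    # 5: benign parameter the group alone also matches
    "/a?x=1;curl=2",         # 6: 'c' is a word character, so \W* cannot skip it
)]

if __name__ == "__main__":
    for number, text in scan(SAMPLE_LOG):
        print(f"line {number}: matched {text!r}")
```

Line 5 shows that the group on its own also flags a legitimate `;url=` parameter, so hits need triage against the decoded request. Line 6 shows that `\W*` does not let `curl=` match.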
This particular tag vulnerability applies to the browsers Firefox and Chrome. According to Mozilla Foundation Security Advisory (MFSA) 2009-22 [95], Mozilla has apparently attempted to patch this vulnerability in Firefox. Currently the vulnerability allows the refresh header to redirect to JS URIs. A way to bypass this redirection protection in Firefox is given in [285]. As such, the payload of a successful attack script is encoded using base64 [230] as follows: