a forensic web log analysis tool: techniques and ... - CiteSeerX [PDF]


A FORENSIC WEB LOG ANALYSIS TOOL: TECHNIQUES AND IMPLEMENTATION

Ann Fry

A thesis in The Department of Concordia Institute for Information Systems Engineering

Presented in Partial Fulfillment of the Requirements For the Degree of Master of Information Systems Security Concordia University Montréal, Québec, Canada

September 2011 © Ann Fry, 2011

Concordia University School of Graduate Studies

This is to certify that the thesis prepared By:

Ann Fry

Entitled:

A Forensic Web Log Analysis Tool: Techniques and Implementation

and submitted in partial fulfillment of the requirements for the degree of Master of Information Systems Security complies with the regulations of this University and meets the accepted standards with respect to originality and quality.

Signed by the final examining committee:

Chair Dr. Benjamin Fung External Examiner Dr. Otmane Ait-Mohamed Examiner Dr. Amir Youssef Supervisor Dr. Mourad Debbabi

Approved

Dr. Mourad Debbabi Chair of Department or Graduate Program Director

20 Dr. Nabil Esmail, Dean Faculty of Engineering and Computer Science

Abstract

A Forensic Web Log Analysis Tool: Techniques and Implementation

Ann Fry

Methodologies presently in use to perform forensic analysis of web applications are decidedly lacking. Although the number of log analysis tools available is exceedingly large, most only employ simple statistical analysis or rudimentary search capabilities. More precisely, these tools were not designed to be forensically capable. The threat of online assault, the ever growing reliance on the performance of necessary services conducted online, and the lack of efficient forensic methods in this area provide a background outlining the need for such a tool. The culmination of study emanating from this thesis not only presents a forensic log analysis framework, but also outlines an innovative methodology of analyzing log files based on a concept that uses regular expressions, and a variety of solutions to problems associated with existing tools. The implementation is designed to detect critical web application security flaws gleaned from event

CONTENT="0;url=javascript:alert('XSS');">

Description:

This attack attempt, borrowed from [334, 391], is detected by the grouping (?:;\W*url\s*=) in Regex4. The reason is that this group matches any string that contains a ";" followed by an indeterminate number of non-word characters and then the keyword url=.

It is important to note here that the match will still succeed if an arbitrary number of whitespace characters precedes the equal sign.

<meta> is a tag used in both HTML and XHTML and usually resides in the head section of the page [307, 322]. The only operational difference in usage of the tag between the languages is that the tag needs to be closed in XHTML, but not in HTML, even though it provides similar functionality in both languages. In specific cases, this vulnerability may arise because the tag is not closed. The tag provides the definition of meta, the current page will be automatically redirected to the specified location. Furthermore, if the content attribute is set to 0;url=javascript:alert('XSS');, the script is executed in the browser upon rendering.
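The following Python sketch is an added example, not code from the thesis: it applies the grouping quoted above to the decoded request targets of a few constructed access-log entries. The case-insensitive flag, the log layout and every name in it are assumptions of this example; the last sample shows that a benign parameter also matches, so a hit on this group alone still needs review.

```python
import re
from urllib.parse import unquote_plus

# Grouping quoted in the text. IGNORECASE is an assumption of this example;
# the page does not say which flags Regex4 is compiled with.
GROUP = re.compile(r"(?:;\W*url\s*=)", re.IGNORECASE)

# Request field of an NCSA/Apache access-log entry: "METHOD target PROTOCOL".
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_target(target, max_rounds=3):
    """Percent-decode until stable so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(log_lines):
    """Return (line_number, matched_text) for each entry whose decoded
    request target contains the grouping."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        request = REQUEST.search(line)
        if request is None:
            continue  # malformed entry, no request target to inspect
        match = GROUP.search(decode_target(request.group("target")))
        if match:
            hits.append((number, match.group(0)))
    return hits

# Constructed sample entries (documentation address, not real traffic).
PREFIX = '192.0.2.10 - - [01/Sep/2011:10:00:00 +0000] "GET '
SUFFIX = ' HTTP/1.1" 200 512'
SAMPLE_TARGETS = [
    "/index.php?page=about",                             # no match
    "/s?q=CONTENT%3D%220%3Burl%3Djavascript%3Aalert(%27XSS%27)%3B%22%3E",
    "/s?q=0%3B%20url+%3Djavascript%3Aalert(%27XSS%27)",  # whitespace variant
    "/s?q=0%253Burl%253Djavascript%253Aalert(%2527XSS%2527)",  # double-encoded
    "/go?id=7;url=/home",                                # benign, still matches
]
SAMPLE_LOG = [PREFIX + target + SUFFIX for target in SAMPLE_TARGETS]

if __name__ == "__main__":
    for number, text in scan(SAMPLE_LOG):
        print(f"line {number}: matched {text!r}")
```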


This particular tag vulnerability applies to the browsers Firefox and Chrome. According to Mozilla Foundation Security Advisory (MFSA) 2009-22 [95], Mozilla has apparently attempted to patch this vulnerability in Firefox. Currently the vulnerability allows a refresh header to redirect to JS URIs. A way to bypass this redirection protection in Firefox is given in [285]. As such, the payload of a successful attack script is encoded using base64 [230] as follows:
