Objective
Understand the impact of Insufficient Logging and Monitoring on application security and learn how to detect suspicious activity to prevent security breaches.
Scenario
You are assessing a web application that lacks proper logging and monitoring mechanisms. This oversight allows attackers to perform malicious actions such as brute-force login attempts and SQL injection without being detected. Your goal is to exploit this vulnerability and learn how to implement effective logging and monitoring practices.
Lab Setup
Prerequisites:
- Basic knowledge of PHP and file handling.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- A code editor (e.g., VSCode, Sublime Text).
Step 1: Create the Vulnerable Web Application
PHP Script for Login Functionality (Without Logging)
Create a file login.php:
<?php
// Hard-coded demo credentials; this lab uses no database.
$users = ["alice" => "alice123", "bob" => "bob123"];
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (isset($users[$username]) && $users[$username] === $password) {
        echo "<h2>Welcome, $username!</h2>";
    } else {
        // Deliberately vulnerable: the failed attempt is not recorded anywhere.
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
Running the Application
- Start the Apache server.
- Place login.php in the web server’s root directory (htdocs for XAMPP).
- Open http://localhost/login.php in your browser.
Exploitation Steps
Step 1: Performing a Brute-Force Attack
- Automate login attempts using a script or tool like Burp Suite Intruder.
- Use a password list to attempt multiple logins for alice.
Expected Result:
- No logs or alerts are generated for repeated failed login attempts.
Step 2: SQL Injection Attempt
- Enter a payload into the username field: ' OR '1'='1
- Submit the form.
Expected Result:
- The injection attempt is not logged or detected. Because this lab's login.php checks credentials against a PHP array rather than a database, the payload simply fails as an unknown username; the point is that nothing records that anyone tried it.
Solution and Prevention
Problem Analysis
- The application does not log failed login attempts or detect suspicious activity.
Fixing the Vulnerability
Implement Logging for Critical Events
Add logging for failed logins:
<?php
// Append a timestamped line to the security log. CR/LF are stripped from the
// message so a crafted username cannot forge extra log lines (log injection).
function log_event($message) {
    $logDir = __DIR__ . '/logs'; // keep this outside the web root, or deny web clients access to it
    if (!is_dir($logDir)) {
        mkdir($logDir, 0750, true);
    }
    $message = str_replace(["\r", "\n"], ' ', $message);
    file_put_contents($logDir . '/security.log', date('Y-m-d H:i:s') . " - " . $message . "\n", FILE_APPEND);
}
$users = ["alice" => "alice123", "bob" => "bob123"];
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (isset($users[$username]) && $users[$username] === $password) {
        echo "<h2>Welcome, $username!</h2>";
    } else {
        // Record the failure so brute-force bursts and probing payloads become visible.
        // In production also record the client address so per-source blocking is possible.
        log_event("Failed login attempt for user: $username");
        echo "<h2>Invalid Credentials!</h2>";
    }
}
?>
Set Up Monitoring and Alerts
Use tools like OSSEC, Fail2Ban, or cloud monitoring services to detect and alert on suspicious activity.
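As an added example (not part of the lab's own code), the following Python script does what a monitor such as Fail2Ban would do with logs/security.log: it parses the exact line format written by log_event(), raises an alert when one username accumulates a threshold of failures inside a sliding time window, and separately flags usernames that look like injection payloads. The log lines are constructed sample data, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line format written by the lab's log_event(): "YYYY-mm-dd HH:MM:SS - Failed login attempt for user: <username>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - Failed login attempt for user: (.*)$")
# Quotes, semicolons or comment markers do not belong in a username; a hit means the form is being probed.
SUSPICIOUS_RE = re.compile(r"""['";]|--""")

def parse_line(line):
    """Return (timestamp, username) for a failed-login line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """One alert per user each time `threshold` failures land within `window_seconds`; the window then resets."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = []  # (username, timestamp string of the failure that crossed the threshold)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # malformed or unrelated line
            continue
        ts, user = parsed
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts.strftime("%Y-%m-%d %H:%M:%S")))
            q.clear()
    return alerts

def suspicious_usernames(lines):
    """De-duplicated usernames from failed-login lines that look like injection payloads."""
    found = {p[1] for p in map(parse_line, lines) if p and SUSPICIOUS_RE.search(p[1])}
    return sorted(found)

# Constructed sample of logs/security.log: a five-attempt burst against alice inside 20 seconds,
# the lab's SQL injection payload, and one alice failure minutes later (outside the window).
SAMPLE_LOG = [
    "2024-01-01 10:00:00 - Failed login attempt for user: alice",
    "2024-01-01 10:00:05 - Failed login attempt for user: alice",
    "2024-01-01 10:00:10 - Failed login attempt for user: alice",
    "2024-01-01 10:00:15 - Failed login attempt for user: alice",
    "2024-01-01 10:00:20 - Failed login attempt for user: alice",
    "2024-01-01 10:01:00 - Failed login attempt for user: ' OR '1'='1",
    "2024-01-01 10:05:00 - Failed login attempt for user: alice",
]
```

Running detect_bruteforce(SAMPLE_LOG) on this sample yields a single alert for alice at 10:00:20, and suspicious_usernames(SAMPLE_LOG) returns the injection payload.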
Rate Limiting and Account Lockout
Implement rate limiting for login attempts to slow down brute-force attacks.
Log Critical Actions
Log events like password changes, privilege escalation, and failed access attempts.
Centralized Log Management
Use centralized log management solutions like ELK Stack (Elasticsearch, Logstash, Kibana) for better visibility.
Testing After Fix
- Perform multiple failed login attempts.
- Check logs/security.log for recorded failed attempts.
Expected Result:
- Failed logins are logged, and alerts are generated if integrated with monitoring tools.
Conclusion
In this lab, you exploited Insufficient Logging and Monitoring by performing attacks without being detected. You also learned how to mitigate this risk through proper logging, monitoring, and alerting of suspicious activities.