Exercise 58: Insufficient Logging and Monitoring

Jul 21, 2025

Objective

Learn how Insufficient Logging and Monitoring can enable attackers to exploit web applications without detection. Understand how to enhance security by logging critical events, monitoring abnormal activity, and implementing intrusion detection systems (IDS).


Scenario

You are assessing a web application that logs only successful login attempts but fails to log failed login attempts or suspicious activities. An attacker can exploit this lack of monitoring by performing a brute-force attack without detection.


Lab Setup

Prerequisites:

  • Basic knowledge of PHP and server logs.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • Tools like Burp Suite or Hydra for brute-force testing.

Step 1: Create the Vulnerable Web Application

  1. PHP Script with Insufficient Logging
    • Create a file login.php with the following contents:

      <?php
      $valid_username = 'admin';
      $valid_password = 'password123';

      if (isset($_POST['username']) && isset($_POST['password'])) {
          $username = $_POST['username'];
          $password = $_POST['password'];

          if ($username === $valid_username && $password === $valid_password) {
              // Only successful logins are written to log.txt; a failed attempt leaves no trace.
              file_put_contents('log.txt', date('Y-m-d H:i:s') . " - Successful login by: $username\n", FILE_APPEND);
              echo "<h2>Login Successful</h2>";
          } else {
              echo "<h2>Invalid Credentials</h2>";
          }
      }
      ?>
      <h2>Login</h2>
      <form method="POST" action="">
          Username: <input type="text" name="username" required><br>
          Password: <input type="password" name="password" required><br>
          <button type="submit">Login</button>
      </form>
  2. Running the Application
    • Start the Apache server.
    • Place login.php in the web server’s root directory (htdocs for XAMPP).
    • Open http://localhost/login.php in your browser.

Exploitation Steps

Step 1: Performing a Brute Force Attack

  1. Use Burp Suite Intruder or Hydra to perform a brute-force attack:

      hydra -l admin -P passwords.txt http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"
  2. Expected Result:
    • The attacker can attempt multiple passwords without detection since only successful logins are logged.

Step 2: Reviewing Logs

  1. Open the log.txt file.
  2. Expected Result:
    • Only successful logins are recorded, while failed attempts are not logged.

Solution and Prevention

Problem Analysis

  • The application fails to log failed login attempts and suspicious activities, allowing brute-force attacks to go undetected.

Fixing the Vulnerability

  1. Log Failed Login Attempts
    • Modify the login script so that the else branch also writes to the log:

      if ($username === $valid_username && $password === $valid_password) {
          file_put_contents('log.txt', date('Y-m-d H:i:s') . " - Successful login by: $username\n", FILE_APPEND);
          echo "<h2>Login Successful</h2>";
      } else {
          // Failed attempts now leave a record that can be monitored.
          file_put_contents('log.txt', date('Y-m-d H:i:s') . " - Failed login attempt for: $username\n", FILE_APPEND);
          echo "<h2>Invalid Credentials</h2>";
      }
  2. Implement Rate Limiting
    • Limit the number of login attempts to prevent brute-force attacks. The counter is kept in the PHP session, so session_start() must run before any output is sent, and the check belongs inside the POST handling block once $username and $password have been read:

      session_start(); // at the top of login.php, before any output

      // Inside the POST handling block:
      if (!isset($_SESSION['attempts'])) {
          $_SESSION['attempts'] = 0;
      }
      if ($_SESSION['attempts'] > 5) {
          die("Too many failed attempts. Try again later.");
      }
      if ($username === $valid_username && $password === $valid_password) {
          $_SESSION['attempts'] = 0; // reset the counter on success
          file_put_contents('log.txt', date('Y-m-d H:i:s') . " - Successful login by: $username\n", FILE_APPEND);
          echo "<h2>Login Successful</h2>";
      } else {
          $_SESSION['attempts']++; // count the failure
          file_put_contents('log.txt', date('Y-m-d H:i:s') . " - Failed login attempt for: $username\n", FILE_APPEND);
          echo "<h2>Invalid Credentials</h2>";
      }
  3. Use Intrusion Detection Systems (IDS)
    • Deploy tools like Fail2Ban or OSSEC to monitor logs and block suspicious IPs.
  4. Log Critical Events
    • Log other critical events (e.g., file uploads, permission changes, and access to sensitive areas).
  5. Centralized Logging and Monitoring
    • Implement centralized logging using tools like ELK Stack (Elasticsearch, Logstash, Kibana) or Splunk.
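As an added example that is not part of the original lab, the following Python script does over log.txt what an IDS such as Fail2Ban does over a server log: it parses the two line formats written by the fixed login.php, raises an alert when an account accumulates five failures inside a five-minute window, and a second alert when a successful login follows that burst. Because the lab's log lines carry no client IP, detection is keyed on the username; a tool that bans by address needs the IP written into each line. The threshold, window and sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Both line formats the lab's login.php writes once failed attempts are logged too.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
                     r"(?P<outcome>Successful login by|Failed login attempt for): (?P<user>.+)$")
# Constructed sample of log.txt, not captured from a real system.
SAMPLE_LOG = """\
2025-07-21 10:00:01 - Successful login by: alice
2025-07-21 10:05:00 - Failed login attempt for: admin
2025-07-21 10:05:01 - Failed login attempt for: admin
2025-07-21 10:05:02 - Failed login attempt for: admin
2025-07-21 10:05:03 - Failed login attempt for: admin
2025-07-21 10:05:04 - Failed login attempt for: admin
2025-07-21 10:05:06 - Successful login by: admin
2025-07-21 11:30:00 - Failed login attempt for: bob
2025-07-21 11:40:00 - Failed login attempt for: bob
""".splitlines()

def parse_line(line):
    """Return (timestamp, 'success' | 'failure', username), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m: return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, ("success" if m.group("outcome").startswith("Successful") else "failure"), m.group("user")

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector keyed on username (the lab's log carries no client IP). Alerts once
    when `threshold` failures fall inside `window`, and again if a success then follows the burst."""
    recent = defaultdict(deque)  # username -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user = parsed
        q = recent[user]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if outcome == "failure":
            q.append(ts)
            if len(q) == threshold:
                alerts.append((ts, user, f"{threshold} failed logins within {window}"))
            continue
        if len(q) >= threshold:
            alerts.append((ts, user, "successful login after failed-login burst"))
        q.clear()  # a successful login resets the account's failure counter
    return alerts
```

Run against the sample, the detector reports the admin burst at the fifth failure and then the suspicious success that follows it, while bob's two failures ten minutes apart never reach the threshold.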

Testing After Fix

  1. Perform another brute-force attack.
  2. Expected Result:
    • Failed login attempts are logged, and excessive attempts are blocked.
  3. Review the log.txt file.
  4. Expected Result:
    • Both successful and failed login attempts are properly recorded.

Conclusion

In this lab, you exploited Insufficient Logging and Monitoring by performing a brute-force attack without being detected. You also learned how to mitigate this vulnerability by logging failed attempts, implementing rate limiting, and using intrusion detection systems (IDS).
