Detecting SQL and XSS web application attacks
What version of TOR Browser did Amber install to obfuscate her web browsing? Answer guidance: Numeric with one or more delimiter.
index="botsv2" amber tor.exe
Look at the process field. There is an event showing the installation file name, which contains the version ID.
What is the public IPv4 address of the server running www.brewertalk.com?
index="botsv2" sourcetype="stream:HTTP" "www.brewertalk.com"
Provide the IP address of the system used to run a web vulnerability scan against www.brewertalk.com.
Same query. Use the src_ip field. It is the address making the most requests. Drill down into its
and some attempts at SQL injection appear.
The IP address from Q#2 is also being used by a likely different piece of software to attack a URI path. What is the URI path? Answer guidance: Include the leading forward slash in your answer. Do not include the query string or other parts of the URI. Answer example:
Look at the URI path.
What SQL function is being abused on the URI path from the previous question?
form_data. There is an
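The hints above (pick the src_ip making the most requests, then look inside its requests for injection attempts, the URI path being hit, and the SQL function abused in form_data) can be turned into a small detector that runs over exported HTTP events. The following Python is an added example, not part of the original write-up or of the BOTSv2 dataset; the sample events are constructed and only mirror the field names of the stream:HTTP sourcetype (src_ip, uri_path, uri_query, form_data), and the indicator list is a deliberately short one.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample events (assumption: field names mirror Splunk's stream:HTTP
# sourcetype, i.e. src_ip, uri_path, uri_query, form_data). Not records from BOTSv2.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.10", "uri_path": "/member.php", "uri_query": "action=login", "form_data": ""},
    {"src_ip": "203.0.113.10", "uri_path": "/search.php", "uri_query": "keywords=%27+OR+1%3D1--", "form_data": ""},
    {"src_ip": "203.0.113.10", "uri_path": "/member.php", "uri_query": "",
     "form_data": "username=admin%27+UNION+SELECT+1%2C2%2C3--&password=x"},
    {"src_ip": "203.0.113.10", "uri_path": "/index.php", "uri_query": "id=1+AND+SLEEP%285%29", "form_data": ""},
    {"src_ip": "198.51.100.7", "uri_path": "/index.php", "uri_query": "", "form_data": ""},
    {"src_ip": "198.51.100.7", "uri_path": "/forum.php", "uri_query": "fid=3", "form_data": ""},
]

# Indicators commonly seen in injection probes: a quote followed by a tautology,
# UNION SELECT, comment terminators, and time-based or file-reading SQL functions.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "comment_terminator": re.compile(r"(--|/\*)"),
    "sql_function": re.compile(r"\b(sleep|benchmark|updatexml|extractvalue|load_file)\s*\(", re.I),
}


def requests_per_source(events):
    """Count requests by src_ip; a vulnerability scanner usually dominates this table."""
    return Counter(e["src_ip"] for e in events)


def sqli_findings(events):
    """Return (src_ip, uri_path, indicator, decoded_payload) for every query string or
    form body that matches an injection indicator after URL-decoding."""
    findings = []
    for e in events:
        for field in ("uri_query", "form_data"):
            payload = unquote_plus(e.get(field) or "")
            for name, pattern in SQLI_PATTERNS.items():
                if pattern.search(payload):
                    findings.append((e["src_ip"], e["uri_path"], name, payload))
    return findings


def abused_sql_functions(events):
    """Map each attacked URI path to the SQL function names called in probes against it."""
    result = {}
    for _src, path, indicator, payload in sqli_findings(events):
        if indicator != "sql_function":
            continue
        for m in SQLI_PATTERNS["sql_function"].finditer(payload):
            result.setdefault(path, set()).add(m.group(1).lower())
    return result


if __name__ == "__main__":
    print("requests per source:", requests_per_source(SAMPLE_EVENTS).most_common())
    for finding in sqli_findings(SAMPLE_EVENTS):
        print("SQLi indicator:", finding)
    print("abused functions by path:", abused_sql_functions(SAMPLE_EVENTS))
```

The decode step matters: scanners URL-encode quotes and spaces, so matching the raw uri_query misses most probes. The counts per src_ip and per (src_ip, uri_path) give the same view as the Splunk drill-down, just reproducible outside the search head.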
What was the value of the cookie that Kevin’s browser transmitted to the malicious URL as part of an XSS attack? Answer guidance: All digits. Not the cookie name or symbols like an equal sign.
index="botsv2" kevin sourcetype="stream:HTTP" tag=error | table cookie
What brewertalk.com username was maliciously created by a spear phishing attack?
The attacker stole Kevin's CSRF token (1bc3eab741900ab25c98eee86bf20feb) and performed a trick borrowed from domain squatters by using a homograph attack.
index="botsv2" 1bc3eab741900ab25c98eee86bf20feb sourcetype="stream:HTTP" brewertalk.com | table form_data
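The last two hints (a cookie value leaving the victim's browser toward a malicious URL, and an account name crafted as a homograph of an existing member) can both be checked mechanically rather than by eyeballing a table. The Python below is an added example, not part of the original write-up or of the BOTSv2 data; the events, hosts, usernames, cookie value and the csrf_token form field are constructed, and the confusables table is a small hand-picked subset, not the full Unicode confusables list.

```python
import unicodedata
from urllib.parse import parse_qs, unquote_plus

# Constructed sample events in the shape of stream:HTTP fields (src_ip, site, uri_path,
# uri_query, cookie, form_data). Hosts, names, token and cookie values are made up.
SAMPLE_EVENTS = [
    # Victim browses the forum; the browser presents its session cookie.
    {"src_ip": "10.0.2.15", "site": "www.brewertalk.com", "uri_path": "/forum.php",
     "uri_query": "", "cookie": "mybbuser=1234567890", "form_data": ""},
    # An injected script then makes the same browser fetch an external URL carrying that value.
    {"src_ip": "10.0.2.15", "site": "evil.example", "uri_path": "/collect",
     "uri_query": "c=mybbuser%3D1234567890", "cookie": "", "form_data": ""},
    # Registrations submitted with a stolen CSRF token (field name and value are assumptions).
    {"src_ip": "203.0.113.10", "site": "www.brewertalk.com", "uri_path": "/member.php",
     "uri_query": "", "cookie": "",
     "form_data": "action=do_register&username=carol.reed&csrf_token=TOKEN_PLACEHOLDER"},
    {"src_ip": "203.0.113.10", "site": "www.brewertalk.com", "uri_path": "/member.php",
     "uri_query": "", "cookie": "",
     "form_data": "action=do_register&username=aIice.Iong&csrf_token=TOKEN_PLACEHOLDER"},
    {"src_ip": "203.0.113.10", "site": "www.brewertalk.com", "uri_path": "/member.php",
     "uri_query": "", "cookie": "",
     "form_data": "action=do_register&username=alic%D0%B5.long&csrf_token=TOKEN_PLACEHOLDER"},
]


def cookie_exfiltrations(events, home_domain="brewertalk.com"):
    """Find requests to hosts outside home_domain whose URL carries a cookie value that the
    same src_ip earlier presented to home_domain. Returns (src_ip, host, path, value)."""
    known = {}  # src_ip -> set of cookie values seen going to the home domain
    hits = []
    for e in events:
        site, cookie = e.get("site", ""), e.get("cookie", "")
        if site.endswith(home_domain):
            for part in cookie.split(";"):
                if "=" in part:
                    _name, value = part.strip().split("=", 1)
                    known.setdefault(e["src_ip"], set()).add(value)
        else:
            query = unquote_plus(e.get("uri_query") or "")
            # Substring match; fine for session tokens, too loose for very short values.
            for value in known.get(e["src_ip"], ()):
                if value in query:
                    hits.append((e["src_ip"], site, e["uri_path"], value))
    return hits


# Hand-picked look-alikes: capital I, digit 1 and pipe for l; digit 0 for o; Cyrillic
# a, e, o for their Latin twins. A real deployment would use the Unicode confusables data.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})


def skeleton(name):
    """Canonical form under which visually similar names collide."""
    return unicodedata.normalize("NFKC", name).translate(CONFUSABLES).lower()


def homograph_registrations(events, existing_members):
    """Flag registration submissions whose username is a look-alike of an existing member
    (same skeleton, different string). Returns (src_ip, new_username, mimicked_member)."""
    by_skeleton = {skeleton(m): m for m in existing_members}
    flagged = []
    for e in events:
        form = parse_qs(e.get("form_data") or "")
        if form.get("action") != ["do_register"]:
            continue
        for username in form.get("username", []):
            target = by_skeleton.get(skeleton(username))
            if target is not None and target != username:
                flagged.append((e["src_ip"], username, target))
    return flagged


if __name__ == "__main__":
    print("cookie exfiltration:", cookie_exfiltrations(SAMPLE_EVENTS))
    print("homograph registrations:",
          homograph_registrations(SAMPLE_EVENTS, ["alice.long", "bob.stone"]))
```

The skeleton comparison is what makes the second check work: mapping capital I to lowercase l before lowercasing catches the ASCII trick, and NFKC plus the Cyrillic mappings catch the Unicode variant, so both registrations collide with the legitimate member while an unrelated name does not.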