Barracuda Web Application Firewall Data Leak Prevention: A Real-World Case

Source: Internet
Author: User
Keywords: data center, firewall, Barracuda

Introduction

In an era when web attacks are automated, administrators cannot afford to be lax about site security. On April 9, 2011, a Barracuda Web Application Firewall that had been placed in "passive mode" (in which it only monitors access to the site) recorded the entire process of an intrusion into a company's marketing database. Analysis suggests the attackers were most likely gray-hat hackers with no apparent criminal intent. This article explores in detail how the data leak occurred, what was learned from it, and how the Barracuda Web Application Firewall blocks application-layer attacks in progress and prevents further damage.

Web applications are designed so that their traffic passes transparently through the network firewall, which means a traditional layer 4 network firewall cannot detect or block layer 7 (application-level) attacks. Many organizations are still not fully aware that layer 4 security measures are no longer sufficient, and this leaves them exposed to a wide variety of attacks on their applications.

Regardless of motivation, attacks on web applications, and SQL injection attacks in particular, have proven to be the most effective way to penetrate a network and steal data:

· Web application attacks accounted for only 54% of all data disclosure events, but for 92% of the stolen data

· SQL injection attacks accounted for only 25% of web application attacks, but for 89% of the stolen data

Data Disclosure Event Description

The main causes of this data leak were as follows:

1. The website's PHP code contained errors

2. The code vulnerability scans that should have been run regularly were skipped, so the problems in the PHP code were not discovered in time

3. The site's maintenance staff had not enabled the Barracuda Web Application Firewall's protection functions

With the vulnerable code left unprotected, an attack was only a matter of time. According to the Barracuda Web Application Firewall's logs and reports, the attack unfolded as follows:

Data Disclosure Event: Detailed Process

From the Barracuda Web Application Firewall log, we confirmed that unauthorized users employed two clients to probe and attack the web site.

Using the information reported by the Barracuda Web Application Firewall, we can quickly filter the web server log and find the corresponding entries:

2011-04-10 03:19:17 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1

2011-04-10 03:19:17 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:18 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1

2011-04-10 03:19:18 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1

2011-04-10 03:19:19 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:21 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:24 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:26 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:28 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:31 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:32 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:33 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:37 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:39 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:41 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:46 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:48 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:48 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:49 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:51 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:51 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:52 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:53 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:53 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:55 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%

Note: the web log uses Greenwich Mean Time (GMT), while the web application firewall uses Pacific Daylight Time (PDT).
