Introduction
In an era when Web attacks are automated, administrators cannot be lax about the security of their sites. On April 9, 2011, a Barracuda Web Application Firewall that had been placed in "passive mode" (which only monitors access to the site without blocking it) recorded in detail the entire process of an intrusion into a company's marketing database. Analysis shows that the attack most likely came from gray-hat hackers with no apparent criminal intent. This article explores specifically how the data leak occurred, what we learned from it, and how the Barracuda Web Application Firewall can block ongoing application-layer attacks and prevent further damage.
Web applications are designed so that their data passes transparently through the network firewall, so a traditional layer-4 network firewall cannot detect or block layer-7 (application-level) attacks. Many organizations are still not fully aware that layer-4 security measures are no longer enough to meet current requirements, which leaves them vulnerable to a wide variety of application attacks.
Regardless of motivation, attacks on Web applications, especially SQL injection attacks, have proven to be the most effective way to penetrate a network and steal data:
· Web application attacks accounted for only 54% of all data disclosure events, but for 92% of the stolen data
· SQL injection attacks accounted for only 25% of Web application attacks, but for 89% of the stolen data
Data Disclosure Event Description
The main causes of this data leak were as follows:
1. There were errors in the website's PHP code
2. The code vulnerability scan that should have been performed regularly was skipped, so the problems in the PHP code were not discovered in time
3. Site maintenance personnel had not enabled the Barracuda Web Application Firewall's security protection function
It was only a matter of time before the vulnerable code was attacked. According to the records and reports of the Barracuda Web Application Firewall, the attack unfolded as follows:
Specific Process of the Data Disclosure Event
From the Barracuda Web Application Firewall log, we confirmed that unauthorized users used two clients to probe and attack the Web site:
Using the information reported by the Barracuda Web Application Firewall, we can quickly filter the Web server log and find the corresponding record entries:
2011-04-10 03:19:17 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1
2011-04-10 03:19:17 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:18 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1
2011-04-10 03:19:18 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1
2011-04-10 03:19:19 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:21 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:24 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:26 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:28 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:31 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:32 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:33 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:37 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:39 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:41 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:46 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:48 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:48 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info
2011-04-10 03:19:49 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info
2011-04-10 03:19:51 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:51 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info
2011-04-10 03:19:52 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info
2011-04-10 03:19:53 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:53 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info
2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info
2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info
2011-04-10 03:19:55 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%
2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%
Note: The Web log uses Greenwich Mean Time (GMT), while the Web application firewall uses Pacific Daylight Time (PDT).
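As an added example (not code from the original article or from Barracuda), the following Python script parses Web server log lines laid out like the ones above, URL-decodes the query string, flags the blind SQL injection indicators visible in this case, converts the GMT timestamps to PDT so they can be matched against the firewall's records, and estimates the probing rate. The log layout, the constructed sample lines and the seven-hour GMT-to-PDT offset are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines modelled on the web server log above (not the original records).
SAMPLE_LOG = """\
2011-04-10 03:19:17 get/ns/customers/customer_verticals.php v=12"%20and%20ascii(substring((database()),13,1))
2011-04-10 03:19:48 get/ns/customers/customer_verticals.php v=12"%20and%20length(select%20distinct%20schema_name%20from%20info
2011-04-10 03:20:05 get/ns/customers/customer_verticals.php v=12
"""

# "<date> <time> <method><path> <query>"; the method may or may not be separated from the path.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([a-z]+) ?(/\S+) ?(.*)$", re.I)

# Indicators of boolean-based blind SQL injection from the case above, matched on the decoded query.
INDICATORS = {
    "char_extract": re.compile(r"\bascii\s*\(\s*substring\b"),    # reading a value one byte at a time
    "length_probe": re.compile(r"\blength\s*\(\s*\(?\s*select\b"),  # sizing a result before extracting it
    "schema_enum": re.compile(r"\bschema_name\b"),                 # enumerating database names
}

GMT_TO_PDT = timedelta(hours=-7)  # web log is GMT, the WAF reports in PDT (UTC-7); assumed offset

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts_gmt": ts, "ts_pdt": ts + GMT_TO_PDT, "method": m.group(2).upper(),
            "path": m.group(3), "query": unquote(m.group(4)).lower()}

def classify(entry):
    return [name for name, rx in INDICATORS.items() if rx.search(entry["query"])]

def scan(log_text):
    flagged = []  # requests carrying at least one injection indicator, in log order
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        inds = classify(entry) if entry else []
        if inds:
            flagged.append(dict(entry, indicators=inds))
    return flagged

def probes_per_minute(flagged):
    """Rate of flagged requests; dozens per minute against one URL means automated probing."""
    if not flagged:
        return 0.0
    span = max((flagged[-1]["ts_gmt"] - flagged[0]["ts_gmt"]).total_seconds(), 1.0)
    return 60.0 * len(flagged) / span
```

Run against the real Web server log, the PDT timestamps line up with the firewall's April 9 records and the per-minute rate makes the automated character-by-character extraction obvious.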
(Author: Anonymous; Editor: Xu Jinyang)