Barracuda Web application Firewall data leak proof combat case

Last Update:2014-12-23 Source: Internet

Author: User

Keywords Data center firewall Barracuda data center

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Introduction

In an era when the Web attack has been automated, administrators cannot be lax about the security of the site. On the April 9, 2011, the Barracuda Web application firewall, which was placed in "passive mode" (which only monitors access to the site), detailed the entire process of hacking into a company's marketing database. Analysis shows that the attack is most likely to be those with no apparent criminal intent of the gray-hat hackers. This article will specifically explore how data leaks occur, what we have received, and how the Barracuda Web application firewall will block ongoing application layer attacks and prevent further damage.

The design of WEB applications ensures that data can transparently traverse the network firewall, so traditional four-tier network firewalls cannot detect and block seven-layer (application-level) attacks; However, many organizations are not fully aware that the four-tier security measures are not enough to meet current requirements, This makes these organizations vulnerable to attacks on a variety of applications.

Regardless of motivation, attacks on Web applications, especially SQL injection attacks, have proven to be the most effective way to penetrate the network and http://www.aliyun.com/zixun/aggregation/35433.html "> Steal Data:

· Web application attacks accounted for only 54% of all data disclosure events, but the stolen data accounted for 92%

· SQL injection attacks account for only 25% of Web application attacks, but the stolen data accounts for 89%

Data Disclosure Event description

The main reasons for this data leakage event are as follows:

1. There are errors in the PHP Code of the website

2. A code vulnerability scan that was supposed to be done regularly is ignored, resulting in a lack of timely discovery of PHP code problems

3. Site maintenance personnel did not open the Barracuda Web Application Firewall's security protection function

It is only a matter of time before the vulnerable code is protected. According to the records and reports of the Barracuda Web application firewall, the attack occurs as follows:

Data disclosure Event specific process

Through the Barracuda Web application firewall log, we confirm that illegal users use two clients to detect and attack the Web site:

Using the information that the Barracuda Web application firewall reports, we can quickly filter and find the corresponding record entry in the Web server log.

2011-04-10 03:19:17 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1

2011-04-10 03:19:17 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:18 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii ((Database ()), 13, 1) substring 20and%20 "x" = "x 80-87.1

2011-04-10 03:19:19 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:21 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:24 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:26 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:28 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:31 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:32 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:33 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:37 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:39 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:41 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:46 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:48 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:48 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:49 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:51 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:51 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:52 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:53 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:53 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:54 get/ns/customers/customer_verticals.php v=12 "%20and%20length (SELECT%20distinct%20schema_name %20from%20info

2011-04-10 03:19:55 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=11 "%20and%20ascii (substring 20schema_name%20from%

2011-04-10 03:19:57 get/ns/customers/customer_verticals.php v=12 "%20and%20ascii (substring 20schema_name%20from%

Note: The Web log uses Greenwich Mean Time (GMT), while the Web application firewall uses Pacific Daylight Savings (PDT)

12 Next Read full-text paging navigation 1. Barracuda Web application Firewall data anti-leak combat case [1]2. Barracuda Web Application Firewall data anti-leak combat case [2] (Author: Anonymous editor: Xu Jinyang)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More