IBM Proventia Web Application Security Configuration Guide Version 1.0


IBM Proventia Web Application Security

Configuration Guide

Version 1.0


Copyright statement

© Copyright IBM Corporation 2009, 2009.

U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Publication Date: July 2009


Trademarks and disclaimer

IBM® and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME™, Ahead of the threat, BlackICE™, Internet Scanner®, Proventia®, RealSecure®, SecurePartner™, SecurityFusion™, SiteProtector™, System Scanner™, Virtual Patch®, X-Force® and X-Press Update are trademarks or registered trademarks of Internet Security Systems™, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.

Microsoft®, Windows®, and Windows NT® are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security Systems, and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email message with the topic name, link, and its behavior to mailto://[email protected].


Contents

Trademarks and disclaimer . . . . . . iii

Tables . . . . . . . . . . . . . . . vii

About this publication . . . . . . . . ix

Chapter 1. About Web application security . . . 1
  Process overview . . . 2
  Supported agents and affected policies . . . 3
  Adding Web applications to a protection domain . . . 5

Chapter 2. Web application security categories . . . 7
  Authentication attacks . . . 8
    Configuring responses to prevent Authentication attacks . . . 10
  Brute Force attacks . . . 11
    Configuring responses to prevent Brute Force attacks . . . 13
  Buffer Overflow attacks . . . 14
    Configuring responses to prevent Buffer Overflow attacks . . . 19
  Client-side attacks . . . 20
    Configuring responses and client protection to prevent Client-side attacks . . . 24
  Cross-site Request Forgery (CSRF) attacks . . . 25
    Configuring responses and tuning parameters to prevent Cross-site Request Forgery attacks . . . 26
  Directory Indexing attacks . . . 27
    Configuring responses to prevent Directory Indexing attacks . . . 28
  Information Disclosure attacks . . . 29
    Configuring responses to prevent Information Disclosure attacks . . . 35
  Injection attacks . . . 36
    Configuring responses and tuning parameters to prevent Injection attacks . . . 50
  Malicious File Execution attacks . . . 54
    Configuring responses and tuning parameters to prevent Malicious File Execution attacks . . . 55
  Miscellaneous attacks . . . 57
    Configuring responses to prevent Miscellaneous attacks . . . 62
  Path Traversal attacks . . . 63
    Configuring responses to prevent Path Traversal attacks . . . 66

Index . . . 67


Tables

1. Proventia GX Network IPS policies affected by settings enabled in the wizard . . . 4
2. Authentication attacks . . . 8
3. Authentication signatures . . . 8
4. Brute Force attacks . . . 11
5. Brute Force signatures . . . 12
6. Buffer Overflow signatures . . . 14
7. Client-side Attacks . . . 20
8. Client-side Attack signatures . . . 20
9. Cross-site Request Forgery signatures . . . 25
10. Directory Indexing signatures . . . 28
11. Information Disclosure attacks . . . 29
12. Information Disclosure signatures . . . 29
13. Injection attacks . . . 36
14. Injection Attack signatures . . . 37
15. Malicious File Execution signatures . . . 54
16. Miscellaneous attacks . . . 57
17. Miscellaneous Attack signatures . . . 57
18. Path Traversal signatures . . . 63


About this publication

This section describes the audience for this guide and provides additional reference information.

Audience

Users of this guide should have a working knowledge of managing Web applications and using the IBM SiteProtector System and Console.

More information on Web application protection

The following sites and publications provide more information on protecting Web applications:

- Web Application Security Consortium Classes of Attack (http://www.webappsec.org/projects/threat/classes_of_attack.shtml)
- OWASP Top Ten Project (http://www.owasp.org/index.php/Top_10_2007)
- IBM Security Solutions site (http://www.ibm.com/services/us/index.wss/offerfamily/iss/a1029065)
- IBM Rational® AppScan® Services (PDF format) (http://www.ibm.com/common/ssi/rep_ca/2/897/ENUS208-322/ENUS208-322.PDF)


Chapter 1. About Web application security

This chapter explains how the Web Application Security wizard works and the agents that it supports.

Topics

“Process overview” on page 2

“Supported agents and affected policies” on page 3

“Adding Web applications to a protection domain” on page 5


Process overview

The signatures and tuning parameters that you enable in the Web Application Security wizard affect Proventia agents and agent policies already deployed in SiteProtector.

Setting up the webapplicationsecurity protection domain

You use this wizard to set up a protection domain that includes the group of network devices (Web applications) that you want to protect against Web application security attacks. The network devices form a single protection domain called webapplicationsecurity.

The webapplicationsecurity protection domain allows you to monitor groups of network devices from different network segments using signatures and tuning parameters that you enable in this wizard. You can set up as many webapplicationsecurity protection domains as needed.

Using the wizard for Proventia GX Network IPS agents

Note: When you invoke the Web Application Security wizard on a SiteProtector group, you will receive the following message: “No wizards for which you have permissions are available.” This message means that you cannot use the wizard at group level, not that you need to configure permissions in order to use the wizard.

The wizard follows this process when you enable Web Application Security signatures and tuning parameters for a Proventia GX Network IPS agent in SiteProtector:

1. The wizard attempts to locate an active, deployed Security Events policy version for the selected agent.

2. After the wizard locates an active Security Events policy, the Policy Editor for the Web Application Security wizard is displayed on the screen and you can activate signatures and tuning parameters in the wizard for the selected agent.

3. The signatures and tuning parameters that you enable in the wizard affect the following Proventia GX Network IPS policies:

   Policy: Security Events policy
   Outcome: Updated with settings enabled in the wizard and deployed to the selected agent (even if the policy was inherited previously from a parent group).

   Policy: Protection Domains Shared Object policy
   Outcome: Saved as a new version in the Policy Repository each time you use settings in the wizard that update it.

   Policy: Global Tuning Parameters Shared Object policy
   Outcome: Saved as a new version in the Policy Repository each time you use settings in the wizard that update it.

   Reference: See “Supported agents and affected policies” on page 3 for more information about how the wizard interacts with Proventia GX Network IPS agents and agent policies.


   Proventia GX Network IPS firmware versions 1.4 through 1.7 use different schema versions of the Security Events policy and the Protection Domains Shared Object policy than Proventia GX Network IPS firmware versions 2.0 through 3.0. When you invoke the wizard for an agent, only the Security Events policy and the Protection Domains Shared Objects policy relevant to that agent version are affected by the settings you enable in the wizard.

4. The wizard saves the policy data as a hidden policy for the selected agent, and then deploys this policy along with the modified version of the Security Events policy. The wizard also saves the settings from the last version of the policy data you edited in the wizard Policy Editor. The next time you open the wizard from SiteProtector, you can either view or use the settings that you previously saved.

Attention: If you disable (uncheck) a category that was previously saved in the wizard, this change will uninstall or remove tuning parameters and Web Application Security checks that you previously enabled in the wizard.

Note: This feature is not available for Locally Configured Agents in SiteProtector 2.0, Service Pack 7.0.

Supported agents and affected policies

The Web Application Security wizard supports the following agent firmware versions and will update or overwrite settings already configured in the agent policies when you enable the protection settings in the wizard for that specific type of agent.

Proventia GX Network IPS agents

The protection settings in the wizard affect the following firmware versions for Proventia GX Network IPS agents:

- 3.0
- 2.3
- 2.2
- 2.1
- 2.0
- 1.7
- 1.6
- 1.5
- 1.4

Proventia GX Network IPS agent policies

The protection settings you enable in the wizard affect the following Proventia GX Network IPS policies:


Table 1. Proventia GX Network IPS policies affected by settings enabled in the wizard

Policy: Security Events
Interaction:
  Receives a securityEvent for each signature or tuning parameter that is a member of an enabled protection category in the wizard.
  Sets the virtualSensor attribute webapplicationsecurity{unique_group_id} for each security event added by the wizard to indicate that the security event is enabled in the webapplicationsecurity{unique_group_id} protection domain.
  If the Enable Client Protection option is enabled in the Client-side attacks category, then any Web Application Security signature tagged to protect clients is enabled in the global protection domain.
  If the Enable Client Protection option is disabled, but the Client-side attacks category is enabled, then any Web Application Security signature tagged to protect clients is removed from the global protection domain.
  If the Enable Client Protection option is enabled, but the Client-side attacks category is disabled, then any Web Application Security signature tagged to protect clients is removed from the global protection domain.
  If both the Enable Client Protection option and the Client-side attacks category are disabled, then any Web Application Security signature tagged to protect clients is not affected in the global protection domain.

Policy: Protection Domains
Interaction:
  Uses a single protection domain called webapplicationsecurity{unique_group_id}.
  The webapplicationsecurity{unique_group_id} protection domain contains the list of network devices that you set up in the wizard. A protection domain is added each time you run the wizard on an agent.

Policy: Global Tuning Parameters
Interaction:
  Updates global tuning parameters with the values of any Advanced Options you have set in the wizard.
  Runs any tuning parameters that you added after it has run existing tuning parameters.
  Sets the Description attribute for the parameter to “Inserted by Web Application Security” to easily identify the parameters that you added from the wizard to the Global Tuning Parameters policy.

Policy: Sensor Properties
Interaction:
  Updates properties for the sensor.


Adding Web applications to a protection domain

You need to set up a protection domain that includes the group of network devices (Web applications) that you want to protect against Web application security attacks.

Before you begin

You must have the following permissions before you can enable protection settings in this wizard:

- Deploy Policy Permission for the agent you have selected, or permission for the agent policy subscription group
- Network IPS (Proventia GX) Policy Modify Permission for the agent you have selected, or permission for the agent policy subscription group

About this task

The network devices that you add to the protection list form a single protection domain called webapplicationsecurity.

You use the webapplicationsecurity protection domain when you want to monitor groups of network devices from different network segments using signatures and tuning parameters that you enable in the wizard. You can set up as many webapplicationsecurity protection domains as needed.

The settings enabled for the webapplicationsecurity protection domain instruct the Proventia GX Network IPS appliance on what properties signal a security event and how to respond if the event occurs against the devices in the domain.

Procedure

1. Click Protection Setup → Web Applications to Protect in the navigation pane.
2. Click Add.
3. Type the network address for a Web application using any of the following options:
   - Single IP address
   - Range of IP addresses
     Example: 128.8.27.18–128.8.27.25
   - CIDR-compliant address
     Example: 128.8.27.18/16, where suffix /16 indicates the number of bits in the prefix 128.8.27.18
4. Click OK to save your settings.
5. Repeat Step 2 through Step 4 to add more applications to the list.

The network devices you add to this list form a single protection domain called webapplicationsecurity. This configuration is written to the Protection Domains Shared Object policy for the Proventia GX Network IPS agent.
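The three entry formats in step 3 decide which hosts end up in the webapplicationsecurity protection domain, and the CIDR form deserves a second look: 128.8.27.18/16 keeps only the first 16 bits, so it covers 128.8.0.0 through 128.8.255.255, far more than the range example beside it. The following Python is an added example, not part of the guide or of the product; it parses wizard entries (the guide's two example values plus one constructed single address) with the standard ipaddress module and checks which hosts fall inside the resulting domain.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed wizard list. The range and CIDR values are the guide's own
# examples; the single address is made up for illustration.
WIZARD_ENTRIES = [
    "128.8.27.18",               # single IP address
    "128.8.27.18–128.8.27.25",   # range of IP addresses (en dash, as printed in the guide)
    "128.8.27.18/16",            # CIDR-compliant address with host bits set
]


def parse_entry(entry: str) -> List[Network]:
    """Turn one wizard entry into the list of networks it denotes.

    A single address becomes a /32 (or /128); a range becomes the smallest
    set of networks covering it; a CIDR entry is normalised to its network
    address, which is why 128.8.27.18/16 means 128.8.0.0/16.
    """
    entry = entry.strip().replace("\u2013", "-")  # accept the guide's en dash
    if "/" in entry:
        return [ipaddress.ip_network(entry, strict=False)]
    if "-" in entry:
        first_text, last_text = entry.split("-", 1)
        first = ipaddress.ip_address(first_text.strip())
        last = ipaddress.ip_address(last_text.strip())
        if last < first:
            raise ValueError(f"range end precedes range start: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry)]


class ProtectionDomain:
    """Assumed model of a webapplicationsecurity protection domain: a name
    plus the networks derived from the wizard list (not the product's own
    data structure)."""

    def __init__(self, name: str, entries: List[str]) -> None:
        self.name = name
        self.networks: List[Network] = []
        for entry in entries:
            self.networks.extend(parse_entry(entry))

    def contains(self, address: str) -> bool:
        """True if the host is inside any network of the domain."""
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in self.networks)

    def covered_hosts(self) -> int:
        """Number of distinct addresses covered, with overlapping entries collapsed."""
        total = 0
        for version in (4, 6):  # collapse_addresses refuses mixed versions
            same = [n for n in self.networks if n.version == version]
            total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
        return total


def build_domain(group_id: str, entries: List[str] = WIZARD_ENTRIES) -> ProtectionDomain:
    """Name the domain the way the guide does: webapplicationsecurity{unique_group_id}."""
    return ProtectionDomain(f"webapplicationsecurity{group_id}", entries)


if __name__ == "__main__":
    domain = build_domain("42")  # "42" is a constructed group id
    print(domain.name, "covers", domain.covered_hosts(), "addresses")
    for host in ("128.8.27.20", "128.8.200.1", "128.9.0.1"):
        print(host, "protected" if domain.contains(host) else "not protected")
```

Running it shows the whole list collapsing to the single /16, which is the check worth making before deploying a domain whose CIDR entry was typed with host bits set.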


Chapter 2. Web application security categories

This chapter explains how to enable protection signatures and configure tuning parameters that protect your Web applications from well-known Web application security attacks.

Before you begin: You must have the following permissions before you can enable protection settings in the wizard:

- Deploy Policy Permission for the agent you have selected, or permission for the agent policy subscription group
- Network IPS (Proventia GX) Policy Modify Permission for the agent you have selected, or permission for the agent policy subscription group

Topics

“Authentication attacks” on page 8

“Brute Force attacks” on page 11

“Buffer Overflow attacks” on page 14

“Client-side attacks” on page 20

“Cross-site Request Forgery (CSRF) attacks” on page 25

“Directory Indexing attacks” on page 27

“Information Disclosure attacks” on page 29

“Injection attacks” on page 36

“Malicious File Execution attacks” on page 54

“Miscellaneous attacks” on page 57

“Path Traversal attacks” on page 63


Authentication attacks

This type of attack targets and attempts to exploit the authentication process a Web site uses to verify the identity of a user, service, or application.

Types of Authentication attacks

The following types of attacks are considered Authentication attacks:

Table 2. Authentication attacks

Attack type: Brute Force
Attack description: Allows an attacker to guess a person’s user name, password, credit card number, or cryptographic key by using an automated process of trial and error.

Attack type: Insufficient Authentication
Attack description: Allows an attacker to access a Web site containing sensitive content or functions without having to properly authenticate with the Web site.

Attack type: Weak Password Recovery Validation
Attack description: Allows an attacker to access a Web site that provides them with the ability to illegally obtain, change, or recover another user’s password.

Signatures triggered by this attack

The Web Application Security signatures triggered by Authentication attacks include:

Table 3. Authentication signatures

Signature name and description

HTTP_Auth_ContainsBinary

Looks for an HTTP authentication that contains binary data.

More information:

IBM X-Force: Netscape Enterprise and Fasttrack authentication buffer overflow (http://www.iss.net/security_center/static/20556.php)

HTTP_Auth_TooLong

Detects an HTTP authorization string that is longer than the system-configurable value for maximum HTTP authorization length.

This signature replaces HTTP_NS_Admin_Overflow.

More information:

IBM X-Force: Netscape Enterprise and Fasttrack authentication buffer overflow (http://www.iss.net/security_center/static/3586.php)

CVE-1999-0853 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0853)


Table 3. Authentication signatures (continued)

Signature name and description

HTTP_Authentication

Detects HTTP Basic authentication to a Web server and logs the user names and passwords.

Note: This security event is categorized as an audit event. It does not necessarily indicate an attack or threat on your network.

More information:

IBM X-Force: HTTP authentication (http://www.iss.net/security_center/static/653.php)

HTTP_Authentication_Format_String

Detects HTTP Basic authentication format string attack in user names and passwords.

More information:

IBM X-Force: Apache auth_ldap module multiple format strings (http://www.iss.net/security_center/static/24030.php)

CVE-2006-0150 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150)

HTTP_IIS_Hit_Highlighting_Auth_Bypass

Looks for attempts to bypass security restrictions using a vulnerability in the Microsoft IIS server hit-highlighting functions.

More information:

IBM X-Force: Microsoft IIS Hit-highlighting security bypass (http://www.iss.net/security_center/static/34434.php)

CVE-2005-3357 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357)

HTTP_Login_Known_User

Detects the login name and matches it with user-defined logins for well-known login names.

More information:

IBM X-Force: HTTP known user login name (http://www.iss.net/security_center/static/8090.php)

HTTPS_ClearText_Session

Detects a valid HTTP request and response on port 443 that is not encrypted.

More information:

IBM X-Force: Unencrypted HTTP traffic over SSL has been detected (http://www.iss.net/security_center/static/22070.php)


Configuring responses to prevent Authentication attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected an Authentication attack on network traffic.

Procedure

1. Click Protection Categories → Authentication in the navigation pane.
2. Set a response for the attack triggered by the Authentication protection category:

   If you want to display the security event on the SiteProtector Console:
   Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
   Note: Look for security events tagged with webapplicationsecurity.

   If you want to block the attack:
   Important: IBM X-Force recommends that you disable blocking for Authentication attacks, because you could unintentionally block legitimate connections.
   Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: You should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.


Brute Force attacks

This type of attack uses a repetitive method of trial and error in order to guess a person’s user name, password, credit card number, or cryptographic key.

About this attack

An attacker could launch a brute force attack by trying to guess the user ID and password for a valid user account on the Web application. If the brute force attempt is successful, the attacker might be able to access:

- Confidential information, such as profile data for users or confidential documents stored on the Web application
- Administration tools used by the System Administrator for the Web application to manage (modify, delete, add) Web application content, manage user provisioning, or to assign different privileges to users
- Sections of the Web application that might expose vulnerabilities or advanced functions not available to non-Administrator users

Types of brute force attacks

An attacker might try the following attack methods to find out valid authentication credentials for a Web application:

Table 4. Brute Force attacks

Attack type: Dictionary attacks
Attack description: Automated tools that try to guess user names and passwords from a dictionary file. A dictionary file might contain words gathered by the attacker to understand the user of the account about to be attacked, or to build a list of all the unique words available on the Web site.

Attack type: Search attacks
Attack description: Covers all possible combinations of a character set and ranges of password length. This attack might take some time because of the large number of possible combinations.

Attack type: Rule-based search attacks
Attack description: Uses rules to generate possible password variations from part of a user name or from modifying pre-configured mask words in the input.


Signatures triggered by this attack

The Web Application Security signatures triggered by Brute Force attacks include:

Table 5. Brute Force signatures

Signature name and description

HTTP_Forced_Browsing_Probe

Detects repeated attempts to access non-existent resources on a Web server.

This could indicate an attack attempt related to the general problem of Forced Browsing, where an attacker uses brute force methods to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files.

These files and directories could contain sensitive information about Web applications and operational systems, such as source code, authentication credentials, internal network addressing, or any other type of valuable information that could allow an attack of the system.

More information:

IBM X-Force: Web application forced browsing probe detected (http://www.iss.net/security_center/static/48208.php)

CWE-425 (http://cwe.mitre.org/data/definitions/425.html)

HTTP_Hydra_BruteForce

Detects Nessus Hydra plug-in using brute force techniques.

More information:

IBM X-Force: Nessus Hydra plugin brute force detected (http://www.iss.net/security_center/static/22769.php)


Configuring responses to prevent Brute Force attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Brute Force attack on network traffic.

Procedure

1. Click Protection Categories → Brute Force in the navigation pane.
2. Set a response for the attack triggered by the Brute Force protection category:

   If you want to display the security event on the SiteProtector Console:
   Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
   Note: Look for security events tagged with webapplicationsecurity.

   If you want to block the attack:
   Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.


Buffer Overflow attacks

This type of attack overflows a buffer with excessive data, which allows an attacker to run a remote shell on the computer and gain the same system privileges granted to the application being attacked.

About this attack

An attacker can use buffer overflow attacks to corrupt the execution stack of a Webapplication. The attacker sends carefully crafted input to a Web application inorder to force the Web application to execute arbitrary code that allows theattacker to take over the system being attacked.

Web servers and Web applications that manage the static and dynamic aspects of a site, or that use graphics libraries to generate images, can be vulnerable to buffer overflow attacks when they copy request data into fixed-size buffers without checking its length. Depending on the overflow, the result is a crash of the process, a hang (for example, an infinite loop), or execution of attacker-supplied code that bypasses a security control.

Signatures triggered by this attack

The Web Application Security signatures triggered by Buffer Overflow attacks include:

Table 6. Buffer Overflow signatures

Signature name and description

HTTP_Accept_Language_Overflow

Detects an overflow in the HTTP Accept header field.

pam.http.maxaccept: Maximum length of an HTTP Accept field.
   Type = number
   Default value = 1600
   Minimum value = 1
   Maximum value = 4294967295

More information:

IBM X-Force: Netscape Enterprise Server contains a buffer overflow in its handling of Accept headers (http://xforce.iss.net/xforce/xfdb/3256)

CVE-1999-0751 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0751)

HTTP_Apache_DOS

Detects an HTTP URL request containing a large number of slashes (/), which might indicate an attempt by an attacker to increase the load average on an Apache httpd server.

More information:

IBM X-Force: Apache HTTP server beck exploit (http://www.iss.net/security_center/static/697.php)

CVE-1999-0107 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0107)


HTTP_Apache_Header_Memory_DoS

Detects an attempt to cause a denial of service on a vulnerable Apache HTTP server using a request with carefully crafted HTTP headers.

pam.http.header.contspace.limit: Maximum number of space characters allowed at the beginning of an HTTP header continuation line.
   Type = number
   Default value = 100
   Minimum value = 0
   Maximum value = 4294967295

More information:

IBM X-Force: Apache HTTP Server HTTP GET request denial of service (http://www.iss.net/security_center/static/17930.php)

CVE-2004-0942 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0942)

HTTP_Apache_JK2_Host_Overflow

Detects an attack against Apache Web servers that support Jakarta Tomcat Connectors (mod_jk2).

More information:

IBM X-Force: Apache mod_jk2 HTTP Host header buffer overflow (http://www.iss.net/security_center/static/40614.php)

CVE-2007-6258 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6258)

HTTP_Apache_LF_Memory_DoS

Detects an attempt to cause a denial of service on a vulnerable Apache HTTP server using a request containing numerous line feed characters.

More information:

IBM X-Force: Apache HTTP Server LF (Line Feed) denial of service (http://www.iss.net/security_center/static/11695.php)

CVE-2003-0132 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0132)

HTTP_IIS_Tilde_DoS

Detects HTTP URLs that contain a ~ (tilde) followed by a digit.

Known false positives: Any request to a vulnerable server for a URL that contains ~#, where # is any digit, will cause this signature to trigger. Servers are assumed vulnerable until there is evidence that they are not vulnerable.

Known false negatives: IBM X-Force believes it to be highly unlikely, although remotely possible, that this vulnerability can be entirely exploited from the Internet. In such a case, accurate detection and association of the setup before seeing the pattern associated with this event is not possible.

More information:

IBM X-Force: Microsoft Internet Information Services URL parser buffer overflow (http://www.iss.net/security_center/static/35197.php)

CVE-2005-4360 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4360)


HTTP_LDAP_Mod_Rewrite_BO

Checks for an off-by-one buffer overflow in the LDAP scheme handling function.

More information:

IBM X-Force: Apache mod_rewrite off-by-one buffer overflow (http://www.iss.net/security_center/static/28063.php)

CVE-2006-3747 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747)

HTTP_Lighttpd_Header_Overflow

Detects HTTP requests that contain long header data that might allow a remote attacker to execute arbitrary code on the victim's system by overflowing a buffer in the mod_fastcgi extension of the Lighttpd server.

pam.http.lighttpd.hdr.limit: Sets the maximum HTTP header size before the HTTP_Lighttpd_Header_Overflow signature is reported.
   Type = number
   Default value = 0x0000f000
   Minimum value = 0x200
   Maximum value = 0x7fffffff

More information:

IBM X-Force: lighttpd mod_fastcgi code execution (http://www.iss.net/security_center/static/36526.php)

CVE-2007-4727 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4727)

HTTP_Netscape_Revlog

Detects an HTTP REVLOG request, which might indicate an attacker's attempt to crash or otherwise disrupt the service of a Netscape Enterprise Web server.

More information:

IBM X-Force: Netscape Enterprise Server REVLOG denial of service (http://www.iss.net/security_center/static/6003.php)

CVE-2001-0251 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0251)

HTTP_Oracle2_BO

Detects attempts to overflow a buffer within Oracle Application Server by sending large URL parameters in GET requests to default Application Server ports.

More information:

IBM X-Force: Oracle Application Server emagent.exe buffer overflow (http://www.iss.net/security_center/static/22819.php)


HTTP_PHPNuke_ModulesPhp_DOS

Detects an HTTP URL that contains the string */modules.php and that also has a query string that begins with op=modload&name=../&file=modules.

More information:

IBM X-Force: PHP-Nuke modules.php remote denial of service (http://www.iss.net/security_center/static/6946.php)

HTTP_PHPNuke_Prefix_Admin

Detects an HTTP URL that contains the string */*.php and that also has a query string that begins with prefix=*.

More information:

IBM X-Force: PHP-Nuke $prefix variable could allow a remote attacker to gain administrative access (http://www.iss.net/security_center/static/6945.php)

CVE-2001-1025 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1025)

HTTP_PHPNuke_Index_File

Detects an HTTP URL that contains the string */*.php and that also has an argument that begins with file=http:.

More information:

IBM X-Force: PHP-Nuke index.php allows remote attackers to execute arbitrary commands from an included file (http://www.iss.net/security_center/static/7914.php)

CVE-2002-0206 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0206)

HTTP_POST_repeated_char

Detects HTTP POST data that contains a long run of one repeated character. This might indicate an attacker's attempt to overflow a buffer and execute arbitrary code.

More information:

IBM X-Force: HTTP POST contains repeated characters (http://www.iss.net/security_center/static/8538.php)

HTTP_Tomcat_URI_Overflow

Detects a URI of at least 4096 characters in an HTTP request that might be going to a Tomcat server.

More information:

IBM X-Force: Apache Tomcat JK Web Server Connector map_uri_to_worker() buffer overflow (http://www.iss.net/security_center/static/32794.php)

CVE-2007-0774 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774)


HTTP_URL_repeated_char

Detects URLs that have a large number of consecutive, identical characters. Such sequences can indicate an attacker's attempt to overflow a buffer.

pam.name.maxrepeatedchar: Maximum number of consecutive identical characters allowed before the event is reported.
   Type = number
   Default value = 100
   Minimum value = 2
   Maximum value = 2147483647

More information:

IBM X-Force: HTTP URL contains repeated characters (http://www.iss.net/security_center/static/8537.php)

HTTP_WebDAV_Long_Rqst_DOS

Detects an HTTP WebDAV PROPFIND or SEARCH request with a Content-Type of 'text/xml' and a Content-Length greater than 48000 bytes.

This signature replaces HTTP_WebDAV_Overflow.

More information:

IBM X-Force: Microsoft IIS WebDAV long invalid request denial of service (http://www.iss.net/security_center/static/6982.php)

CVE-2001-0508 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0508)

HTTP_WebDAV_XML_Attribute_DoS

Detects a WebDAV command with an unusually large number of XML attributes. This might indicate an attempt to cause a denial of service on some IIS Web servers.

More information:

IBM X-Force: Microsoft Internet Information Server WebDAV multiple attributes per XML element cause denial of service (http://www.iss.net/security_center/static/17645.php)

CVE-2003-0718 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0718)
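Several of the Table 6 signatures are pure length checks: a header longer than pam.http.maxaccept, a run of identical characters longer than pam.name.maxrepeatedchar, a URI of 4096 bytes or more, a WebDAV body over 48000 bytes, a header continuation line padded with more whitespace than pam.http.header.contspace.limit. The following Python is an added example written for this page, not IBM/ISS code and not the PAM engine's own logic; it applies those documented thresholds to raw HTTP requests so you can see which request shapes trip which check. The request parser, the event-name strings and the sample requests are constructed here for illustration.

```python
"""Length-anomaly checks modelled on the Table 6 signatures.

Added example, not IBM/ISS code. The thresholds are the tuning-parameter
defaults and sizes quoted in the table above; the request parser, event
names as Python strings, and the sample requests are constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Defaults from the guide's tuning parameters and signature descriptions.
MAX_ACCEPT_LEN = 1600         # pam.http.maxaccept
MAX_REPEATED_CHAR = 100       # pam.name.maxrepeatedchar
HDR_CONT_SPACE_LIMIT = 100    # pam.http.header.contspace.limit
TOMCAT_URI_LEN = 4096         # HTTP_Tomcat_URI_Overflow
WEBDAV_BODY_LEN = 48000       # HTTP_WebDAV_Long_Rqst_DOS


@dataclass
class Request:
    method: str
    uri: str
    headers: Dict[str, str]          # names lower-cased, obs-fold lines joined
    body: bytes
    raw_header_lines: List[str] = field(default_factory=list)


def parse_request(raw: bytes) -> Request:
    """Lenient HTTP/1.x request parser (constructed for this example).
    Continuation lines are joined into the preceding header but also kept
    verbatim so the leading-whitespace check can see them."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return Request(method, uri, headers, body, lines[1:])


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character."""
    best = cur = 0
    prev = None
    for ch in text:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def check_request(req: Request) -> List[str]:
    """Return the names of the length-based signatures the request trips."""
    events: List[str] = []
    if len(req.headers.get("accept", "")) > MAX_ACCEPT_LEN:
        events.append("HTTP_Accept_Language_Overflow")
    if longest_run(req.uri) > MAX_REPEATED_CHAR:
        events.append("HTTP_URL_repeated_char")
    if req.method == "POST" and longest_run(req.body.decode("latin-1")) > MAX_REPEATED_CHAR:
        events.append("HTTP_POST_repeated_char")
    if len(req.uri) >= TOMCAT_URI_LEN:
        events.append("HTTP_Tomcat_URI_Overflow")
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    try:
        clen = int(req.headers.get("content-length", "0"))
    except ValueError:
        clen = 0
    if req.method in ("PROPFIND", "SEARCH") and ctype == "text/xml" and clen > WEBDAV_BODY_LEN:
        events.append("HTTP_WebDAV_Long_Rqst_DOS")
    # CVE-2004-0942 shape: header continuation lines padded with excessive whitespace.
    for line in req.raw_header_lines:
        if line[:1] in (" ", "\t") and len(line) - len(line.lstrip(" \t")) > HDR_CONT_SPACE_LIMIT:
            events.append("HTTP_Apache_Header_Memory_DoS")
            break
    return events


# Constructed sample traffic: one benign request and one request per check.
SAMPLE_REQUESTS = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    "long_accept": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nAccept: " + b"A" * 2000 + b"\r\n\r\n",
    "long_uri": b"GET /" + b"A" * 4100 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "webdav": (b"PROPFIND /dav/ HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Type: text/xml\r\nContent-Length: 50000\r\n\r\n" + b"<" * 10),
    "header_spaces": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Pad: a\r\n"
                      + b" " * 200 + b"b\r\n\r\n"),
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: check_request(parse_request(raw)) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, events in scan_samples().items():
        print(f"{name:14s} -> {events or ['-']}")
```

Note that the long-URI sample trips two signatures at once (HTTP_URL_repeated_char and HTTP_Tomcat_URI_Overflow): a single oversized request routinely produces several events, which is worth remembering when you count events in the Analysis view before deciding what to block.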


Configuring responses to prevent Buffer Overflow attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Buffer Overflow attack on network traffic.

Procedure

1. Click Protection Categories → Buffer Overflow in the navigation pane.

2. Set a response for the attack triggered by the Buffer Overflow protection category:

If you want to display the security event on the SiteProtector Console:
   Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
   Note: Look for security events tagged with webapplicationsecurity.

If you want to block the attack:
   Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.


Client-side attacks

This type of attack exploits the trust relationship between a user and the Web sites they visit.

Types of Client-side attacks

The following types of attacks are considered Client-side attacks:

Table 7. Client-side Attacks

Attack type Attack description

Content Spoofing: Tricks a user into believing that certain content appearing on a Web site is legitimate and not from an external source.

Cross-Site Scripting (XSS): Allows an attacker to execute scripts in the victim's Web browser, which can be used to intercept user sessions, deface Web sites, insert hostile content, conduct phishing attacks, and take over the user's browser using scripting malware.

Any Web application that echoes untrusted input into a page without encoding it is vulnerable, regardless of the framework it is built on. The exploit typically uses HTML or JavaScript™, but any active content the victim's browser supports, including VBScript, ActiveX, Java™, or Flash, can carry the attack.

The types of Cross-site Scripting attacks include:

• Non-persistent: Requires a user to visit a specially crafted link containing malicious code. When the user accesses the link, the code embedded in the URL is executed within the user's Web browser.

• Persistent: Stores malicious code on a Web site, where it remains for a period of time and is served to every user who views the affected page. Typical targets of persistent cross-site scripting include message board posts, Web mail messages, and Web chat software.

Signatures triggered by this attack

The Web Application Security signatures triggered by Client-side attacks include:

Table 8. Client-side Attack signatures

Signature name and description

Cross_Site_Scripting

Detects well known forms of the <SCRIPT> tag in URL or CGI data.

This signature replaces the HTTP_GETargscript, HTTP_POST_Script, and HTTP_Cross_Site_Scripting events.

More information:

IBM X-Force: HTTP cross-site scripting attempt detected (http://www.iss.net/security_center/static/6784.php)


HTTP_Apache_Expect_XSS

Detects a specially crafted Expect header that might be used to embed a malicious script that is then executed in the victim's Web browser.

More information:

IBM X-Force: Apache and IBM HTTP Server Expect header cross-site scripting (http://www.iss.net/security_center/static/28620.php)

CVE-2006-3918 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918)

HTTP_Apache_OnError_XSS

Detects cross-site scripting attempts against older versions of the Apache Web server. For the attempt to work, the Apache ONERROR/404 redirect must be enabled and specially configured.

More information:

IBM X-Force: Apache HTTP Server Host: header cross-site scripting (http://www.iss.net/security_center/static/10241.php)

HTTP_Cross_Site_Scripting

Detects HTTP URLs that contain the strings <script> or </script>.

More information:

IBM X-Force: Microsoft IIS Cross-Site Scripting (http://www.iss.net/security_center/static/5156.php)

CVE-2000-1104 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1104)

CVE-2005-2379 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2379)

CVE-2006-0032 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0032)

HTTP_GETargscript

Detects an HTTP GET request that contains JavaScript code. Because of the unusual nature of this exploit, this signature cannot report the true intruder.

During this exploit, the victim communicates with an HTTP server that the intruder has chosen. However, this HTTP server is a "means to an end" and plays no role in the actual attack.

The damage is done when Internet Explorer saves the JavaScript in its cache (index.dat) while processing the request. The real intruder is likely indicated by other events reported corresponding with this one.

More information:

IBM X-Force: Microsoft Internet Explorer 5.5 index.dat file can be used to remotely execute code (http://www.iss.net/security_center/static/5566.php)

CVE-2007-1499 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1499)


HTTP_Html_In_Ref

Detects an HTTP Referer field that contains HTML tags, which might indicate a cross-site scripting attack.

More information:

IBM X-Force: HTTP Referer Header tag detected (http://www.iss.net/security_center/static/17810.php)

HTTP_HTML_Tag_Injection

Detects well known HTML tag injection attacks and probing activity.

This signature does not necessarily indicate an attack; however, many scripting attacks have been used in conjunction with various HTML tags that this signature triggers on, such as TABLE, TD, or META.

More information:

IBM X-Force: HTTP HTML tag injection attempt detected (http://www.iss.net/security_center/static/7291.php)

HTTP_IFRAME_Tag_Injection

Detects an HTML <IFRAME> tag injection attempt.

This signature does not necessarily indicate an attack; however, many successful scripting and browser hijacking attacks have been used in conjunction with IFRAME tag injections.

More information:

IBM X-Force: HTTP IFRAME tag injection attempt detected (http://www.iss.net/security_center/static/43713.php)

HTTP_MCMS_CrossSiteScripting

Detects a specially crafted HTTP URL that can cause a client-side script to be injected into the user's browser.

More information:

IBM X-Force: Microsoft Content Management Server (MCMS) HTTP request cross-site scripting (http://www.iss.net/security_center/static/32737.php)

CVE-2007-0939 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0939)

HTTP_MSIS_Script

Checks argument data for cross-site scripting in the Microsoft Indexing Services.

More information:

IBM X-Force: Microsoft IIS .htw cross scripting (http://www.iss.net/security_center/static/5441.php)

CVE-2000-0942 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0942)


HTTP_Nfuse_Script

Checks for a specially-crafted URL containing launch.asp or launch.jsp.

More information:

IBM X-Force: Citrix NFuse launch.* cross-site scripting (http://www.iss.net/security_center/static/8659.php)

CVE-2002-0504 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0504)

HTTP_POST_Script

Detects if an HTTP POST command contains a <script> tag.

More information:

IBM X-Force: HTTP POST contains malicious script (http://www.iss.net/security_center/static/8539.php)

HTTP_Share_Point_XSS

Detects a URL ending in .aspx, followed by the string /");}.

More information:

IBM X-Force: Microsoft SharePoint Server default.aspx PATH_INFO cross-site scripting (http://www.iss.net/security_center/static/34343.php)

CVE-2007-2581 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2581)
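Most of the Table 8 signatures are content matches: a <script> tag in URL or CGI data (Cross_Site_Scripting), an <iframe> tag (HTTP_IFRAME_Tag_Injection), TABLE/TD/META tags (HTTP_HTML_Tag_Injection), and any HTML tag in the Referer header (HTTP_Html_In_Ref). The Python below is an added example for this page, not IBM/ISS code and not the engine's own matching logic. It shows those checks applied to request data, and the point a practitioner cares about when reading such a table: a literal match for <script> sees nothing in %3Cscript%3E or %253Cscript%253E unless the data is decoded first, so the example normalizes URL encoding (repeatedly, to catch double encoding) and HTML character references before matching. The regular expressions, event-name strings and sample requests are constructed here.

```python
"""Client-side attack pattern checks modelled on the Table 8 signatures.

Added example, not IBM/ISS code. The patterns follow the signature
descriptions above (a <script> tag in URL or CGI data, an <iframe> tag,
TABLE/TD/META tag injection, HTML tags in the Referer header). The decoding
step, event names as Python strings, and the sample requests are constructed.
"""
import html
import re
from typing import Dict, List
from urllib.parse import unquote

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
IFRAME_TAG = re.compile(r"<\s*iframe\b", re.IGNORECASE)
INJECTION_TAGS = re.compile(r"<\s*(table|td|meta)\b", re.IGNORECASE)
ANY_TAG = re.compile(r"<\s*/?[a-z][a-z0-9]*\b", re.IGNORECASE)


def normalize(value: str) -> str:
    """Undo the encodings used to hide a tag from a literal string match:
    '+' as space, repeated percent-decoding (defeats %253Cscript%253E), and
    HTML character references."""
    prev = None
    cur = value
    for _ in range(3):           # bounded so a pathological input cannot loop
        if cur == prev:
            break
        prev = cur
        cur = unquote(cur.replace("+", " "))
    return html.unescape(cur)


def check_client_side(uri: str, headers: Dict[str, str], post_data: str = "") -> List[str]:
    """Return the names of the client-side signatures the request trips."""
    events: List[str] = []
    cgi_data = normalize(uri) + "\n" + normalize(post_data)
    if SCRIPT_TAG.search(cgi_data):
        events.append("Cross_Site_Scripting")       # covers URL and POST data
    if IFRAME_TAG.search(cgi_data):
        events.append("HTTP_IFRAME_Tag_Injection")
    if INJECTION_TAGS.search(cgi_data):
        events.append("HTTP_HTML_Tag_Injection")
    lowered = {k.lower(): v for k, v in headers.items()}
    if ANY_TAG.search(normalize(lowered.get("referer", ""))):
        events.append("HTTP_Html_In_Ref")
    return events


# Constructed samples: (URI, headers, POST data).
SAMPLES = {
    "benign": ("/search?q=cats", {"Referer": "http://www.example.com/"}, ""),
    "plain_script": ("/search?q=<script>alert(1)</script>", {}, ""),
    "double_encoded": ("/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E", {}, ""),
    "iframe_post": ("/comment", {}, "body=%3Ciframe+src%3D%22http%3A%2F%2Fattacker.example%2F%22%3E"),
    "meta_probe": ("/page?x=%3Cmeta+http-equiv%3Drefresh%3E", {}, ""),
    "html_referer": ("/", {"Referer": "http://attacker.example/<img src=x onerror=alert(1)>"}, ""),
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: check_client_side(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, events in scan_samples().items():
        print(f"{name:15s} -> {events or ['-']}")
```

The "double_encoded" sample is the one to study: without the normalize() step it produces no event at all, which is exactly how an attacker slips a payload past a signature that matches the literal tag. It also illustrates why HTTP_HTML_Tag_Injection and HTTP_IFRAME_Tag_Injection are documented as "not necessarily an attack": the decoded data of a legitimate HTML editor or forum post looks the same on the wire.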


Configuring responses and client protection to prevent Client-side attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Client-side attack on network traffic.

Procedure

1. Click Protection Categories → Client-side Attacks in the navigation pane.

2. Set a response for the attack triggered by the Client-side Attacks protection category:

If you want to display the security event on the SiteProtector Console:
   Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
   Note: Look for security events tagged with webapplicationsecurity.

If you want to block the attack:
   Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.

3. To add IP addresses, domains, or parameters that are always allowed and not blocked by the Web Application Security signatures, click Add in the Parameter Names to Ignore for Protection section.

4. Type an entry, as in the following examples: 128.8.27.18, ibm.com, iss.net, or pam.example.parameter.

   Note: The engine appends a number to the end of an entry if that entry has already been used in the local tuning parameters or the global tuning parameters.

   Example: pam.injection.param.ignore.2110173[2]

5. Optional: Type a unique description for the entry.

6. Select Enable Client Protection to make sure that any Web Application Security signature you have set up to protect clients is included in the global protection domain for the Proventia GX Network IPS agent.

   Note: The global protection domain includes all the security events that are listed in the global security policy used by the Proventia GX Network IPS agent.


Cross-site Request Forgery (CSRF) attacks

This type of attack sends unauthorized commands from a user that a Web site trusts.

About this attack

In this attack, the attacker places a link or script in a page that causes the user's browser to send a request to a Web site to which the user is known to have authenticated.

These types of attacks have the following common characteristics:
• Involve Web sites that rely on a user's identity
• Exploit the trust of the Web site in that identity
• Trick the user's Web browser into sending HTTP requests to a target site
• Involve HTTP requests that have adverse effects

This attack is also known as a blind attack; the attacker cannot see what the targetWeb site sends back to the victim in response to the forged requests, unless theattacker is using cross-site scripting or other bugs at the target Web site.
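The characteristics listed above are what a network-level detector has to work with: a request that carries the victim's session (a Cookie header) and whose Origin or Referer points at a site other than the one in Host. The Python below is an added example for this page, not IBM/ISS code; the guide does not publish the logic of HTTP_AuthResponse_Possible_CSRF, and this is only a model of the heuristic. It also makes the false-positive problem concrete: when a privacy proxy or browser setting strips the Referer, a legitimate form post and a forged one are indistinguishable on the wire, which is why the configuration section that follows recommends against blocking on this category. The verdict strings and sample requests are constructed here.

```python
"""Cross-site request forgery heuristic in the spirit of
HTTP_AuthResponse_Possible_CSRF.

Added example, not IBM/ISS code; the guide does not publish the signature's
logic. It encodes the characteristics listed above: a request carrying the
user's session (a Cookie header) whose Origin or Referer names a site other
than the one in Host. Verdict strings and sample requests are constructed.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Methods that normally change server state. A GET that changes state is also
# a CSRF vector (the guide's "link" case), but flagging every cross-site GET
# that carries a cookie would flag every inbound link to the site.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def site_of(url: str) -> Optional[str]:
    """host[:port] of an absolute URL, lower-cased; None if absent or unparseable
    (covers an empty header and the literal 'null' Origin browsers send)."""
    if not url:
        return None
    return urlsplit(url).netloc.lower() or None


def classify_csrf(method: str, headers: Dict[str, str]) -> str:
    """Classify one request as 'none', 'possible' or 'likely' CSRF.

    likely   : session cookie + state-changing method + Origin/Referer from
               another site than Host.
    possible : session cookie + state-changing method, but neither Origin nor
               Referer is present to compare. Privacy proxies and some browser
               settings strip Referer, so a legitimate request looks identical
               to a forged one; this is the false-positive class behind the
               guide's advice not to block on this category.
    none     : no session, read-only method, or same-site source.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "cookie" not in h or method.upper() not in STATE_CHANGING:
        return "none"
    target = h.get("host", "").lower()
    source = site_of(h.get("origin", "")) or site_of(h.get("referer", ""))
    if source is None:
        return "possible"
    return "likely" if source != target else "none"


# Constructed samples: (method, headers) as seen by the protected server.
SAMPLES = {
    "same_site_post": ("POST", {"Host": "bank.example", "Cookie": "SID=abc",
                                "Origin": "https://bank.example"}),
    "forged_post": ("POST", {"Host": "bank.example", "Cookie": "SID=abc",
                             "Referer": "http://attacker.example/lure.html"}),
    "stripped_referer": ("POST", {"Host": "bank.example", "Cookie": "SID=abc"}),
    "cross_site_get": ("GET", {"Host": "bank.example", "Cookie": "SID=abc",
                               "Referer": "http://news.example/"}),
    "anonymous": ("POST", {"Host": "bank.example"}),
}


def scan_samples() -> Dict[str, str]:
    return {name: classify_csrf(method, hdrs) for name, (method, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:17s} -> {verdict}")
```

The "stripped_referer" sample is the one that matters for the blocking decision: it is either a forged request or a user behind a Referer-stripping proxy, and nothing in the request tells the two apart. A detector can only report it as possible, and blocking it drops the legitimate case too.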

Signatures triggered by this attack

The Web Application Security signatures triggered by Cross-site Request Forgery attacks include:

Table 9. Cross-site Request Forgery signatures

Signature name and description

HTTP_AuthResponse_Possible_CSRF

Detects a Cross-site Request Forgery attempt. (Also known as CSRF or XSRF attempts)

This attack allows an attacker to send unauthorized commands to a Web server or Web application from a user that the server or application trusts. The attacker does not need to defeat authentication, because the victim's browser already holds a valid session; the attack usually requires some social engineering to lure the authenticated user into loading the attacker's page or link.

More information:

IBM X-Force: HTTP Cross-Site Request Forgery attempt detected (http://www.iss.net/security_center/static/48675.php)


Configuring responses and tuning parameters to prevent Cross-site Request Forgery attacks

Use this procedure to configure responses and tuning parameters for signatures that are triggered by Web Application Security after it has detected a Cross-site Request Forgery attack on network traffic.

Procedure

1. Click Protection Categories → Cross-site Request Forgery in the navigation pane.

2. Set a response for the attack triggered by the Cross-site Request Forgery protection category:

If you want to display the security event on the SiteProtector Console:
   Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
   Note: Look for security events tagged with webapplicationsecurity.

If you want to block the attack:
   Important: IBM X-Force recommends that you disable blocking for CSRF attacks, because you could unintentionally block legitimate connections.
   Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: You should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.

3. To add IP addresses, domains, or parameters that are always allowed and not blocked by the Web Application Security signatures, click Add in the Parameter Names to Ignore for Protection section.

4. Type an entry, as in the following examples: 128.8.27.18, ibm.com, iss.net, or pam.example.parameter.

   Note: The engine appends a number to the end of an entry if that entry has already been used in the local tuning parameters or the global tuning parameters.

   Example: pam.injection.param.ignore.2110173[2]

5. Optional: Type a unique description for the entry.


Directory Indexing attacks

This type of attack exploits a function of the Web server that lists all the files within a requested directory if the normal base file is not present.

About this attack

When a user requests a page on a Web site, the Web server processes the request, searches the requested directory under the Web document root for the default file name (for example, index.html), and sends that page to the user. If the server does not find a default file and directory indexing is enabled, it issues a directory listing and sends the output in HTML format to the user.

This behavior allows the contents of unintended directory listings to be disclosed to the user when a software vulnerability or misconfiguration is combined with a specific Web request. This information leak can provide an attacker with the information necessary to launch further attacks against the system.

The information leak might include some of these files or user information:
• Backup files that use file name extensions such as BAK, OLD, or ORIG
• Temporary files that have been purged from the server but might still be available
• Hidden files with file names that start with a . (period)
• Naming conventions from which the attacker can determine how the Web site names directories or files
• Personal user accounts on a Web server where the user has named their home directory with the same name as their user account
• Configuration file contents that might contain access control data and use file name extensions such as CONF, CFG, or CONFIG
• Directory indexing of the cgi-bin contents, which might enable an attacker to download or review script code if permissions are incorrect

In some cases, an attacker might be able to access an unintended directory listing or index by exploiting one of these conditions:
• The Web server is configured incorrectly to allow or provide a directory index
• The Web server allows a directory index even though it has been disabled in the configuration file or an index page is present
• A search engine cache (for example, the Google cache) contains historical data, including directory indexes from past crawls of a specific Web site

Signatures triggered by this attack

The Web Application Security signatures triggered by Directory Indexing attacks include:


Table 10. Directory Indexing signatures

Signature name and description

HTTP_Apache_Macros_dir

Detects an HTTP GET request for the .DS_Store or .FBCIndex files.

More information:

IBM X-Force: Apple Mac OS X used with Apache Web server could disclose directory contents (http://www.iss.net/security_center/static/7103.php)

CVE-2001-1446 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1446)

HTTP_Tomcat_Nulllist

Checks for a specially crafted URL designed to obtain a list of directories from an Apache Tomcat servlet container.

More information:

IBM X-Force: Apache Tomcat URL appended with a null character could list directories (http://www.iss.net/security_center/static/11194.php)

CVE-2003-0042 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042)

Configuring responses to prevent Directory Indexing attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Directory Indexing attack on network traffic.

Procedure

1. Click Protection Categories → Directory Indexing in the navigation pane.

2. Set a response for the attack triggered by the Directory Indexing protection category:

If you want to display the security event on the SiteProtector Console:
   Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
   Note: Look for security events tagged with webapplicationsecurity.

If you want to block the attack:
   Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.


Information Disclosure attacks

This type of attack is aimed at acquiring system-specific information about a Web site, including software distribution, version numbers, and patch levels. The acquired information might also include the location of backup files or temporary files.

About this attack

Most Web sites disclose some amount of information. The more information an attacker learns about a Web site, the easier the system is to compromise.

Types of Information Disclosure attacks

The following types of attacks are considered Information Disclosure attacks:

Table 11. Information Disclosure attacks

Attack type Attack description

Directory Indexing: Exploits a function in a Web server that lists all the files within a requested directory if the normal base file is not present.
Reference: See "Directory Indexing attacks" on page 27 for more information about this type of attack.

Information Leakage: Exploits a Web site that reveals sensitive data, such as developer comments or error messages.

Path Traversal: Forces access to files, directories, and commands that are located outside the Web document root directory.
Reference: See "Path Traversal attacks" on page 63 for more information about this type of attack.

Predictable Resource Location: Uncovers hidden Web site content and functions.

Signatures triggered by this attack

The Web Application Security signatures triggered by Information Disclosure attacks include:

Table 12. Information Disclosure signatures

Signature name and description

HTTP_Apache_ServerInfo

Looks for an HTTP request with the Apache server-info handler specified.

More information:

IBM X-Force: Apache HTTP Server server-info request has been detected (http://www.iss.net/security_center/static/16890.php)

HTTP_Apache_ServerStatus

Looks for an HTTP request with the Apache server-status handler specified.

More information:

IBM X-Force: Apache HTTP Server server-status request has been detected (http://www.iss.net/security_center/static/16889.php)


HTTP_Apache_Trailing_Slash

Detects attempts to view the source of PHP pages by exploiting a vulnerability that exists when the PHP site is hosted on a Windows samba file share and the requested page name is appended with a \ to the .php file extension in the URL.

More information:

IBM X-Force: Apache HTTP Server Windows SMB shares information disclosure (http://www.iss.net/security_center/static/39158.php)

CVE-2007-6514 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6514)

HTTP_Bash_Shell_History

Detects HTTP URLs that contain */.bash_history or */.history.

This signature replaces HTTP_ShellHistory.

More information:

IBM X-Force: Cobalt RaQ Web server could reveal user’s command history (http://www.iss.net/security_center/static/1831.php)

CVE-1999-0408 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0408)

HTTP_ColdFusion_Debug

Detects an HTTP URL that contains the string *.cfm and that also has a parameter/value pair of mode=debug in the query string.

More information:

IBM X-Force: ColdFusion Debugging mode could allow the path to ".cfm" files to be revealed (http://www.iss.net/security_center/static/6792.php)

HTTP_FileTypeLnk

Detects an attempt to access a .lnk file (/*/*.lnk). Under some circumstances, an attacker might use such a file to gain access to privileged information on the client system.

This signature replaces HTTP_IE3_URL.

More information:

IBM X-Force: Microsoft Internet Explorer 3.0 allows remote command execution (http://www.iss.net/security_center/static/463.php)

HTTP_FileTypeUrl

Detects an attempt to access a .url file (/*/*.url). Under some circumstances, an attacker might use such a file to gain access to privileged information on the client system.

This signature replaces HTTP_IE3_URL.

More information:

IBM X-Force: Microsoft Internet Explorer 3.0 allows remote command execution (http://www.iss.net/security_center/static/463.php)

CVE-1999-0280 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0280)


HTTP_FrontPage_Authors

Detects a request for the author’s password.

More information:

IBM X-Force: Microsoft FrontPage Extensions authors.pwd file could reveal encrypted passwords (http://www.iss.net/security_center/static/3393.php)

HTTP_FrontPage_PWD

Detects a request for the Administrator’s password.

More information:

IBM X-Force: Microsoft FrontPage Extensions administrators.pwd file could reveal encrypted passwords (http://www.iss.net/security_center/static/3390.php)

HTTP_IIS_Obtain_Code

Detects HTTP GET requests that include the string +.htr, which might indicate an attempt by an attacker to view the source of files on the Web server.

More information:

IBM X-Force: Microsoft IIS allows remote attackers to obtain source code fragments using +.htr (http://www.iss.net/security_center/static/5104.php)

CVE-2000-0630 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0630)

HTTP_IIS_Track

Looks for an HTTP request that uses the TRACK method. This leads to returning sensitive information from the server. IIS does not properly log this request.

More information:

IBM X-Force: Microsoft Internet Information Server (IIS) fails to properly log HTTP TRACK requests (http://www.iss.net/security_center/static/14077.php)

HTTP_IIS_Trailing_Incomplete_Unicode

Detects specially-crafted URLs that contain a trailing %81 through %fe. Such URLs might indicate an attacker’s attempt to cause a server to return an original file, rather than executing the file, which might reveal critical information about the server to the attacker.

Server source code often contains hidden passwords, hidden file names, or easy-to-discover bugs. The attacker can then use this hidden information to break into the server.

More information:

IBM X-Force: Microsoft IIS using double-byte code pages could allow remote attackers to retrieve source code (http://www.iss.net/security_center/static/2302.php)

CVE-1999-0725 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0725)


HTTP_JSP_SourceRead

Detects a URL ending with the file name extension .jsp or .jhtml where any of the letters in the extension are not lowercase.

More information:

IBM X-Force: BEA WebLogic allows users to read source of JSP files (http://www.iss.net/security_center/static/4694.php)

CVE-2000-0499 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0499)

HTTP_Microsoft_Error_Report

Detects the reporting of a Windows application error such as a crashed or stopped process.

More information:

IBM X-Force: Microsoft Windows error report transmission detected (http://www.iss.net/security_center/static/29253.php)

HTTP_Netscape_List_Directories

Detects the use of an HTTP INDEX request that Netscape Enterprise Web servers support. An attacker can use this request to gain access to sensitive information.

Known false positives: A false positive is possible for legitimate HTTP INDEX requests. Though there are legitimate reasons for HTTP INDEX requests, such a request can be used by an attacker to gain access to sensitive information about Netscape Enterprise Web servers.

More information:

IBM X-Force: Netscape Enterprise Server allows remote directory listing (http://www.iss.net/security_center/static/5997.php)

CVE-2001-0250 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0250)

HTTP_Netware_DirList

Detects an HTTP command consisting of get (lowercase) and a URL of /.

More information:

IBM X-Force: Novell NetWare GET allows directory listing (http://www.iss.net/security_center/static/6988.php)

CVE-2001-1232 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1232)

HTTP_Orion_JSP_SourceRead

Detects a URL ending with the file name extension .jsp (.jsp followed by a space).

More information:

IBM X-Force: Orion Application Server JSP source code disclosure (http://www.iss.net/security_center/static/25405.php)

CVE-2006-0816 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0186)


HTTP_Passwd_Txt

Detects HTTP GET requests for the passwd.txt file.

More information:

IBM X-Force: WWWBoard’s administrator password file is remotely accessible (http://www.iss.net/security_center/static/3383.php)

CVE-1999-0953 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0953)

HTTP_PHP_Addslashes_ViewFiles

Detects a specially-crafted URL that might be used to view arbitrary files on the system.

More information:

IBM X-Force: PHP addslashes view files (http://xforce.iss.net/xforce/xfdb/18516)

CVE-2004-1020 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1020)

HTTP_PHPNuke_Admin_Overwrite

Detects an HTTP URL that contains the string */admin.php, and also uses a query string that starts with upload.

More information:

IBM X-Force: PHP-Nuke admin.php could allow remote attackers to upload and overwrite files

CVE-2001-1032

HTTP_POST_Filename_passwd

Detects an HTTP POST command that references a file name that includes the string */passwd or the string */shadow.

More information:

IBM X-Force: passwd file accessed (http://www.iss.net/security_center/static/1069.php)

HTTP_POST_Filename_sam

Detects an HTTP POST command that references a file name that includes the string */sam._.

More information:

IBM X-Force: Access attempt made to Windows NT SAM (Security Accounts Manager) file or its backup (http://www.iss.net/security_center/static/3708.php)


HTTP_PsaPhp_RevealSource

Detects HTTP URLs that have a path that begins with /~ and that references a file name that contains the string *.php.

Known false positives: HTTP requests for URLs detected by this signature are only a risk if the Plesk Server Administrator (PSA) program for Unix and Linux® Web servers is installed.

More information:

IBM X-Force: Plesk Server Administrator (PSA) reveals PHP source code (http://www.iss.net/security_center/static/7735.php)

CVE-2001-1222 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1222)

HTTP_Server_ID

Detects server ID requests and lists any information disclosed as a result of this command.

Note: This security event is categorized as an audit event. It does not necessarily indicate an attack or threat on your network.

More information:

IBM X-Force: HTTP server identity audit (http://www.iss.net/security_center/static/8649.php)

HTTP_Tunnel_Not_TLS_or_SSL

Detects an HTTP CONNECT request where the tunnelled data does not immediately begin with an SSL or TLS hello exchange.

While this signature does not indicate an attack on your network, it does indicate traffic that might be considered suspicious in an environment where HTTP tunnelling is expected only by HTTP proxies to secure Web sites.

Known false negatives: Unnaturally fragmented data streams might generate a false negative indication of this condition.

More information:

IBM X-Force: HTTP unencrypted CONNECT security bypass (http://www.iss.net/security_center/static/27958.php)

HTTP_Unix_Passwords

Detects an HTTP GET request for a passwd or shadow password file.

More information:

IBM X-Force: passwd file accessed (http://www.iss.net/security_center/static/1069.php)

HTTPS_Proxy_Info_Disclosure

Detects Basic Authentication over a proxy server for HTTPS communications that might lead to possible information disclosure.

More information:

IBM X-Force: Microsoft Internet Explorer HTTPS proxy authentication information disclosure (http://www.iss.net/security_center/static/23451.php)


Tivoli_LCF_File_Read

Detects an HTTP GET request to manipulate the Tivoli® LCF log file parameter, possibly to read files with elevated privileges.

More information:

IBM X-Force: IBM Tivoli LCF httpd can be used to remotely access files as root (http://www.iss.net/security_center/static/3927.php)

CVE-2000-1239 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1239)
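As an added example (not IBM's code or the product's signature engine), the following Python re-implements a handful of the Table 12 rules exactly as the table words them and runs them over constructed request lines. The request-line parsing, treating the server-info and server-status handlers as a final path segment, and reading "passwd or shadow password file" as a last path segment of that name are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# a raw URL whose final characters are %81 through %fe
# (HTTP_IIS_Trailing_Incomplete_Unicode)
_TRAILING_HIGH_BYTE = re.compile(r"%(8[1-9a-f]|[9a-e][0-9a-f]|f[0-9a-e])$", re.I)
# .jsp / .jhtml extension in any letter case (HTTP_JSP_SourceRead)
_JSP_EXT = re.compile(r"\.(jsp|jhtml)$", re.I)


def parse_request_line(line):
    """Split 'METHOD url HTTP/x.y' on the first and last space, so a URL that
    itself ends in a space (the Orion case) is preserved."""
    method, rest = line.split(" ", 1)
    url, _, version = rest.rpartition(" ")
    return method, url, version


def match_signatures(line):
    """Return the Table 12 signature names whose rule, as the table words it,
    matches one request line.  Assumptions for this example: server-info and
    server-status are matched as the final path segment, and a 'passwd or
    shadow password file' request is one whose last segment is that name."""
    method, url, _ = parse_request_line(line)
    parts = urlsplit(url)
    path = unquote(parts.path)           # decoded path for string matches
    query = parse_qs(parts.query)
    base = path.rsplit("/", 1)[-1]       # last path segment
    hits = []

    if method == "TRACK":
        hits.append("HTTP_IIS_Track")
    if method == "INDEX":
        hits.append("HTTP_Netscape_List_Directories")
    if method == "get" and url == "/":   # lowercase get with a URL of /
        hits.append("HTTP_Netware_DirList")
    if base == "server-info":
        hits.append("HTTP_Apache_ServerInfo")
    if base == "server-status":
        hits.append("HTTP_Apache_ServerStatus")
    if "/.bash_history" in path or "/.history" in path:
        hits.append("HTTP_Bash_Shell_History")
    if ".cfm" in path and "debug" in query.get("mode", []):
        hits.append("HTTP_ColdFusion_Debug")
    if method == "GET" and "+.htr" in url:
        hits.append("HTTP_IIS_Obtain_Code")
    if _TRAILING_HIGH_BYTE.search(url):
        hits.append("HTTP_IIS_Trailing_Incomplete_Unicode")
    ext = _JSP_EXT.search(path)
    if ext and ext.group(0) != ext.group(0).lower():
        hits.append("HTTP_JSP_SourceRead")
    if path.endswith(".jsp "):           # .jsp followed by a space
        hits.append("HTTP_Orion_JSP_SourceRead")
    if method == "GET" and base == "passwd.txt":
        hits.append("HTTP_Passwd_Txt")
    if method == "GET" and base in ("passwd", "shadow"):
        hits.append("HTTP_Unix_Passwords")
    if base == "authors.pwd":
        hits.append("HTTP_FrontPage_Authors")
    if base == "administrators.pwd":
        hits.append("HTTP_FrontPage_PWD")
    return hits


# constructed request lines for this example; none are real traffic
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /server-status HTTP/1.1",
    "GET /home/.bash_history HTTP/1.0",
    "GET /app/index.cfm?id=3&mode=debug HTTP/1.1",
    "GET /default.asp+.htr HTTP/1.0",
    "GET /login.JSP HTTP/1.1",
    "GET /secret/page.jsp  HTTP/1.1",
    "GET /data/authors.pwd HTTP/1.0",
    "TRACK / HTTP/1.1",
    "get / HTTP/1.0",
    "GET /scripts/page.asp%81 HTTP/1.0",
]


def triage(lines):
    """Map each request line to its signature hits (an empty list is clean)."""
    return {line: match_signatures(line) for line in lines}


if __name__ == "__main__":
    for req, sigs in triage(SAMPLE_REQUESTS).items():
        print(f"{req!r:42} -> {', '.join(sigs) or 'no match'}")
```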

Configuring responses to prevent Information Disclosure attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected an Information Disclosure attack on network traffic.

Procedure

1. Click Protection Categories → Information Disclosure in the navigation pane.

2. Set a response for the attack triggered by the Information Disclosure protection category:

If you want to... Then...

Display the security event on the SiteProtector Console: Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures. Note: Look for security events tagged with webapplicationsecurity.

Block the attack: Important: IBM X-Force recommends that you disable blocking for Information Disclosure attacks, because you could unintentionally block legitimate connections. Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: You should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.


Injection attacks

This type of attack allows an attacker to inject code into a program or query, or inject malware onto a computer, in order to execute remote commands that can read or modify a database, or change data on a Web site.

Types of Injection attacks

The following types of attacks are considered Injection attacks:

Table 13. Injection attacks

Attack type: Attack description

Blind SQL Injection: Allows an attacker to use an error page returned by the database server to ask a series of True and False questions using SQL statements in order to gain total control of the database or execute commands on the system.

Blind XPath Injection: Allows an attacker who does not know the structure of an XML document to use methods that attempt to determine the structure of the document.

Buffer Overflow: Alters the flow of an application by overwriting parts of memory.

Format String Attack: Alters the flow of an application by using string formatting library features to access other memory space. In this type of attack, data provided by users might be used as formatting string input for certain C/C++ functions (for example: fprintf, printf, sprintf, setproctitle, syslog).

LDAP Injection: Exploits Web sites that construct LDAP (Lightweight Directory Access Protocol) statements from data provided by users. In this type of attack, an attacker might modify LDAP statements using a local proxy in order to execute arbitrary commands (granting permissions to unauthorized queries) or modify the content of the LDAP tree.

OS Commanding: Exploits Web sites by injecting an operating system command through an HTTP request to the Web application. In this type of attack, an attacker might upload malicious programs or obtain passwords.

SQL Injection: Takes advantage of the SQL syntax to inject commands that can read or modify a database, or compromise the meaning of the original SQL query. In this type of attack, an attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or become the Administrator of the database server.

SSI Injection: Allows an attacker to send code to a Web application, which will later be executed locally by the Web server. In this type of attack, an attacker exploits the failure of the Web application to filter data provided by users before it inserts that data into a server-side interpreted HTML file.


XPath Injection: Exploits Web sites that allow an attacker to inject data into an application in order to execute XPath queries. (XPath is a query language that describes how to locate specific elements, such as attributes or processing instructions, in an XML document.) In this type of attack, the attacker might be able to bypass authentication or access information without needing proper authorization.
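The HTTP_GET_SQL_* and HTTP_POST_SQL_* signatures listed in Table 14 match SQL keywords in requests, and the signature titles (compute%sum, group+by) show that URL-encoded spacing must be matched too. As an added example that is not IBM's code, the following Python matcher normalises percent-encoding and '+' before matching, names the rule that fired, and carries the table's GROUP BY false-positive note; inspecting the whole URL for GET and only the body for POST is an assumption made for this example.

```python
import re
from urllib.parse import unquote_plus

# (signature suffix, pattern over the normalised request text); the keywords
# are the ones the Table 14 signature descriptions name
SQL_RULES = [
    ("ComputeSum", re.compile(r"\bcompute\s+sum\b", re.I)),
    ("CreateTable", re.compile(r"\bcreate\s+table\b", re.I)),
    ("GroupBy", re.compile(r"\bgroup\s+by\b", re.I)),
    ("SQL_Convert_Int", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("SQL_OpenRowSet", re.compile(r"\bopenrowset\b", re.I)),
    ("SQL_Select_Count", re.compile(r"\bselect\s+count\s*\(\s*\*\s*\)", re.I)),
    ("SQL_Select_Top_1", re.compile(r"\bselect\s+top\s+1\b", re.I)),
    ("SQL_UnionAllSelect", re.compile(r"\bunion\s+all\s+select\b", re.I)),
    ("SQL_UnionSelect", re.compile(r"\bunion\s+select\b", re.I)),
    ("SQL_WaitForDelay", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("XP_Cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
]

# Table 14 flags GROUP BY as a known false-positive source: ordinary text
# such as "group by region" in a search parameter trips it
KNOWN_FALSE_POSITIVES = {"GroupBy"}


def normalise(text):
    """Decode %xx escapes and '+', then collapse whitespace runs to one space,
    so 'group+by', 'group%20by' and 'group  by' all read 'group by'."""
    return re.sub(r"\s+", " ", unquote_plus(text))


def inspect_request(method, url, body=""):
    """Return [(signature_name, known_false_positive), ...] for one request.

    Assumption made for this example: GET rules inspect the whole URL and
    POST rules inspect only the body; other methods are not inspected.
    """
    if method == "GET":
        text = url
    elif method == "POST":
        text = body
    else:
        return []
    text = normalise(text)
    return [
        (f"HTTP_{method}_{suffix}", suffix in KNOWN_FALSE_POSITIVES)
        for suffix, pattern in SQL_RULES
        if pattern.search(text)
    ]


# constructed traffic for this example; the keywords are only those Table 14 names
SAMPLE_TRAFFIC = [
    ("GET", "/products?id=5", ""),
    ("GET", "/products?id=5+union+select+1,2,3", ""),
    ("GET", "/products?id=5%20UNION%20ALL%20SELECT%20null", ""),
    ("GET", "/reports?q=sales+group+by+region", ""),
    ("POST", "/login", "user=a&pass=b"),
    ("POST", "/login", "user=a&pass=x waitfor delay 0:0:5"),
]


def triage(traffic):
    """Keep only the requests that matched, with their rule names and whether
    the table warns that the rule is false-positive prone."""
    results = []
    for method, url, body in traffic:
        hits = inspect_request(method, url, body)
        if hits:
            results.append((method, url, hits))
    return results


if __name__ == "__main__":
    for method, url, hits in triage(SAMPLE_TRAFFIC):
        for name, fp in hits:
            flag = " (known false-positive candidate)" if fp else ""
            print(f"{method} {url}: {name}{flag}")
```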

Signatures triggered by this attack

The Web Application Security signatures triggered by Injection attacks include:

Table 14. Injection Attack signatures

Signature name and description

HTTP_GET_ComputeSum

Detects attempts to execute the database command COMPUTE SUM through an HTTP GET request.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP GET contains compute%sum (http://www.iss.net/security_center/static/9604.php)

HTTP_GET_CreateTable

Detects attempts to execute the database command CREATE TABLE through an HTTP GET request.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP GET contains create%table (http://www.iss.net/security_center/static/9600.php)


HTTP_GET_GroupBy

Detects attempts to execute the database command GROUP BY through an HTTP GET request.

Known false positives: A false positive for this signature is possible when a user sends a request to an HTTP server that contains a string of group by or group+by.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP GET contains group%by (http://www.iss.net/security_center/static/9602.php)

HTTP_GET_SQL_Convert_Int

Detects the SQL command of convert(int,...) through HTTP GET requests.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL Injection CONVERT statement usage (http://www.iss.net/security_center/static/22250.php)

HTTP_GET_SQL_OpenRowSet

Checks HTTP GET requests for usage of the OPENROWSET SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "OPENROWSET" statement usage (http://www.iss.net/security_center/static/11566.php)


HTTP_GET_SQL_Select_Count

Detects the SQL command of select count(*) through HTTP GET requests.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: SQL injection SELECT count detected (http://www.iss.net/security_center/static/26128.php)

HTTP_GET_SQL_Select_Top_1

Detects the SQL command of select top 1 through HTTP GET requests.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: SQL injection SELECT count detected (http://www.iss.net/security_center/static/26128.php)

HTTP_GET_SQL_UnionAllSelect

Checks HTTP GET requests for usage of the UNION ALL SELECT SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage (http://www.iss.net/security_center/static/11567.php)


HTTP_GET_SQL_UnionSelect

Checks HTTP GET requests for usage of the UNION SELECT SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "UNIONSELECT" statement usage (http://www.iss.net/security_center/static/11568.php)

HTTP_GET_SQL_WaitForDelay

Checks HTTP GET requests for usage of the WAITFOR DELAY SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage (http://www.iss.net/security_center/static/11569.php)

HTTP_GET_XP_Cmdshell

Detects attempts to execute the SQL Server xp_cmdshell function through an HTTP GET request.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP URL contains an SQL xp_cmdshell command shell request (http://www.iss.net/security_center/static/8579.php)


HTTP_IIS_MSSQL_xml

Checks for an HTTP GET request matching either the pattern *.xml or an SQL injection using FOR XML with the contenttype argument exceeding 239 characters.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: Microsoft SQL Server SQLXML ISAPI buffer overflow (http://www.iss.net/security_center/static/9328.php)

CVE-2002-0186 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0186)

HTTP_IIS_MSSQL_XML_Script

Checks for an HTTP GET matching the pattern *.xml with an argument containing script injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: Microsoft SQL Server SQLXML XML tag script injection (http://www.iss.net/security_center/static/9329.php)

CVE-2002-0187 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0187)

HTTP_POST_ComputeSum

Detects attempts to execute the database command COMPUTE SUM through an HTTP POST request.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP POST contains compute%sum (http://www.iss.net/security_center/static/9605.php)


HTTP_POST_CreateTable

Detects attempts to execute the database command CREATE TABLE through an HTTP POST request.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP POST contains create%table (http://www.iss.net/security_center/static/9601.php)

HTTP_POST_GroupBy

Detects attempts to execute the database command GROUP BY through an HTTP POST request.

Known false positives: A false positive for this signature is possible when a user sends a request to an HTTP server that contains a string of group by or group+by.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP POST contains group%by (http://www.iss.net/security_center/static/9603.php)

HTTP_POST_SQL_Convert_Int

Detects the SQL command of convert(int,...) through HTTP POST requests.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL Injection CONVERT statement usage (http://www.iss.net/security_center/static/22250.php)


HTTP_POST_SQL_OpenRowSet

Checks HTTP POST requests for usage of the OPENROWSET SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "OPENROWSET" statement usage (http://www.iss.net/security_center/static/11566.php)

HTTP_POST_SQL_Select_Count

Detects the SQL command of select count(*) through HTTP POST requests.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: SQL injection SELECT count detected (http://www.iss.net/security_center/static/26128.php)

HTTP_POST_SQL_Select_Top_1

Detects the SQL command of select top 1 through HTTP POST requests.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL injection SELECT statement usage (http://www.iss.net/security_center/static/22248.php)


HTTP_POST_SQL_WaitForDelay

Checks HTTP POST requests for usage of the WAITFOR DELAY SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage (http://www.iss.net/security_center/static/22248.php)

HTTP_POST_SQL_UnionAllSelect

Checks HTTP POST requests for usage of the UNION ALL SELECT SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage (http://www.iss.net/security_center/static/11567.php)

HTTP_POST_SQL_UnionSelect

Checks HTTP POST requests for usage of the UNION SELECT SQL statement.

Note: This does not necessarily indicate there is an attack on the network, but it might be an attempt at SQL injection.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP SQL "UNIONSELECT" statement usage (http://www.iss.net/security_center/static/11568.php)


HTTP_POST_XP_Cmdshell

Detects attempts to execute the SQL Server xp_cmdshell function through an HTTP POST request.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters: pam.injection.http.headers.enabled, pam.injection.http.hostpath.enabled, pam.parser.argument.injection.enabled, pam.injection.param.ignore.

More information:

IBM X-Force: HTTP POST command contains SQL command shell request(http://www.iss.net/security_center/static/8647.php)

HTTP_Shells_C

Detects attempts to cause the C shell to execute commands.

This signature detects any calls to the C shell at any location (not only the cgi-bin directory) within or outside the Web server.

This signature replaces HTTP_Shells.

More information:

IBM X-Force: Shell interpreters can be used to execute commands on Web servers (http://www.iss.net/security_center/static/146.php)

CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)

HTTP_Shells_Ksh

Detects attempts to cause the Korn shell to execute commands.

This signature detects any calls to the Korn shell at any location (not only the cgi-bin directory) within or outside the Web server.

This signature replaces HTTP_Shells.

More information:

IBM X-Force: Shell interpreters can be used to execute commands on Web servers (http://www.iss.net/security_center/static/146.php)

CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)


HTTP_Shells_Perl

Detects attempts to cause the Perl shell to execute commands.

This signature detects any calls to the Perl shell at any location (not only the cgi-bin directory) within or outside the Web server.

This signature replaces HTTP_Shells.

More information:

IBM X-Force: Shell interpreters can be used to execute commands on Web servers (http://www.iss.net/security_center/static/146.php)

CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)

HTTP_Shells_Perl_Exe

Detects attempts to cause the Perl shell to execute commands.

This signature detects any calls to the Perl shell at any location (not only the cgi-bin directory) within or outside the Web server.

This signature replaces HTTP_Shells.

More information:

IBM X-Force: Shell interpreters can be used to execute commands on Web servers (http://www.iss.net/security_center/static/146.php)

CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)

HTTP_Shells_Rksh

Detects attempts to cause the restricted Korn shell to execute commands.

This signature detects any calls to the restricted Korn shell at any location (not only the cgi-bin directory) within or outside the Web server.

This signature replaces HTTP_Shells.

More information:

IBM X-Force: Shell interpreters can be used to execute commands on Web servers (http://www.iss.net/security_center/static/146.php)

CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)


HTTP_Shells_Sh

Detects attempts to cause the Bourne shell to execute commands.

This signature only detects calls to the Bourne shell in the cgi-bin directory.

This signature replaces HTTP_Shells.

More information:

IBM X-Force: Shell interpreters can be used to execute commands on Web servers (http://www.iss.net/security_center/static/146.php)

CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)

HTTP_Shells_Tcsh

Detects attempts to cause the tcsh shell to execute commands.

This signature detects any calls to the tcsh shell at any location (not only the cgi-bin directory) within or outside the Web server.

This signature replaces HTTP_Shells.

More information:

IBM X-Force: Shell interpreters can be used to execute commands on Web servers (http://www.iss.net/security_center/static/146.php)

CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)

LDAP_Injection

Detects attempts to compromise Web sites that construct LDAP (Lightweight Directory Access Protocol) statements from data provided by users.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters:
pam.injection.http.headers.enabled
pam.injection.http.hostpath.enabled
pam.parser.argument.injection.enabled
pam.injection.param.ignore

Shell_Command_Injection

Detects a Shell Command injection attempt by combining commands and symbols used in shell programming languages.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters:
pam.injection.http.headers.enabled
pam.injection.http.hostpath.enabled
pam.parser.argument.injection.enabled
pam.injection.param.ignore

More information:

IBM X-Force: Shell command injection attempt detected (http://www.iss.net/security_center/static/33012.php)


SQL_Injection

Heuristically detects SQL injection attempts by weighing various Data Definition statements, Data Manipulation statements, operators, functions, keywords, and symbols of the SQL programming language.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters:
pam.injection.http.headers.enabled
pam.injection.http.hostpath.enabled
pam.parser.argument.injection.enabled
pam.injection.param.ignore

Reference: See “Configuring responses and tuning parameters to prevent Injection attacks” on page 50 for descriptions and values of these tuning parameters:
pam.parser.argument.injection.enabled
pam.injection.argument.token.limit
pam.injection.sql.pedantic
pam.injection.sql.boolean.triggers
pam.injection.sql.chaff.limit
pam.injection.sql.score

More information:

IBM X-Force: SQL Injection affects multiple database-backed applications (http://www.iss.net/security_center/static/8783.php)

SQL_Jet_Query_Overflow

Looks for a SQL query with excessive SQL token delimiters, potentially allowing an attacker to overflow the Microsoft Jet Database engine.

Reference: See the XPath Injection signature for descriptions and values of these tuning parameters:
pam.injection.http.headers.enabled
pam.injection.http.hostpath.enabled
pam.parser.argument.injection.enabled
pam.injection.param.ignore

More information:

IBM X-Force: Microsoft Jet Database Engine query could execute code (http://www.iss.net/security_center/static/15703.php)

CVE-2004-0197 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0197)


XPATH_Injection

Triggers when well-known boolean injection patterns are detected.

In the absence of an SQL Injection event, it is more likely that an XPATH injection attempt has been made.

pam.injection.http.headers.enabled: Determines whether injection attempts (SQL, Shell, XSS, XPATH, LDAP) will be detected in HTTP headers, such as Cookie: and Referer:.

Note: Disabling this tuning parameter will result in a performance improvement.

pam.injection.http.hostpath.enabled: Determines whether injection attempts (SQL, Shell, XSS, XPATH, LDAP) will be detected in the //host/path/filename portion of the HTTP URL.

Note: Disabling this tuning parameter will result in a performance improvement.

pam.parser.argument.injection.enabled: Turns the Injection Logic Engine ON or OFF. This affects all SQL injection signatures, all Shell Command injection signatures, and all cross-site scripting injection signatures. The default value for this tuning parameter is enabled.

pam.injection.param.ignore: Defines a parameter name to ignore when performing inspection for SQL injection, Shell Command injection, cross-site scripting, and other related attacks.

More information:

IBM X-Force: XPath injection attempt detected (http://www.iss.net/security_center/static/15308.php)


Configuring responses and tuning parameters to prevent Injection attacks

Use this procedure to configure responses and tuning parameters for signatures that are triggered by Web Application Security after it has detected an Injection Attack on network traffic.

Procedure
1. Click Protection Categories → Injection Attacks in the navigation pane.
2. Set a response for the attack triggered by the Injection Attacks protection category:

If you want to display the security event on the SiteProtector Console, select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.

Note: Look for security events tagged with webapplicationsecurity.

If you want to block the attack, select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.

3. Set these values:

Attention: If you need to modify settings for these parameters, make sure you work with your IBM ISS Support representative to avoid assigning inappropriate settings that might cause the engine to behave incorrectly.

Injection setting and description / Value

SQL Token Limit: Defines the maximum number of delimited words that are scanned before PAM terminates attempts to find argument injections. If no argument injection attempt is found within this limit, then the scan is terminated.

PAM parameter: pam.injection.argument.token.limit

Values:
0 or -1 = Disables behavior (All content associated with a given item is scanned.)
Default value = 8
Minimum value = 0
Maximum value = 4294967295


SQL Chaff Limit: Defines the maximum amount of non-interesting data (chaff) mixed with SQL data (data that is recognized as SQL injection attempt keywords) that is allowed before any SQL injection signature is prevented from triggering, even if it would otherwise trigger.

False negatives: Because of the nature of the SQL Injection heuristics engine, some parts of routine SQL statements might be interpreted as non-interesting data (chaff), resulting in false negatives.

PAM parameter: pam.injection.sql.chaff.limit

Values:
-1 = Disables behavior (All data is accepted during attempts to find a SQL injection pattern.)
Default value = -1
Minimum value = -2147483648
Maximum value = 2147483647

SQL Score: Determines the score that must be met before the SQL_Injection signature triggers.

The score is calculated by finding various SQL keywords and patterns (Data Definition statements, Data Manipulation statements, and various SQL functions) within the data being scanned.

PAM parameter: pam.injection.sql.score

Values:
Default value = 4
Minimum value = -2147483648
Maximum value = 2147483647

SQL Pedantic: Affects the behavior of SQL injection detection by requiring that the first token found be either a single quote or a double dash.

Some SQL injection vulnerabilities might require these escape characters to be present.

This tuning parameter affects both the SQL_Injection signature and the legacy SQL injection signature.

False negatives: This tuning parameter might produce false negatives. You should have a thorough working knowledge of the applications you are attempting to protect before you enable this tuning parameter.

PAM parameter: pam.injection.sql.pedantic

Values:
0 = Disables behavior
1 = Enables behavior
Default value = 0


SQL Boolean Triggers: Affects the behavior of SQL injection detection by causing the SQL_Injection signature to trigger when an SQL boolean pattern is detected.

Reference: See the SQL Score setting above.

PAM parameter: pam.injection.sql.boolean.triggers

Values:
0 = Disables behavior
1 = A boolean pattern in conjunction with SQL keywords triggers the SQL_Injection event, even if the SQL score threshold has not been met
2 = A boolean pattern always triggers the event, even if SQL keywords are not present in conjunction with the boolean pattern. Attention: This value might lead to false positives in the SQL_Injection signature.
Default value = 1
Minimum value = -2147483648
Maximum value = 2147483647

Shell Score: Determines the value that must be met before triggering the SQL_Injection signature.

PAM parameter: pam.injection.shellcommand.score

Values:
Default value = 4
Minimum value = -2147483648
Maximum value = 2147483647

Shell Pedantic: Examines various combinations of commands and symbols used in shell programming languages.

PAM parameter: pam.injection.shell.pedantic

Values:
0 = Disables behavior
1 = Enables behavior
Default value = 1

4. To add IP addresses, domains, or parameters that are always allowed and not blocked by the Web Application Security signatures, click Add in the Parameter Names to Ignore for Protection section.


Attention: Use this tuning parameter to define a parameter name that you want to ignore during the inspection of SQL injections, Shell Command injections, cross-site scripting attacks, and other related attacks.

The tuning parameter uses the following syntax:
pam.injection.param.ignore.{issueid}=name

If the engine detects the name value as the parameter name associated with the given issue ID, then the event is not reported.

In the following example, the name value is defined as the name portion of the GET argument/query data name=value pairs, or of the POST data name=value pairs, for any other value as reported by one of the injection signatures.

Example: For the URL GET /marvey-bbs.cgi?foo=how+do+you+perform+select+top+1+where+..., the tuning parameter uses a value of foo to bypass the data: pam.injection.param.ignore.2110063=foo

This parameter stops the HTTP_GET_SQL_Select_Top_1 (2110063) event from triggering on data associated with the foo argument name. To prevent the injection signature from triggering on foo altogether, use the syntax: pam.injection.param.0=foo

5. Type an entry as in the following examples: 128.8.27.18 or ibm.com or iss.net or pam.example.parameter

Note: The engine appends a number at the end of an entry if it has been used before as an entry in local tuning parameters or global tuning parameters.

Example: pam.injection.param.ignore.2110173[2]

6. Optional: Type a unique description for the entry.
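Because the guide describes these parameters one at a time, the following Python, added here and not IBM's code, models how the step 3 tuning values and the step 4 ignore syntax combine on request arguments. PAM's real heuristics are not published, so the keyword set, weights, tokenizer and boolean-pattern regex are simplified assumptions, as is treating the guide's pam.injection.param.0=name form as applying to every issue id.

```python
"""Model of the Injection Attack tuning parameters (step 3) and the
pam.injection.param.ignore syntax (step 4) applied to request arguments.

Added example, not IBM's code: PAM's scoring heuristics are not published, so
the keyword set, weights, tokenizer and boolean-pattern regex are simplified
assumptions that only show what each parameter changes. Reading the guide's
pam.injection.param.0=name form as "every issue id" is also an assumption.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl

# Stand-in for the Data Definition/Data Manipulation statements, functions
# and symbols the SQL_Injection heuristic weighs (assumed set, weight 1 each).
SQL_KEYWORDS = {
    "select", "union", "insert", "update", "delete", "drop", "create", "alter",
    "from", "where", "top", "exec", "waitfor", "convert", "or", "and",
}
SQL_SYMBOLS = {"--", ";", "/*", "*/"}
# Well-known boolean patterns: 1=1, a=a, 'x'='x (assumed regex).
BOOLEAN_PATTERN = re.compile(r"\b(\w+)\s*=\s*\1\b|'([^']*)'\s*=\s*'\2")
TOKEN_RE = re.compile(r"--|/\*|\*/|;|'|=|\w+")
NON_CHAFF = SQL_KEYWORDS | SQL_SYMBOLS | {"'", "="}


@dataclass
class InjectionTuning:
    """Defaults are the ones listed in the guide's table for each parameter."""
    token_limit: int = 8           # pam.injection.argument.token.limit (0/-1 = all)
    sql_chaff_limit: int = -1      # pam.injection.sql.chaff.limit (-1 = accept all)
    sql_score: int = 4             # pam.injection.sql.score
    sql_pedantic: int = 0          # pam.injection.sql.pedantic (1 = ' or -- first)
    sql_boolean_triggers: int = 1  # pam.injection.sql.boolean.triggers (0, 1, 2)


def sql_injection_fires(value, t):
    """Would the modelled SQL_Injection signature trigger on this argument value?"""
    tokens = TOKEN_RE.findall(value)
    if t.token_limit > 0:                 # SQL Token Limit: stop scanning past N words
        tokens = tokens[: t.token_limit]
    if not tokens:
        return False
    if t.sql_pedantic == 1 and tokens[0] not in ("'", "--"):
        return False                      # SQL Pedantic: first token must be ' or --
    keywords = sum(1 for tok in tokens if tok.lower() in SQL_KEYWORDS)
    score = keywords + sum(1 for tok in tokens if tok in SQL_SYMBOLS)
    chaff = sum(1 for tok in tokens if tok.lower() not in NON_CHAFF)
    # SQL Chaff Limit: too much non-SQL data suppresses the signature entirely,
    # which is the false-negative source the guide warns about.
    if t.sql_chaff_limit >= 0 and chaff > t.sql_chaff_limit:
        return False
    boolean = BOOLEAN_PATTERN.search(value) is not None
    if t.sql_boolean_triggers == 2 and boolean:
        return True                       # pattern alone fires (false-positive prone)
    if t.sql_boolean_triggers == 1 and boolean and keywords > 0:
        return True                       # pattern plus a keyword, below the score
    return score >= t.sql_score           # SQL Score threshold


IGNORE_RE = re.compile(r"^pam\.injection\.param(?:\.ignore)?\.(\d+)(?:\[\d+\])?=(.+)$")


def parse_ignore_entries(lines):
    """Parse pam.injection.param.ignore.{issueid}=name entries into
    {issue id: set of parameter names}. The [n] suffix the engine appends to a
    reused entry is accepted and dropped; issue id 0 stands for every id."""
    rules = {}
    for line in lines:
        m = IGNORE_RE.match(line.strip())
        if not m:
            raise ValueError("not an ignore entry: %r" % line)
        rules.setdefault(int(m.group(1)), set()).add(m.group(2))
    return rules


def is_ignored(issue_id, name, rules):
    return name in rules.get(issue_id, ()) or name in rules.get(0, ())


def reported_parameters(query, tuning, rules, issue_id):
    """Walk the GET query or POST body name=value pairs and return the names
    on which the event with this issue id would still be reported."""
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if not is_ignored(issue_id, name, rules)
            and sql_injection_fires(value, tuning)]
```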


Malicious File Execution attacks

This type of attack allows an attacker to perform remote code execution, remote root kit installation, complete system compromise, and internal system compromise (on Windows systems) through the use of SMB file wrappers for the PHP scripting language.

About this attack

All Web application frameworks are vulnerable to this attack if they accept file names or files from a user.

Examples of this attack include:
• .NET assemblies that allow URL file name arguments
• Code that accepts the user’s choice of file name to include local files

Signatures triggered by this attack

The Web Application Security signatures triggered by Malicious File Execution attacks include:

Table 15. Malicious File Execution signatures

Signature name and description

HTTP_PHP_CRLF_Injection

Detects an HTTP header injection attempt in the argument data to a PHP script.

More information:

IBM X-Force: PHP fopen() and file() CRLF injection (http://www.iss.net/security_center/static/10080.php)

CVE-2002-1783 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1783)

HTTP_PHP_Includedir

Detects an HTTP URL request for a PHP file.

The URL also uses a query string that begins with includedir=http:.

More information:

IBM X-Force: Multiple vendor open-source PHP projects could allow remote command execution (http://www.iss.net/security_center/static/7215.php)

CVE-2001-1236 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1236)

HTTP_PHP_Script_Injection

Detects a PHP injection attempt that might be used to execute arbitrary code on a Web server.

More information:

IBM X-Force: HTTP PHP script injection attempt detected (http://www.iss.net/security_center/static/43714.php)


HTTP_PHP_Transfer_XSS

Detects a PHP script as content to an HTTP response. This is a strong indication of a PHP include() / require() overwrite attack.

More information:

IBM X-Force: HTTP SQL Injection CONVERT statement usage (http://www.iss.net/security_center/static/22250.php)

HTTP_Server_Side_Include_Injection

Detects a Server Side Include injection attempt designed to execute arbitrary code on a Web server.

More information:

IBM X-Force: HTTP Server Side Include injection attempt detected (http://www.iss.net/security_center/static/43801.php)

Configuring responses and tuning parameters to prevent Malicious File Execution attacks

Use this procedure to configure responses and tuning parameters for signatures that are triggered by Web Application Security after it has detected a Malicious File Execution attack on network traffic.

Procedure
1. Click Protection Categories → Malicious File Execution in the navigation pane.
2. Set a response for the attack triggered by the Malicious File Execution protection category:

If you want to display the security event on the SiteProtector Console, select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.

Note: Look for security events tagged with webapplicationsecurity.

If you want to block the attack, select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.

3. To add IP addresses, domains, or parameters that are always allowed and not blocked by the Web Application Security signatures, click Add in the Parameter Names to Ignore for Protection section.


4. Type an entry as in the following examples: 128.8.27.18 or ibm.com or iss.net or pam.example.parameter

Note: The engine appends a number at the end of an entry if it has been used before as an entry in local tuning parameters or global tuning parameters.

Example: pam.injection.param.ignore.2110173[2]

5. Optional: Type a unique description for the entry.


Miscellaneous attacks

This type of attack exploits vulnerable Web servers by forcing cache servers or Web browsers into disclosing user-specific information that might be sensitive and confidential.

About this attack

The following attacks are the most common types of attack in this category:

Table 16. Miscellaneous attacks

HTTP Response Smuggling: Allows an unauthenticated, remote attacker to send multiple HTTP requests designed to cause two targeted entities to receive different requests.

This attack can be used to send a malicious request to one entity while the other is unaware, in order to perform cross-site scripting attacks or Web cache poisoning attacks, or to bypass Web application firewall protection.

Many Web servers, firewalls, and proxy servers are susceptible to this attack; however, the impact of the attack is determined by the parsing methods of the specific product being attacked.

HTTP Response Splitting: Allows an attacker to send a single HTTP request that forces the Web server to form an output stream, which the target then interprets as two HTTP responses instead of one.

This attack can be used to perform cross-site scripting attacks, cross-user defacement, Web cache poisoning attacks, and similar exploits.

JSON Hijacking: Allows malicious Web sites to intercept confidential data delivered in JSON format.

This attack takes advantage of Web browsers that allow scripts to override the core language’s object setter routines. Malicious JavaScript uses these routines to insert logic that monitors JSON messages returned from a server.

Signatures triggered by this attack

The Web Application Security signatures triggered by Miscellaneous attacks include:

Table 17. Miscellaneous Attack signatures

Signature name and description

HTTP_Acunetix_WVS_Scan

Looks for scans by the Acunetix Web Vulnerability Scanner.

More information:

IBM X-Force: HTTP Acunetix WVS scan detected (http://www.iss.net/security_center/static/31973.php)


HTTP_Alternates_Corrupt

Detects an Alternates header in an HTTP response that uses unbalanced curly braces, which indicates an HTTP response splitting attack, cross-site scripting, or Web cache poisoning.

More information:

IBM X-Force: Apache HTTP Server mod_negotiation HTTP response splitting (http://www.iss.net/security_center/static/39893.php)

CVE-2008-0456 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0456)

HTTP_Connect_Proxy_Bypass_SMTP

Checks for an HTTP CONNECT command that attempts to connect to port 25.

Known false positives: This should never trigger on external/public-facing networks, but it might trigger on internal networks where users are expected to use HTTP proxies in order to send SMTP traffic. However, such configurations are exceedingly rare.

More information:

IBM X-Force: HTTP server CONNECT method used to bypass filtering (http://www.iss.net/security_center/static/15646.php)

HTTP_Content_Length_Invalid

Detects a non-numeric HTTP Content-Length parameter.

Note: This does not necessarily indicate that there is an attack on the network, but it could indicate an IDS evasion attempt, DNS cache poisoning attack, or other possible malicious activity.

HTTP_CRLF_Injection_Response_Splitting

Detects malicious HTTP requests that might indicate an attacker’s attempt at exploiting CRLF injection attacks, which could result in HTTP response splitting. These attacks can be used to create localized defacements, cache poisoning, cross-site scripting, or phishing.

More information:

IBM X-Force: HTTP CRLF injection detected (http://www.iss.net/security_center/reference/vuln/HTTP_CRLF_Injection_Response_Splitting.htm)


HTTP_Field_With_Binary

Detects HTTP requests with fields larger than 100 bytes that contain more than 5 bytes of binary (non-ASCII) data.

You can use the advanced tuning parameter pam.http.binary.fieldlength to change the minimum field size from its default of 100.

You can use the advanced tuning parameter pam.http.binary.count to change the minimum number of binary bytes that must be present from its default of 5.

pam.http.binary.count: Controls the threshold of the HTTP_Field_With_Binary signature.
Type = number
Default value = 20
Minimum value = 0
Maximum value = 4294967295

pam.http.binary.fieldlength: Controls the threshold of the HTTP_Field_With_Binary signature.
Type = number
Default value = 100
Minimum value = 1
Maximum value = 4294967295

More information:

IBM X-Force: HTTP field contains binary characters (http://www.iss.net/security_center/static/8540.php)

HTTP_Fields_With_Binary

Detects HTTP requests with multiple fields of any size that contain any binary (non-ASCII) data. Detection algorithm values are configurable through psom settings: maxHttpBinaryFields, the maximum count of fields with binary data, with a default of 3.

pam.http.binary.fieldcount: Specifies the number of fields in an HTTP request that might contain binary data before PAM considers it to be unusual and triggers HTTP_Fields_With_Binary.
Type = number
Units = fields
Default value = 3
Minimum value = 0
Maximum value = 2147483647

More information:

IBM X-Force: HTTP requests with multiple fields containing binary data(http://www.iss.net/security_center/static/7872.php)
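As an added illustration (not IBM's code), this Python applies the pam.http.binary.* thresholds of the two signatures above to a constructed request; the header splitting is a minimal stand-in for PAM's HTTP parser, and "binary" is taken to mean any byte outside 7-bit ASCII.

```python
"""Model of the HTTP_Field_With_Binary and HTTP_Fields_With_Binary checks,
parameterised with the pam.http.binary.* thresholds.

Added example, not IBM's code: the header splitting is a minimal stand-in
(assumption) for PAM's HTTP parser, "binary" is taken to mean any byte
outside 7-bit ASCII, and the sample request is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class BinaryTuning:
    fieldlength: int = 100  # pam.http.binary.fieldlength: minimum field size
    count: int = 20         # pam.http.binary.count: binary bytes in one field
    fieldcount: int = 3     # pam.http.binary.fieldcount: fields with any binary data


def split_fields(request):
    """Return the request line and each header value as separate byte fields."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    fields = [lines[0]]
    for line in lines[1:]:
        _name, _sep, value = line.partition(b":")
        fields.append(value.strip())
    return fields


def binary_bytes(field):
    """Count the non-ASCII bytes in one field."""
    return sum(1 for b in field if b >= 0x80)


def field_with_binary(fields, t):
    """HTTP_Field_With_Binary: indexes of fields larger than fieldlength bytes
    that contain more than count binary bytes."""
    return [i for i, f in enumerate(fields)
            if len(f) > t.fieldlength and binary_bytes(f) > t.count]


def fields_with_binary(fields, t):
    """HTTP_Fields_With_Binary: more than fieldcount fields, of any size,
    contain binary data."""
    return sum(1 for f in fields if binary_bytes(f) > 0) > t.fieldcount


# Constructed sample: a 113-byte Cookie value carrying 25 high bytes, plus a
# short header with two high bytes.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=" + b"A" * 80 + b"\xff" * 25 + b"\r\n"
    b"X-Trace: \xfe\xfd\r\n"
    b"\r\n"
)
```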


HTTP_Proxy_Cache_Poisoning

Detects HTTP server responses that can corrupt the caches of HTTP proxy servers.

Microsoft Internet Security and Acceleration (ISA) and Microsoft Small Business Server could allow a remote attacker to perform cache poisoning, caused by improper handling of HTTP headers.

By sending multiple Content-Length headers along with specially crafted requests, a remote attacker could poison the vulnerable server’s cache. A remote attacker could exploit this vulnerability to bypass policy restrictions or redirect users to unexpected content.

Note: For a remote attacker to exploit this vulnerability, the server must have multiple Web sites published. Cache poisoning is limited to the IP address or domain name of the target server.

More information:

IBM X-Force: Microsoft ISA Server HTTP header cache poisoning (http://www.iss.net/security_center/static/20842.php)

CVE-2005-1215 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1215)

HTTP_RPC_Connect

Detects an RPC request tunneled over HTTP. While this signature does not indicate an attack on your network, it does indicate traffic that might be considered suspicious in some network and service configurations.

Known false positives: This event will fire any time that the algorithm conditions are met. However, make sure the connections are coming from trusted hosts.

More information:

IBM X-Force: RPC request tunneled over HTTP has been detected (http://www.iss.net/security_center/static/15762.php)

HTTP_Unknown_Protocol

Detects a three-way handshake on port 80, followed by a non-HTTP-compliant request, followed by a non-HTTP-compliant response.

Known false negatives: If a tunnelling application uses valid HTTP protocol to deliver content (for example, by using the POST method), then this signature will not trigger.

More information:

IBM X-Force: HTTP unknown protocol (http://www.iss.net/security_center/static/21259.php)

HTTP_URLscan

Detects URL requests used by certain vulnerability scanners that an attacker might use to scan your network for vulnerabilities.

More information:

IBM X-Force: HTTP URL scan (http://www.iss.net/security_center/static/8534.php)


HTTPS_Apache_ClearText_DoS

Detects an unencrypted HTTP request on port 443 that might cause the Apache Web server to stop responding or return a response that is not valid.

More information:

IBM X-Force: Apache mod_ssl custom error message denial of service (http://www.iss.net/security_center/static/24008.php)

CVE-2005-3357 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357)

JSON_Hijacking

Detects an attempt to redefine the global Array() or Object() constructors in JavaScript. This technique typically indicates an attempt to intercept private JSON-encoded information from the user’s session with another Web site.

Known false positives: Rarely, non-malicious Web developers write non-portable JavaScript that overrides the Array or Object constructors in a way that is difficult to distinguish from exploit code.

More information:

IBM X-Force: Multiple vendor JavaScript Object Notation information disclosure (http://www.iss.net/security_center/static/34445.php)

CVE-2007-2385 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2385)


Configuring responses to prevent Miscellaneous attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Miscellaneous attack on network traffic.

Procedure
1. Click Protection Categories → Miscellaneous in the navigation pane.
2. Set a response for the attack triggered by the Miscellaneous protection category:

If you want to display the security event on the SiteProtector Console, select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.

Note: Look for security events tagged with webapplicationsecurity.

If you want to block the attack, select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.


Path Traversal attacks

This type of attack forces access to files, directories, and commands that are located outside the Web document root directory or CGI root directory.

About this attack

An attacker can exploit a URL in a way that the Web site executes or discloses contents of files on the Web server. Even though most Web sites restrict user access to the Web document root or CGI root directory, an attacker can gain access to these directories by using special character sequences.

The ../ sequence is a common sequence used by an attacker to access files or to execute commands on the file system. Even though most Web servers will prevent this technique from escaping the Web document root, you will want to check for the following alternate encodings of this sequence used to bypass security filters:

• Valid and non-valid Unicode-encoding (..%u2216 or ..%c0%af) of the forward slash character
• Back slash characters (..\) on Windows-based servers
• URL encoded characters such as %2e%2e%2f
• Double URL encoding (..%255c) of the back slash character
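As an added example of the check the list above calls for (example code written for this guide's reader; it is not the Proventia product's decoder and the guide does not describe the product's internals), the following Python function undoes the listed encodings in rounds, so that double encoding such as ..%255c unwinds to a back slash, and then resolves the path segments to decide whether the request climbs above the document root. Treating %u2216 as a path separator follows the guide's listing; the bound on decode rounds is this example's own choice.

```python
import re
from urllib.parse import unquote

# Added example (not Proventia product code): normalise the alternate
# encodings of the ../ sequence listed in the guide before deciding whether
# a request path escapes the document root.  Sample paths are constructed.

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")          # %uXXXX Unicode encoding
_OVERLONG_SLASH = re.compile(r"%c0%af", re.IGNORECASE)    # overlong UTF-8 form of "/"
MAX_DECODE_ROUNDS = 3   # enough to unwind double encoding; bounded on purpose


def decode_path(raw: str) -> str:
    """Repeatedly undo the encodings an attacker may stack on a path."""
    current = raw
    for _ in range(MAX_DECODE_ROUNDS):
        step = _OVERLONG_SLASH.sub("/", current)
        step = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), step)
        # Standard %XX decoding.  %25 becomes "%", so a double-encoded
        # sequence such as %255c is fully unwound on the next round.
        step = unquote(step)
        if step == current:
            break
        current = step
    # U+2216 is listed by the guide as an alternate encoding of the slash;
    # back slashes are separators on Windows-based servers.
    return current.replace("\u2216", "/").replace("\\", "/")


def canonicalize(raw: str):
    """Return (normalised_path, escapes_root) for a raw request path.

    escapes_root is True when a ".." segment tries to climb above the
    document root; the path is still resolved so the caller can log what
    the request would have reached.
    """
    stack = []
    escapes_root = False
    for segment in decode_path(raw).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escapes_root = True
            continue
        stack.append(segment)
    return "/" + "/".join(stack), escapes_root


if __name__ == "__main__":
    # Constructed samples covering each encoding listed in the guide.
    for sample in ("/scripts/..%u2216..%u2216winnt",
                   "/..%c0%af..%c0%afetc/passwd",
                   "/images/..\\..\\boot.ini",
                   "/%2e%2e%2fetc%2fpasswd",
                   "/a/..%255c..%255cb",
                   "/docs/../index.html"):
        print(sample, "->", canonicalize(sample))
```

Decoding is done before the segment walk on purpose: a filter that looks for the literal string `../` in the raw request is exactly what these encodings are designed to slip past, and a single decoding pass still misses the double-encoded form.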

Signatures triggered by this attack

The Web Application Security signatures triggered by Path Traversal attacks include:

Table 18. Path Traversal signatures

Signature name and description

HTTP_Apache_SlashSlash

Detects an HTTP GET followed by a double slash.

More information:

IBM X-Force: Apache GET request directory traversal (http://www.iss.net/security_center/static/13550.php)

CVE-2003-1138 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1138)

HTTP_DotDot

Detects Web requests containing one or more /../ sequences that attempt to navigate above the top of the Web directory hierarchy.

This is often an attempt to bypass the normal security imposed by the Web server and access normally restricted files.

More information:

IBM X-Force: HTTP "dot dot" sequences (http://www.iss.net/security_center/static/106.php)

CVE-1999-0229 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0229)

CVE-2005-3897 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3897)


HTTP_DotDotDot

Detects Web requests containing a /... sequence.

More information:

IBM X-Force: HTTP request contains "dot dot dot" in the URL (http://www.iss.net/security_center/static/8091.php)

HTTP_GET_DotDot_Data

Detects HTTP GET requests that contain ../../../.. in the data.

More information:

IBM X-Force: HTTP "dot dot" sequences (http://www.iss.net/security_center/static/106.php)

CVE-1999-0229 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0229)

HTTP_GET_Dotdotdot_Data

Detects HTTP GET requests that contain /... in the data.

More information:

IBM X-Force: HTTP GET request contains "dot dot dot" (http://www.iss.net/security_center/static/8081.php)

HTTP_Perl_Example_Code

Detects Web requests containing one or more ../.. sequences that attempt to navigate above the top of the Web directory hierarchy and execute an ActiveState Perl program.

More information:

IBM X-Force: Microsoft Internet Information Server (IIS) ActivePerl command execution (http://www.iss.net/security_center/static/16872.php)

HTTP_PhpRocket_Traversal

Detects an HTTP URL which has a query string containing a page= parameter and whose argument contains a directory traversal (../..).

More information:

IBM X-Force: PHP Rocket Add-in for FrontPage "dot dot" directory traversal (http://www.iss.net/security_center/static/7749.php)

CVE-2001-1204 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1204)

HTTP_POST_dotdot_data

Detects a POST command with argument data that contains (../../).

More information:

IBM X-Force: HTTP POST data contains dot dot path (http://www.iss.net/security_center/static/8643.php)

CVE-1999-0883 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0883)


HTTP_POST_dotdotdot_data

Detects HTTP POSTS that contain (/...).

More information:

IBM X-Force: HTTP POST dot dot dot directory traversal (http://www.iss.net/security_center/static/8536.php)

HTTP_POST_JBoss_Traversal

Detects a POST to the JBoss DeploymentFileRepository service object that is attempting to traverse the directory structure.

More information:

IBM X-Force: JBoss Application Server DeploymentFileRepository directory traversal (http://www.iss.net/security_center/static/30376.php)

CVE-2006-5750 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5750)

HTTP_Sunone_Viewlog

Checks for a specially-crafted URL designed to traverse directories and view files.

More information:

IBM X-Force: Sun ONE Directory Server ViewLog function directory traversal (http://www.iss.net/security_center/static/12874.php)

CVE-2003-0676 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0676)

HTTP_URL_BackslashDotDot

Looks for backslash-dot-dot-backslash encoded as hexadecimal in the raw URL (%5c%2e%2e%5c).

More information:

IBM X-Force: Apache HTTP Server non-Unix version URL encoded directory traversal (http://www.iss.net/security_center/static/8638.php)

CVE-2002-0661 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661)

HTTP_URL_dotpath

Detects Web requests that contain a /./ sequence. This might indicate an attacker's attempt to evade an intrusion detection system.

More information:

IBM X-Force: HTTP URL contains /./ (slash dot slash) (http://www.iss.net/security_center/static/8638.php)


HTTP_URL_Repeated_Dot

Detects URLs with repeated . (period or dot) characters.

More information:

IBM X-Force: Microsoft IIS malformed URL extension data denial of service (http://www.iss.net/security_center/static/4430.php)

CVE-2000-0408 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0408)
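As an added example that shows which part of a request each Table 18 signature inspects (example code written for this guide's reader; the signature names are the guide's, but the matching logic is this example's own and says nothing about how the product's parser is built), the function below takes a method, a raw URL and an optional POST body and returns the names of the table entries whose stated pattern it matches. Only signatures whose description gives a literal pattern are included; reading the path, the query string and the body as separate fields is this example's interpretation of the descriptions. The sample requests are constructed.

```python
import re
from urllib.parse import parse_qs

# Added example (not Proventia product code): report which Table 18
# signature names fire on one request, using only the literal patterns the
# table states.  Which request component each check reads is this
# example's reading of the descriptions.

_BACKSLASH_DOTDOT = re.compile(r"%5c%2e%2e%5c", re.IGNORECASE)  # HTTP_URL_BackslashDotDot


def match_path_traversal_signatures(method: str, url: str, body: str = "") -> list:
    """Return the Table 18 signature names matched by a single request."""
    method = method.upper()
    path, _, query = url.partition("?")   # raw, still-encoded URL components
    params = parse_qs(query)              # decoded view of the query string
    hits = []

    # Patterns checked against the URL path
    if method == "GET" and path.startswith("//"):
        hits.append("HTTP_Apache_SlashSlash")       # GET followed by a double slash
    if "/../" in path:
        hits.append("HTTP_DotDot")                  # one or more /../ sequences
    if "/..." in path:
        hits.append("HTTP_DotDotDot")               # a /... sequence
    if "/./" in path:
        hits.append("HTTP_URL_dotpath")             # a /./ sequence (IDS evasion)
    if _BACKSLASH_DOTDOT.search(url):
        hits.append("HTTP_URL_BackslashDotDot")     # hex-encoded \..\ in the raw URL

    # Patterns checked against the query string (the "data" of a GET)
    if any("../.." in value for value in params.get("page", [])):
        hits.append("HTTP_PhpRocket_Traversal")     # page= argument containing ../..
    if method == "GET" and "../../../.." in query:
        hits.append("HTTP_GET_DotDot_Data")
    if method == "GET" and "/..." in query:
        hits.append("HTTP_GET_Dotdotdot_Data")

    # Patterns checked against the POST body
    if method == "POST" and "../../" in body:
        hits.append("HTTP_POST_dotdot_data")
    if method == "POST" and "/..." in body:
        hits.append("HTTP_POST_dotdotdot_data")
    return hits


if __name__ == "__main__":
    # Constructed sample requests, one per pattern.
    samples = [
        ("GET", "/cgi-bin/../../etc/passwd", ""),
        ("GET", "//scripts/x", ""),
        ("GET", "/index.php?page=../../etc/passwd", ""),
        ("GET", "/%5C%2E%2E%5Cboot.ini", ""),
        ("POST", "/upload", "file=../../etc/passwd"),
        ("GET", "/index.html", ""),
    ]
    for method, url, body in samples:
        print(method, url, "->", match_path_traversal_signatures(method, url, body))
```

Note that the request with `page=../../etc/passwd` fires HTTP_PhpRocket_Traversal but not HTTP_DotDot, because the traversal sits in the query string rather than the path; when tuning, expect the same request to light up different signatures depending on where the sequence appears.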

Configuring responses to prevent Path Traversal attacks

Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Path Traversal attack on network traffic.

Procedure

1. Click Protection Categories → Path Traversal in the navigation pane.
2. Set a response for the attack triggered by the Path Traversal protection category:

   If you want to...                          Then...

   Display the security event on the          Select the Display check box.
   SiteProtector Console                      The security event is displayed in the Analysis view on the
                                              SiteProtector Console for the agent when it is detected by the
                                              Web Application Security signatures.
                                              Note: Look for security events tagged with webapplicationsecurity.

   Block the attack                           Select the Block check box.
                                              The attack is blocked by dropping all packets on the connection
                                              that triggered the security event.

Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.


Index

A
Access attempt made to Windows NT SAM (Security Accounts Manager) file or its backup 33
agent policies, affected 3
Allow List 26
Allow List entries 26
Apache and IBM HTTP Server Expect header cross-site scripting 21
Apache auth_ldap module multiple format strings 9
Apache GET request directory traversal 63
Apache HTTP server beck exploit 14
Apache HTTP Server Host: header cross-site scripting 21
Apache HTTP Server HTTP GET request denial of service 15
Apache HTTP Server LF (Line Feed) denial of service 15
Apache HTTP Server mod_negotiation HTTP response splitting 58
Apache HTTP Server non-Unix version URL encoded directory traversal 65
Apache HTTP Server server-info request has been detected 29
Apache HTTP Server server-status request has been detected 29
Apache HTTP Server Windows SMB shares information disclosure 30
Apache mod_jk2 HTTP Host header buffer overflow 15
Apache mod_rewrite off-by-one buffer overflow 16
Apache mod_ssl custom error message denial of service 61
Apache Tomcat JK Web Server Connector map_uri_to_worker() buffer overflow 17
Apache Tomcat URL appended with a null character could list directories 28
Apple Mac OS X used with Apache Web server could disclose directory contents 28
attack techniques
    Authentication 8
    Brute Force 11
    Buffer Overflow 14
    Client-side Attacks 20
    Cross-site Request Forgery 25
    Directory Indexing 27
    Information Disclosure 29
    Injection Attacks 36
    Malicious File Execution 54
    Miscellaneous Attacks 57
    Path Traversal 63
Authentication 8
    HTTP_Auth_ContainsBinary 8
    HTTP_Auth_TooLong 8
    HTTP_Authentication_Format_String 9
    HTTP_Authentication 9
    HTTP_IIS_Hit_Highlighting_Auth_Bypass 9
    HTTP_Login_Known_User 9
    HTTPS_ClearText_Session 9
Authentication attack responses
    configuring 10
Authentication signatures 8

B
BEA WebLogic allows users to read source of JSP files 32
Blind SQL Injection 36
Blind XPath Injection 36
Brute Force 11
    HTTP_Forced_Browsing_Probe 12
    HTTP_Hydra_BruteForce 12
Brute Force attack responses
    configuring 13
Brute Force signatures 11
Buffer Overflow 14
    HTTP_Accept_Language_Overflow 14
    HTTP_Apache_DOS 14
    HTTP_Apache_Header_Memory_DoS 15
    HTTP_Apache_JK2_Host_Overflow 15
    HTTP_Apache_LF_Memory_DoS 15
    HTTP_IIS_Tilde_DoS 15
    HTTP_LDAP_Mod_Rewrite_BO 16
    HTTP_Lighttpd_Header_Overflow 16
    HTTP_Netscape_Revlog 16
    HTTP_Oracle2_BO 16
    HTTP_PHPNuke_Index_File 17
    HTTP_PHPNuke_ModulesPhp_DOS 17
    HTTP_PHPNuke_Prefix_Admin 17
    HTTP_POST_repeated_char 17
    HTTP_Tomcat_URI_Overflow 17
    HTTP_URL_repeated_char 18
    HTTP_WebDAV_Long_Rqst_DOS 18
    HTTP_WebDAV_XML_Attribute_DoS 18
    HTTPS_Apache_ClearText_DoS 61
Buffer Overflow attack responses
    configuring 19
Buffer Overflow signatures 14

C
Client-side attack responses
    configuring 24
Client-side attack signatures 20
Client-side Attacks 20, 21, 22
    Cross_Site_Scripting 20
    HTTP_Apache_Expect_XSS 21
    HTTP_Apache_OnError_XSS 21
    HTTP_Cross_Site_Scripting 21
    HTTP_Html_In_Ref 22
    HTTP_HTML_Tag_Injection 22
    HTTP_IFRAME_Tag_Injection 22
    HTTP_MSIS_Script 22
    HTTP_Nfuse_Script 23
    HTTP_POST_Script 23
    HTTP_Share_Point_XSS 23
Cobalt RaQ Web server could reveal user's command history 30
ColdFusion Debugging mode could allow the path to ".cfm" files to be revealed 30
content spoofing 20
Cross_Site_Scripting 20
Cross-site Request Forgery 25
    HTTP_AuthResponse_Possible_CSRF 25
Cross-site Request Forgery attack responses
    configuring 26
CSRF
    See Cross-site Request Forgery
CVE-1999-0107 14
CVE-1999-0229 63, 64
CVE-1999-0280 30
CVE-1999-0408 30
CVE-1999-0509 45, 46, 47
CVE-1999-0725 31
CVE-1999-0751 14, 16
CVE-1999-0853 8
CVE-1999-0883 64
CVE-1999-0953 33
CVE-2000-0408 66
CVE-2000-0499 32
CVE-2000-0630 31
CVE-2000-0942 22
CVE-2000-1104 21
CVE-2000-1239 35
CVE-2001-0250 32
CVE-2001-0251 16
CVE-2001-0508 18
CVE-2001-1025 17
CVE-2001-1032 33
CVE-2001-1204 64
CVE-2001-1232 32
CVE-2001-1236 54
CVE-2001-1446 28
CVE-2001-1222 34
CVE-2002-0186 41
CVE-2002-0187 41
CVE-2002-0206 17
CVE-2002-0504 23
CVE-2002-0661 65
CVE-2002-1783 54
CVE-2003-0042 28
CVE-2003-0132 15
CVE-2003-0676 65
CVE-2003-0718 18
CVE-2003-1138 63
CVE-2004-0197 48
CVE-2004-0942 15
CVE-2004-1020 33
CVE-2005-1215 60
CVE-2005-2379 21
CVE-2005-3357 9, 61
CVE-2005-3897 63
CVE-2005-4360 15


CVE-2006-0032 21
CVE-2006-0150 9
CVE-2006-0816 32
CVE-2006-3747 16
CVE-2006-3918 21
CVE-2006-5750 65
CVE-2007-0774 17
CVE-2007-0939 22
CVE-2007-1499 21
CVE-2007-2385 61
CVE-2007-2581 23
CVE-2007-6258 15
CVE-2007-6514 30
CVE-2008-0456 58
CWE-425 12

D
Directory Indexing 27
    HTTP_Apache_Macros_dir 27, 28
    HTTP_Tomcat_Nulllist 27, 28
Directory Indexing attack responses
    configuring 28
Directory Indexing signatures 27

E
Enable Client Protection setting 24

F
firmware, affected 3
Forceful Browsing 11
Format String Attack 36

G
Global Tuning Parameters policy 3
Global Tuning Parameters Shared Object policy 2

H
HP Rocket Add-in for FrontPage "dot dot" directory traversal 64
HTTP "dot dot" sequences 63, 64
HTTP Acunetix WVS scan detected 57
HTTP authentication 9
HTTP CRLF injection detected 58
HTTP Cross-Site Request Forgery attempt detected 25
HTTP cross-site scripting attempt detected 20
HTTP field contains binary characters 59
HTTP GET contains compute%sum 37
HTTP GET contains create%table 37
HTTP GET contains group%by 38, 39
HTTP GET request contains "dot dot dot" 64
HTTP HTML tag injection attempt detected 22
HTTP IFRAME tag injection attempt detected 22
HTTP known user login name 9
HTTP PHP script injection attempt detected 54
HTTP POST command contains SQL command shell request 45
HTTP POST contains compute%sum 41
HTTP POST contains create%table 42
HTTP POST contains group%by 42
HTTP POST contains malicious script 23
HTTP POST contains repeated characters 17
HTTP POST data contains dot dot path 64
HTTP POST dot dot dot directory traversal 65
HTTP Referer Header tag detected 22
HTTP request contains "dot dot dot" in the URL 64
HTTP request contains binary data 8
HTTP requests with multiple fields containing binary data 59
HTTP Response Smuggling 57, 58
HTTP Response Splitting 57, 58
HTTP server CONNECT method used to bypass filtering 58
HTTP server identity audit 34
HTTP Server Side Include injection attempt detected 55
HTTP SQL "OPENROWSET" statement usage 38, 43
HTTP SQL "UNIONALLSELECT" statement usage 39, 44
HTTP SQL "UNIONSELECT" statement usage 40, 44
HTTP SQL "WAITFORDELAY" statement usage 40, 44
HTTP SQL Injection CONVERT statement usage 38, 42, 55
HTTP SQL injection SELECT statement usage 43
HTTP unencrypted CONNECT security bypass 34
HTTP unknown protocol 60
HTTP URL contains /./ (slash dot slash) 65
HTTP URL contains an SQL xp_cmdshell command shell request 40
HTTP URL contains repeated characters 18
HTTP URL scan 60
HTTP_Accept_Language_Overflow 14
HTTP_Acunetix_WVS_Scan 57
HTTP_Alternates_Corrupt 58
HTTP_Apache_DOS 14
HTTP_Apache_Expect_XSS 21
HTTP_Apache_Header_Memory_DoS 15
HTTP_Apache_JK2_Host_Overflow 15
HTTP_Apache_LF_Memory_DoS 15
HTTP_Apache_Macros_dir 28
HTTP_Apache_OnError_XSS 21
HTTP_Apache_ServerInfo 29
HTTP_Apache_ServerStatus 29
HTTP_Apache_SlashSlash 63
HTTP_Apache_Trailing_Slash 30
HTTP_Auth_ContainsBinary 8
HTTP_Auth_TooLong 8
HTTP_Authentication 9
HTTP_Authentication_Format_String 9
HTTP_AuthResponse_Possible_CSRF 25
HTTP_Bash_Shell_History 30
HTTP_ColdFusion_Debu 30
HTTP_Connect_Proxy_Bypass_SMTP 58
HTTP_Content_Length_Invalid 58
HTTP_CRLF_Injection_Response_Splitting 58
HTTP_Cross_Site_Scripting 21
HTTP_DotDot 63
HTTP_DotDotDot 64
HTTP_Field_With_Binary 59
HTTP_Fields_With_Binary 59
HTTP_FileTypeLnk 30
HTTP_FileTypeUrl 30
HTTP_Forced_Browsing_Probe 12
HTTP_FrontPage_Authors 31
HTTP_FrontPage_PWD 31
HTTP_GET_ComputeSum 37
HTTP_GET_CreateTable 37
HTTP_GET_DotDot_Data 64
HTTP_GET_Dotdotdot_Data 64
HTTP_GET_GroupBy 38
HTTP_GET_SQL_Convert_Int 38
HTTP_GET_SQL_OpenRowSet 38
HTTP_GET_SQL_Select_Count 39
HTTP_GET_SQL_Select_Top_1 39
HTTP_GET_SQL_UnionAllSelect 39
HTTP_GET_SQL_UnionSelect 40
HTTP_GET_SQL_WaitForDelay 40
HTTP_GET_XP_Cmdshell 40
HTTP_GETargscript 21
HTTP_Html_In_Ref 22
HTTP_HTML_Tag_Injection 22
HTTP_Hydra_BruteForce 11, 12
HTTP_IFRAME_Tag_Injection 22
HTTP_IIS_Hit_Highlighting_Auth_Bypass 9
HTTP_IIS_MSSQL_xml 41
HTTP_IIS_MSSQL_XML_Script 41
HTTP_IIS_Obtain_Code 31
HTTP_IIS_Tilde_DoS 15
HTTP_IIS_Track 31
HTTP_IIS_Trailing_Incomplete_Unicode 31
HTTP_JSP_SourceRead 32
HTTP_LDAP_Mod_Rewrite_BO 16
HTTP_Lighttpd_Header_Overflow 16
HTTP_Login_Known_User 9
HTTP_MCMS_CrossSiteScripting 22
HTTP_Microsoft_Error_Report 32
HTTP_MSIS_Script 22
HTTP_Netscape_List_Directories 32
HTTP_Netscape_Revlog 16
HTTP_Netware_DirList 32
HTTP_Nfuse_Script 23
HTTP_Oracle2_BO 16
HTTP_Orion_JSP_SourceRead 32
HTTP_Passwd_Txt 33
HTTP_Perl_Example_Code 64
HTTP_PHP_Addslashes_ViewFiles 33
HTTP_PHP_CRLF_Injection 54
HTTP_PHP_Includedir 54
HTTP_PHP_Script_Injection 54
HTTP_PHP_Transfer_XSS 55
HTTP_PHPNuke_Admin_Overwrite 33
HTTP_PHPNuke_Index_File 17
HTTP_PHPNuke_ModulesPhp_DOS 17
HTTP_PHPNuke_Prefix_Admin 17
HTTP_POST_ComputeSum 41
HTTP_POST_CreateTable 42


HTTP_POST_dotdot_data 64
HTTP_POST_dotdotdot_data 65
HTTP_POST_Filename_passwd 33
HTTP_POST_Filename_sam 33
HTTP_POST_GroupBy 42
HTTP_POST_JBoss_Traversal 65
HTTP_POST_repeated_char 17
HTTP_POST_Script 23
HTTP_POST_SQL_Convert_Int 42
HTTP_POST_SQL_OpenRowSet 43
HTTP_POST_SQL_Select_Count 43
HTTP_POST_SQL_Select_Top_1 43
HTTP_POST_SQL_UnionAllSelect 44
HTTP_POST_SQL_UnionSelect 44
HTTP_POST_SQL_WaitForDelay 44
HTTP_POST_XP_Cmdshell 45
HTTP_Proxy_Cache_Poisoning 60
HTTP_PsaPhp_RevealSource 34
HTTP_RPC_Connect 60
HTTP_Server_ID 34
HTTP_Server_Side_Include_Injection 55
HTTP_Share_Point_XSS 23
HTTP_Shells_C 45
HTTP_Shells_Ksh 45
HTTP_Shells_Perl 46
HTTP_Shells_Perl_Exe 46
HTTP_Shells_Rksh 46
HTTP_Shells_Sh 47
HTTP_Shells_Tcsh 47
HTTP_Sunone_Viewlog 65
HTTP_Tomcat_Nulllist 28
HTTP_Tomcat_URI_Overflow 17
HTTP_Tunnel_Not_TLS_or_SSL 34
HTTP_Unix_Passwords 34
HTTP_Unknown_Protocol 60
HTTP_URL_BackslashDotDot 65
HTTP_URL_dotpath 65
HTTP_URL_repeated_char 18
HTTP_URL_Repeated_Dot 66
HTTP_URLscan 60
HTTP_WebDAV_Long_Rqst_DOS 18
HTTP_WebDAV_XML_Attribute_DoS 18
HTTPS_Apache_ClearText_DoS 61
HTTPS_ClearText_Session 9
HTTPS_Proxy_Info_Disclosure 34

I
IBM Tivoli LCF httpd can be used to remotely access files as root 35
IBM X-Force: Microsoft ISA Server HTTP header cache poisoning 60
Information Disclosure 29
    HTTP_Apache_ServerInfo 29
    HTTP_Apache_ServerStatus 29
    HTTP_Apache_Trailing_Slash 30
    HTTP_Bash_Shell_History 30
    HTTP_ColdFusion_Debu 30
    HTTP_FileTypeLnk 30
    HTTP_FileTypeUrl 30
    HTTP_FrontPage_Authors 31
    HTTP_FrontPage_PWD 31
    HTTP_IIS_Obtain_Code 31
    HTTP_IIS_Track 31
    HTTP_IIS_Trailing_Incomplete_Unicode 31
    HTTP_JSP_SourceRead 32
    HTTP_Microsoft_Error_Report 32
    HTTP_Netscape_List_Directories 32
    HTTP_Netware_DirList 32
    HTTP_Orion_JSP_SourceRead 32
    HTTP_Passwd_Txt 33
    HTTP_PHP_Addslashes_ViewFiles 33
    HTTP_PHPNuke_Admin_Overwrite 33
    HTTP_POST_Filename_passwd 33
    HTTP_POST_Filename_sam 33
    HTTP_PsaPhp_RevealSource 34
    HTTP_Server_ID 34
    HTTP_Tunnel_Not_TLS_or_SSL 34
    HTTP_Unix_Passwords 34
    HTTPS_Proxy_Info_Disclosure 34
    Tivoli_LCF_File_Read 35
Information Disclosure attack responses
    configuring 35
Information Disclosure signatures 29
Injection attack responses
    configuring 50
Injection attack signatures 36
Injection Attacks 36
    HTTP_GET_ComputeSum 37
    HTTP_GET_CreateTable 37
    HTTP_GET_GroupBy 38
    HTTP_GET_SQL_Convert_Int 38
    HTTP_GET_SQL_OpenRowSet 38
    HTTP_GET_SQL_Select_Count 39
    HTTP_GET_SQL_Select_Top_1 39
    HTTP_GET_SQL_UnionAllSelect 39
    HTTP_GET_SQL_UnionSelect 40
    HTTP_GET_SQL_WaitForDelay 40
    HTTP_GET_XP_Cmdshell 40
    HTTP_IIS_MSSQL_xml 41
    HTTP_IIS_MSSQL_XML_Script 41
    HTTP_POST_ComputeSum 41
    HTTP_POST_CreateTable 42
    HTTP_POST_GroupBy 42
    HTTP_POST_SQL_Convert_Int 42
    HTTP_POST_SQL_OpenRowSet 43
    HTTP_POST_SQL_Select_Count 43
    HTTP_POST_SQL_Select_Top_1 43
    HTTP_POST_SQL_UnionAllSelect 44
    HTTP_POST_SQL_UnionSelect 44
    HTTP_POST_SQL_WaitForDelay 44
    HTTP_POST_XP_Cmdshell 45
    HTTP_Shells_C 45
    HTTP_Shells_Ksh 45
    HTTP_Shells_Perl 46
    HTTP_Shells_Perl_Exe 46
    HTTP_Shells_Rksh 46
    HTTP_Shells_Sh 47
    HTTP_Shells_Tcsh 47
    LDAP_Injection 47
    Shell_Command_Injection 47
    SQL_Injection 48
    SQL_Jet_Query_Overflow 48
    XPATH_Injection 49

J
JBoss Application Server DeploymentFileRepository directory traversal 65
JSON Hijacking 57
JSON_Hijacking 61

L
LDAP Injection 36
LDAP_Injection 47
lighttpd mod_fastcgi code execution 16

M
Malicious File Execution 54
    HTTP_PHP_CRLF_Injection 54
    HTTP_PHP_Includedir 54
    HTTP_PHP_Script_Injection 54
    HTTP_PHP_Transfer_XSS 55
    HTTP_Server_Side_Include_Injection 55
Malicious File Execution attack responses
    configuring 55
Malicious File Execution signatures 54
Microsoft Content Management Server (MCMS) HTTP request cross-site scripting 22
Microsoft FrontPage Extensions administrators.pwd file could reveal encrypted passwords 31
Microsoft FrontPage Extensions authors.pwd file could reveal encrypted passwords 31
Microsoft IIS .htw cross scripting 22
Microsoft IIS allows remote attackers to obtain source code fragments using +.htr 31
Microsoft IIS Cross-Site Scripting 21
Microsoft IIS Hit-highlighting security bypass 9
Microsoft IIS malformed URL extension data denial of service 66
Microsoft IIS using double-byte code pages could allow remote attackers to retrieve source code 31
Microsoft IIS WebDAV long invalid request denial of service 18
Microsoft Internet Explorer 3.0 allows remote command execution 30
Microsoft Internet Explorer 5.5 index.dat file can be used to remotely execute code 21
Microsoft Internet Explorer HTTPS proxy authentication information disclosure 34
Microsoft Internet Information Server (IIS) ActivePerl command execution 64
Microsoft Internet Information Server (IIS) fails to properly log HTTP TRACK requests 31
Microsoft Internet Information Server WebDAV multiple attributes per XML elements cause denial of service 18
Microsoft Internet Information Services URL parser buffer overflow 15
Microsoft Jet Database Engine query could execute code 48
Microsoft SharePoint Server default.aspx PATH_INFO cross-site scripting 23
Microsoft SQL Server SQLXML ISAPI buffer overflow 41
Microsoft SQL Server SQLXML XML tag script injection 41


Microsoft Windows error report transmission detected 32
Miscellaneous attack responses
    configuring 62
Miscellaneous attack signatures 57
Miscellaneous Attacks 57, 59, 60
    HTTP_Acunetix_WVS_Scan 57
    HTTP_Alternates_Corrupt 58
    HTTP_Connect_Proxy_Bypass_SMTP 58
    HTTP_Content_Length_Invalid 58
    HTTP_CRLF_Injection_Response_Splitting 58
    HTTP_Field_With_Binary 59
    HTTP_Unknown_Protocol 60
    HTTP_URLscan 60
    JSON_Hijacking 61
Multiple vendor JavaScript Object Notation information disclosure 61
Multiple vendor open-source PHP projects could allow remote command execution 54

N
Nessus Hydra plugin brute force detected 12
Netscape Enterprise and Fasttrack authentication buffer overflow 8
Netscape Enterprise Server allows remote directory listing 32
Netscape Enterprise Server contains a buffer overflow in its handling of Accept headers 14
Netscape Enterprise Server REVLOG denial of service 16
Novell NetWare GET allows directory listing 32

O
Oracle Application Server emagent.exe buffer overflow 16
Orion Application Server JSP source code disclosure 32
OS Commanding 36

P
pam.http.binary.count 59
pam.http.binary.fieldcount 59
pam.http.binary.fieldlength 59
pam.http.header.contspace.limit 15
pam.http.lighttpd.hdr.limit 16
pam.http.maxaccept 14
pam.injection.argument.token.limit 50
pam.injection.http.headers.enabled 49
pam.injection.http.hostpath.enabled 49
pam.injection.param.ignore 49
pam.injection.shell.pedantic 52
pam.injection.shellcommand.score 52
pam.injection.sql.boolean.triggers 52
pam.injection.sql.chaff.limit 51
pam.injection.sql.pedantic 51
pam.injection.sql.score 51
pam.name.maxrepeatedchar 18
pam.parser.argument.injection.enabled 49
Parameter Names to Ignore for Protection List 24, 50, 55
    entries 24, 50, 55
passwd file accessed 33, 34
Path Traversal 63, 64
    HTTP_Apache_SlashSlash 63
    HTTP_DotDot 63
    HTTP_DotDotDot 64
    HTTP_GET_DotDot_Data 64
    HTTP_GET_Dotdotdot_Data 64
    HTTP_Perl_Example_Code 64
    HTTP_POST_dotdot_data 64
    HTTP_POST_dotdotdot_data 65
    HTTP_POST_JBoss_Traversal 65
    HTTP_Sunone_Viewlog 65
    HTTP_URL_BackslashDotDot 65
    HTTP_URL_dotpath 65
    HTTP_URL_Repeated_Dot 66
Path Traversal attack responses
    configuring 66
Path Traversal signatures 63
PHP addslashes view files 33
PHP fopen() and file() CRLF injection 54
PHP-Nuke $prefix variable could allow a remote attacker to gain administrative access 17
PHP-Nuke admin.php could allow remote attackers to upload and overwrite files 33
PHP-Nuke index.php allows remote attackers to execute arbitrary commands from an included file 17
PHP-Nuke modules.php remote denial of service 17
Plesk Server Administrator (PSA) reveals PHP source code 34
preface ix
protection domain 5
protection domains 3
Protection Domains Shared Object policy 2

R
RPC request tunneled over HTTP has been detected 60

S
Security Events policy 2, 3
Sensor Properties policy 3
Shell command injection attempt detected 47
Shell interpreters can be used to execute commands on Web servers 45, 46, 47
Shell Pedantic 52
Shell Score 52
Shell_Command_Injection 47
SQL Boolean Triggers 52
SQL Chaff Limit 51
SQL Injection 36
SQL Injection affects multiple database-backed applications 48
SQL Injection parameters
    pam.injection.argument.token.limit 50
    pam.injection.shell.pedantic 52
    pam.injection.shellcommand.score 52
    pam.injection.sql.boolean.triggers 52
    pam.injection.sql.chaff.limit 51
    pam.injection.sql.pedantic 51
    pam.injection.sql.score 51
    Shell Pedantic 52
    Shell Score 52
    SQL Boolean Triggers 52
    SQL Chaff Limit 51
    SQL Pedantic 51
    SQL Score 51
    SQL Token Limit 50
SQL injection SELECT count detected 39, 43
SQL Pedantic 51
SQL Score 51
SQL Token Limit 50
SQL_Injection 48
SQL_Jet_Query_Overflow 48
SSI Injection 36
Sun ONE Directory Server ViewLog function directory traversal 65

T
Tivoli_LCF_File_Read 35

U
Unencrypted HTTP traffic over SSL has been detected 9

V
virtualSensor attribute 3

W
Weak Password Recovery Validation 8
Web application forced browsing probe detected 12
Web Application Security
    agent policies, affected 3
    enabling settings for 5
    firmware, affected 3
    Global Tuning Parameters Shared Object policy 2
    policy permissions 5
    process overview 2
    protection domain 5
    Protection Domains Shared Object policy 2
    Security Events policy 2
    supported agents 3
Web applications
    adding to protection domain 5
webapplicationsecurity 2, 3, 5
WWWBoard's administrator password file is remotely accessible 33


X
XPath Injection 36
XPath injection attempt detected 49
XPATH_Injection 49
XSRF
    See Cross-site Request Forgery
XSS
    See cross-site scripting


Printed in USA