Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
26 lines (13 sloc) 1.5 KB

#Internet-Facing HTTP Request Analysis

Purpose: Identify common patterns of HTTP-based attacks

Data Required: Internet-facing HTTP server logs

Collection Considerations:

Analysis Techniques: Stack counting, Visualization, Outlier detection


Stack server logs by (Src IP, HTTP server, URI) tuples and look for repeated requests for the same resource. Large numbers of request could indicate:

  • Attempts to create a working exploit for a supposed vulnerability
  • Attempts to use a web shell embedded in the web content directory

Using a priori knowledge or by examining file extensions, Identify URI resources that are likely to contain calls to SQL (or similar) backend application layers. For each unique URI, gather all the the values for the HTTP response sizes. Using visualization or statistical outlier detection of the response sizes,

  • identify those which are significantly larger than the others. These may be indicators of successful SQL injection (e.g., database dumps or other unusual information being sent via the HTTP responses).

Other Notes

Using the response sizes, also identify those which are significantly smaller than the others. These may be indicators of injection errors that cause the app to exit prematurely and send less data than normal. Or maybe those which are bigger, indicating success! Regardless, repeated requests for the same resource probably would result in similar-sized responses, so significant variations would be interesting the look into.