A chronological record of the events that occurred as part of a sequence or a business process is known as an audit trail. The term audit trail is usually used in the financial world to express a documented record of a sequence of events. However, the concept applies equally to security: security events have a chronological order that must be preserved, and the logs from each system serve as the documentary record that the event occurred.
9.1.3 Need for Web Application Security Logging
Web applications, like any other system in the network, need to be capable of generating useful security logs. Security logs are the primary source of evidence in an investigation following a breach or a suspected compromise. Moreover, mission-critical Web applications need to generate security logs that are actively monitored, so that even the slightest security anomaly is identified and investigated. For instance, if an attacker tries to bypass the application's authentication mechanism by brute-forcing passwords, and the Web application records each access attempt, then the source of the attempts and the accounts being targeted can be ascertained by the team monitoring such security events. Another instance would be a large volume of traffic from a single source IP address containing requests with JavaScript XSS vectors; it is then clear that the source of those vectors is attempting XSS attacks against the application.
Web application security logging has often been regarded as overhead and unnecessary because of its volume and its performance cost. Logs for a Web application may run into several gigabytes of data in a matter of days. However, it must be noted that effective Web application logging is the only reliable means of detecting breaches or attempted breaches of the Web application.
While detecting compromise is one of the motivating factors behind Web application logs, the logs also help detect flaws in the application's security functionality. For example, through analysis of the Web application's request and response logs, the organization may be able to find flaws in its input validation. If test requests contain XSS vectors and the responses come back with HTTP 200 OK, it is possible that the application's input validation is weak; a 200 response alone does not prove that the vector was reflected, so the response body should be inspected to confirm it. Similarly, if an application is being tested for SQL injection and the responses are HTTP 500 Internal Server Errors, it is likely that the crafted SQL is reaching the database and being parsed, and that the validation is not adequate. Either pattern warrants further investigation of the validation logic.
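The detection described in this section (brute-force attempts from one source, XSS vectors from one IP, XSS requests answered 200 OK and SQL-injection-looking requests answered 500) is easy to automate once the logs exist. The following is an added example written for this page, not code from the original text or from any product. It parses access-log lines in the standard "combined" format; the sample lines, the signature regexes, the `/login` path, the 401-means-failed-login rule and the brute-force threshold are all assumptions of the example.

```python
"""Correlating web access-log lines for the anomalies described in 9.1.3.

Added example: the log lines below are constructed for illustration and use
RFC 5737 documentation addresses. Paths, thresholds and signatures are
assumptions of this example, not a reference to any real application.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log: one client hammers the login form, a second sends
# XSS and SQL-injection probes, a third is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:11 +0000] "GET /search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:12 +0000] "GET /product?id=1%27+OR+%271%27%3D%271 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Oct/2023:13:57:00 +0000] "GET /product?id=42 HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
# Crude signatures for the two attack classes the text mentions. Real vectors
# are far more varied; these are only enough to show the correlation logic.
XSS_RE = re.compile(r'<\s*script|on\w+\s*=|javascript:', re.I)
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+'?\d|union\s+select|--\s*$", re.I)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        # Decode percent-encoding and '+' so the signatures see what the app saw.
        ev["decoded"] = unquote_plus(ev["target"])
        events.append(ev)
    return events


def analyze(events, login_path="/login", brute_threshold=5):
    """Return four findings keyed by name.

    brute_force          sources with >= brute_threshold failed logins
    xss_sources          sources that sent XSS vectors, with counts
    weak_xss_validation  XSS requests answered 200 OK (input may be reflected)
    sqli_suspects        SQL-injection-looking requests answered 500
    Assumption: a failed login is a POST to login_path answered 401. Many
    applications answer 200 with an error page instead, which is exactly why an
    application security log recording the authentication outcome beats a bare
    access log for this purpose.
    """
    failed_logins, xss_sources = Counter(), Counter()
    weak_xss, sqli = [], []
    for ev in events:
        if ev["method"] == "POST" and ev["target"] == login_path and ev["status"] == 401:
            failed_logins[ev["ip"]] += 1
        if XSS_RE.search(ev["decoded"]):
            xss_sources[ev["ip"]] += 1
            if ev["status"] == 200:
                weak_xss.append((ev["ip"], ev["target"]))
        if SQLI_RE.search(ev["decoded"]) and ev["status"] == 500:
            sqli.append((ev["ip"], ev["target"]))
    return {
        "brute_force": {ip: n for ip, n in failed_logins.items() if n >= brute_threshold},
        "xss_sources": dict(xss_sources),
        "weak_xss_validation": weak_xss,
        "sqli_suspects": sqli,
    }


if __name__ == "__main__":
    for name, value in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

On the sample, the brute-force finding names 203.0.113.5 with five failed logins, 198.51.100.7 is reported both as an XSS source and for two XSS requests answered 200, and its quoted `OR '1'='1` probe answered 500 lands in the SQL-injection list. The 200-OK entries are leads for inspecting the response bodies, not proof of a reflected XSS flaw.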
Some argue that an organization does not need Web application logging if it has deployed an intrusion detection system (IDS) or intrusion prevention system (IPS) on the network, since such a device captures traffic and raises an alarm on any malicious traffic it detects, and so serves the same purpose as a logging mechanism. The effectiveness of this approach is, however, highly debatable. First, network-based IDS and IPS devices are traditionally designed to work at the packet and TCP/IP stream level, whereas HTTP sits at the top of the protocol stack. Their reconstruction of the application layer may therefore miss intricate HTTP request and response details such as the HTTP method, cookies, JavaScript, XML, and so on. Another major drawback is that an IDS/IPS captures network traffic as a raw dump and does not record the specific, application-aware details that a Web application logging system can be designed and configured to capture, such as which user account an authentication attempt was made against. Finally, HTTP traffic that is encrypted with TLS is not decipherable at the network level unless the device terminates the TLS session or is given the keys, which makes the IDS/IPS an ineffective substitute for application logging.