Use the sample entry from an Apache web server log below to answer the following questions.
10.10.0.2 - - [1/Jan/2020:10:02:45 +0000] “GET /login.php?username=admin&password=password&submit=TRUE HTTP/1.1 302
i. Identify the key information in this message and briefly describe what this log entry is telling you?
ii. What security threat or vulnerability can you see from this log entry?
iii. How might this cause harm?
iv. Suggest how the website developer or administrator might mitigate this threat or vulnerability?
Please find the answer for the given question.
Answer i:
The given log entry "10.10.0.2 - - [1/Jan/2020:10:02:45 +0000] “GET /login.php?username=admin&password=password&submit=TRUE HTTP/1.1 302" breaks down as follows:
10.10.0.2 - It is the IP address of the client.
The next two hyphens mean:
1st "-": The identity of the client machine is hidden here, hence "-" is used.
2nd "-": The user ID of the client is hidden, since it is not authenticated.
[1/Jan/2020:10:02:45 +0000] - The time at which the client request is received.
GET /login.php?username=admin&password=password&submit=TRUE HTTP/1.1 - It denotes the HTTP request method the client used, and HTTP/1.1 is the HTTP version.
More info: Here it is a GET request from the web page "login.php" with the parameters username and password, and submit is set to TRUE.
302 - It is the status code which is sent back to the client from the server. Here 302 refers to "Found".
Answer II:
From the given log we can identify the client machine's username and password, which paves the way for attackers to intrude into their network/machine.
Answer III:
Since the username and password are visible to the outside world, security is at risk: anyone who knows the username/password can break in and cause issues.
Answer IV:
The developer can encrypt the username and password and pass them with the HTTP GET request; with this approach we can protect the client machine's details from becoming vulnerable to such attacks.
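A log-review check for the entry discussed above, as an added example that is not part of the original question or answer: it parses access-log lines, flags requests whose query string carries a password-like parameter, and produces a redacted form of the request target. The parameter-name list and the two extra log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed list of parameter names treated as secrets (not from the page).
SENSITIVE = {"password", "passwd", "pwd", "pass", "token", "secret"}

# Common Log Format; tolerates the curly/missing quotes and absent size
# field seen in the page's sample entry.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'["\u201c](?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)["\u201d]? '
    r'(?P<status>\d{3})(?: (?P<size>\S+))?$'
)

# The entry from the question, kept as it appears on the page.
PAGE_ENTRY = ('10.10.0.2 - - [1/Jan/2020:10:02:45 +0000] \u201cGET '
              '/login.php?username=admin&password=password&submit=TRUE HTTP/1.1 302')
# Constructed lines for contrast: a POST login and an ordinary page view.
CONSTRUCTED = [
    '10.10.0.7 - - [1/Jan/2020:10:03:10 +0000] "POST /login.php HTTP/1.1" 302 0',
    '10.10.0.9 - - [1/Jan/2020:10:04:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
]

def audit(line):
    """Return a finding if the request target exposes a secret, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    parts = urlsplit(m["target"])
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    exposed = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not exposed:
        return None
    # Rebuild the query with secret values masked so the finding is safe to share.
    safe = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE else v)
                      for k, v in pairs])
    return {"host": m["host"], "time": m["time"], "method": m["method"],
            "status": m["status"], "params": exposed,
            "redacted_target": f"{parts.path}?{safe}"}

def scan(lines):
    """Audit every line and keep only the findings."""
    return [f for f in map(audit, lines) if f]

if __name__ == "__main__":
    for finding in scan([PAGE_ENTRY] + CONSTRUCTED):
        print(finding)
```

Only the page's entry is reported; the POST request carries no query string, so nothing sensitive reaches the access log.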