IBM Proventia Web Application Security

IBM Proventia Web Application Security
Configuration Guide
Version 1.0
Copyright statement
© Copyright IBM Corporation 2009, 2009.
U.S. Government Users Restricted Rights — Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Publication Date: July 2009
Trademarks and disclaimer
IBM® and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME™, Ahead of the threat, BlackICE™, Internet Scanner®, Proventia®, RealSecure®, SecurePartner™, SecurityFusion™, SiteProtector™, System Scanner™, Virtual Patch®, X-Force® and X-Press Update are trademarks or registered trademarks of Internet Security Systems™, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.
Microsoft®, Windows®, and Windows NT® are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than IBM Internet Security Systems (IBM ISS). Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. IBM Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall IBM ISS be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if IBM Internet Security Systems has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by IBM Internet Security Systems. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM Internet Security Systems, and shall not be used for advertising or product endorsement purposes.
Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents IBM Internet Security Systems, Inc. from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email message with the topic name, link, and its behavior to mailto://support@iss.net.
© Copyright IBM Corp.2009,2009
iii
iv
Proventia Web Application Security:Configuration Guide
Contents
Trademarks and disclaimer . . . . . iii
Tables . . . . . vii
About this publication . . . . . ix
Chapter 1. About Web application security . . . . . 1
  Process overview . . . . . 2
  Supported agents and affected policies . . . . . 3
  Adding Web applications to a protection domain . . . . . 5
Chapter 2. Web application security categories . . . . . 7
  Authentication attacks . . . . . 8
    Configuring responses to prevent Authentication attacks . . . . . 10
  Brute Force attacks . . . . . 11
    Configuring responses to prevent Brute Force attacks . . . . . 13
  Buffer Overflow attacks . . . . . 14
    Configuring responses to prevent Buffer Overflow attacks . . . . . 19
  Client-side attacks . . . . . 20
    Configuring responses and client protection to prevent Client-side attacks . . . . . 24
  Cross-site Request Forgery (CSRF) attacks . . . . . 25
    Configuring responses and tuning parameters to prevent Cross-site Request Forgery attacks . . . . . 26
  Directory Indexing attacks . . . . . 27
    Configuring responses to prevent Directory Indexing attacks . . . . . 28
  Information Disclosure attacks . . . . . 29
    Configuring responses to prevent Information Disclosure attacks . . . . . 35
  Injection attacks . . . . . 36
    Configuring responses and tuning parameters to prevent Injection attacks . . . . . 50
  Malicious File Execution attacks . . . . . 54
    Configuring responses and tuning parameters to prevent Malicious File Execution attacks . . . . . 55
  Miscellaneous attacks . . . . . 57
    Configuring responses to prevent Miscellaneous attacks . . . . . 62
  Path Traversal attacks . . . . . 63
    Configuring responses to prevent Path Traversal attacks . . . . . 66
Index . . . . . 67
Tables
1. Proventia GX Network IPS policies affected by settings enabled in the wizard . . . . . 4
2. Authentication attacks . . . . . 8
3. Authentication signatures . . . . . 8
4. Brute Force attacks . . . . . 11
5. Brute Force signatures . . . . . 12
6. Buffer Overflow signatures . . . . . 14
7. Client-side Attacks . . . . . 20
8. Client-side Attack signatures . . . . . 20
9. Cross-site Request Forgery signatures . . . . . 25
10. Directory Indexing signatures . . . . . 28
11. Information Disclosure attacks . . . . . 29
12. Information Disclosure signatures . . . . . 29
13. Injection attacks . . . . . 36
14. Injection Attack signatures . . . . . 37
15. Malicious File Execution signatures . . . . . 54
16. Miscellaneous attacks . . . . . 57
17. Miscellaneous Attack signatures . . . . . 57
18. Path Traversal signatures . . . . . 63
About this publication
This section describes the audience for this guide and provides additional reference information.
Audience
Users of this guide should have a working knowledge of managing Web applications and using the IBM SiteProtector System and Console.
More information on Web application protection
The following sites and publications provide more information on protecting Web applications:
Web Application Security Consortium Classes of Attack (http://www.webappsec.org/projects/threat/classes_of_attack.shtml)
OWASP Top Ten Project (http://www.owasp.org/index.php/Top_10_2007)
IBM Security Solutions site (http://www.ibm.com/services/us/index.wss/offerfamily/iss/a1029065)
IBM Rational® AppScan® Services (PDF format) (http://www.ibm.com/common/ssi/rep_ca/2/897/ENUS208-322/ENUS208-322.PDF)
Chapter 1. About Web application security
This chapter explains how the Web Application Security wizard works and the agents that it supports.
Topics
“Process overview” on page 2
“Supported agents and affected policies” on page 3
“Adding Web applications to a protection domain” on page 5
Process overview
The signatures and tuning parameters that you enable in the Web Application Security wizard affect Proventia agents and agent policies already deployed in SiteProtector.
Setting up the webapplicationsecurity protection domain
You use this wizard to set up a protection domain that includes the group of network devices (Web applications) that you want to protect against Web application security attacks. The network devices form a single protection domain called webapplicationsecurity.
The webapplicationsecurity protection domain allows you to monitor groups of network devices from different network segments using signatures and tuning parameters that you enable in this wizard. You can set up as many webapplicationsecurity protection domains as needed.
Using the wizard for Proventia GX Network IPS agents
Note: When you invoke the Web Application Security wizard on a SiteProtector group, you will receive the following message: “No wizards for which you have permissions are available.” This message means that you cannot use the wizard at group level, not that you need to configure permissions in order to use the wizard.
The wizard follows this process when you enable Web Application Security signatures and tuning parameters for a Proventia GX Network IPS agent in SiteProtector:
1. The wizard attempts to locate an active, deployed Security Events policy version for the selected agent.
2. After the wizard locates an active Security Events policy, the Policy Editor for the Web Application Security wizard is displayed on the screen and you can activate signatures and tuning parameters in the wizard for the selected agent.
3. The signatures and tuning parameters that you enable in the wizard affect the following Proventia GX Network IPS policies:
   Security Events policy
     Outcome: Updated with settings enabled in the wizard and deployed to the selected agent (even if the policy was inherited previously from a parent group).
   Protection Domains Shared Object policy
     Outcome: Saved as a new version in the Policy Repository each time you use settings in the wizard that update it.
   Global Tuning Parameters Shared Object policy
     Outcome: Saved as a new version in the Policy Repository each time you use settings in the wizard that update it.
   Reference: See “Supported agents and affected policies” on page 3 for more information about how the wizard interacts with Proventia GX Network IPS agents and agent policies.
   Proventia GX Network IPS firmware versions 1.4 through 1.7 use different schema versions of the Security Events policy and the Protection Domains Shared Object policy than Proventia GX Network IPS firmware versions 2.0 through 3.0. When you invoke the wizard for an agent, only the Security Events policy and the Protection Domains Shared Objects policy relevant to that agent version are affected by the settings you enable in the wizard.
4. The wizard saves the policy data as a hidden policy for the selected agent, and then deploys this policy along with the modified version of the Security Events policy.
   The wizard also saves the settings from the last version of the policy data you edited in the wizard Policy Editor. The next time you open the wizard from SiteProtector, you can either view or use the settings that you previously saved.
   Attention: If you disable (uncheck) a category that was previously saved in the wizard, this change will uninstall or remove tuning parameters and Web Application Security checks that you previously enabled in the wizard.
   Note: This feature is not available for Locally Configured Agents in SiteProtector 2.0, Service Pack 7.0.
Supported agents and affected policies
The Web Application Security wizard supports the following agent firmware versions and will update or overwrite settings already configured in the agent policies when you enable the protection settings in the wizard for that specific type of agent.
Proventia GX Network IPS agents
The protection settings in the wizard affect the following firmware versions for Proventia GX Network IPS agents:
- 3.0
- 2.3
- 2.2
- 2.1
- 2.0
- 1.7
- 1.6
- 1.5
- 1.4
Proventia GX Network IPS agent policies
The protection settings you enable in the wizard affect the following Proventia GX Network IPS policies:
Table 1. Proventia GX Network IPS policies affected by settings enabled in the wizard
Security Events
  Interaction: Receives a securityEvent for each signature or tuning parameter that is a member of an enabled protection category in the wizard.
  Sets the virtualSensor attribute webapplicationsecurity{unique_group_id} for each security event added by the wizard to indicate that the security event is enabled in the webapplicationsecurity{unique_group_id} protection domain.
  If the Enable Client Protection option is enabled in the Client-side attacks category, then any Web Application Security signature tagged to protect clients is enabled in the global protection domain.
  If the Enable Client Protection option is disabled, but the Client-side attacks category is enabled, then any Web Application Security signature tagged to protect clients is removed from the global protection domain.
  If the Enable Client Protection option is enabled, but the Client-side attacks category is disabled, then any Web Application Security signature tagged to protect clients is removed from the global protection domain.
  If both the Enable Client Protection option and the Client-side attacks category are disabled, then any Web Application Security signature tagged to protect clients is not affected in the global protection domain.
Protection Domains
  Interaction: Uses a single protection domain called webapplicationsecurity{unique_group_id}.
  The webapplicationsecurity{unique_group_id} protection domain contains the list of network devices that you set up in the wizard. A protection domain is added each time you run the wizard on an agent.
Global Tuning Parameters
  Interaction: Updates global tuning parameters with the values of any Advanced Options you have set in the wizard.
  Runs any tuning parameters that you added after it has run existing tuning parameters.
  Sets the Description attribute for the parameter to Inserted by Web Application Security to easily identify the parameters that you added from the wizard to the Global Tuning Parameters policy.
Sensor Properties
  Interaction: Updates properties for the sensor.
Adding Web applications to a protection domain
You need to set up a protection domain that includes the group of network devices (Web applications) that you want to protect against Web application security attacks.
Before you begin
You must have the following permissions before you can enable protection settings in this wizard:
- Deploy Policy Permission for the agent you have selected, or permission for the agent policy subscription group
- Network IPS (Proventia GX) Policy Modify Permission for the agent you have selected, or permission for the agent policy subscription group
About this task
The network devices that you add to the protection list form a single protection domain called webapplicationsecurity.
You use the webapplicationsecurity protection domain when you want to monitor groups of network devices from different network segments using signatures and tuning parameters that you enable in the wizard. You can set up as many webapplicationsecurity protection domains as needed.
The settings enabled for the webapplicationsecurity protection domain instruct the Proventia GX Network IPS appliance on what properties signal a security event and how to respond if the event occurs against the devices in the domain.
Procedure
1. Click Protection Setup → Web Applications to Protect in the navigation pane.
2. Click Add.
3. Type the network address for a Web application using any of the following options:
   - Single IP address
   - Range of IP addresses. Example: 128.8.27.18–128.8.27.25
   - CIDR-compliant address. Example: 128.8.27.18/16, where the /16 suffix gives the number of leading bits of 128.8.27.18 that form the network prefix
4. Click OK to save your settings.
5. Repeat Step 2 through Step 4 to add more applications to the list.
The network devices you add to this list form a single protection domain called webapplicationsecurity. This configuration is written to the Protection Domains Shared Object policy for the Proventia GX Network IPS agent.
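As an added example that is not part of the IBM guide or the product, the following Python parses the three address forms the protection list accepts and tests whether a host falls inside the resulting domain; the helper names are mine. It also makes one caveat visible: an entry whose host bits are set, such as the guide's 128.8.27.18/16, covers the whole 128.8.0.0/16 block, so a mistyped prefix length can silently pull unrelated hosts into the webapplicationsecurity domain.

```python
"""Parse protection-domain entries (single IP, range, CIDR) and check
membership. Added example, not IBM code; names are constructed here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class AddressRange:
    """Inclusive range, the guide's '128.8.27.18-128.8.27.25' form."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last


Entry = Union[ipaddress.IPv4Network, AddressRange]


def parse_entry(text: str) -> Entry:
    """Accept the three forms shown in the guide. The printed range example
    uses an en dash, so that is normalised to a plain hyphen first."""
    text = text.strip().replace("\u2013", "-")
    if "/" in text:
        # strict=False mirrors the guide's own example: the host bits of
        # 128.8.27.18/16 are ignored and the entry becomes 128.8.0.0/16.
        return ipaddress.IPv4Network(text, strict=False)
    if "-" in text:
        lo_text, hi_text = text.split("-", 1)
        lo = ipaddress.IPv4Address(lo_text.strip())
        hi = ipaddress.IPv4Address(hi_text.strip())
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return AddressRange(lo, hi)
    # A single address is just a /32 network.
    return ipaddress.IPv4Network(text + "/32")


def parse_domain(entries: List[str]) -> List[Entry]:
    """Build the protection domain from the list typed into the wizard."""
    return [parse_entry(e) for e in entries]


def in_domain(domain: List[Entry], host: str) -> bool:
    """True if the host would be covered by the webapplicationsecurity domain."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in entry for entry in domain)


def coverage(entry: Entry) -> int:
    """Number of addresses an entry covers; a quick sanity check for an
    over-broad CIDR entry before the policy is deployed."""
    if isinstance(entry, AddressRange):
        return int(entry.last) - int(entry.first) + 1
    return entry.num_addresses


if __name__ == "__main__":
    # Constructed sample list, using the guide's example values.
    sample = ["128.8.27.18", "128.8.27.18\u2013128.8.27.25", "128.8.27.18/16"]
    for raw, entry in zip(sample, parse_domain(sample)):
        print(f"{raw!s:28} -> {entry!s:28} covers {coverage(entry)} address(es)")
```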
Chapter 2. Web application security categories
This chapter explains how to enable protection signatures and configure tuning parameters that protect your Web applications from well-known Web application security attacks.
Before you begin: You must have the following permissions before you can enable protection settings in the wizard:
- Deploy Policy Permission for the agent you have selected, or permission for the agent policy subscription group
- Network IPS (Proventia GX) Policy Modify Permission for the agent you have selected, or permission for the agent policy subscription group
Topics
“Authentication attacks” on page 8
“Brute Force attacks” on page 11
“Buffer Overflow attacks” on page 14
“Client-side attacks” on page 20
“Cross-site Request Forgery (CSRF) attacks” on page 25
“Directory Indexing attacks” on page 27
“Information Disclosure attacks” on page 29
“Injection attacks” on page 36
“Malicious File Execution attacks” on page 54
“Miscellaneous attacks” on page 57
“Path Traversal attacks” on page 63
Authentication attacks
This type of attack targets and attempts to exploit the authentication process a Web site uses to verify the identity of a user, service, or application.
Types of Authentication attacks
The following types of attacks are considered Authentication attacks:
Table 2. Authentication attacks
Brute Force
  Allows an attacker to guess a person’s user name, password, credit card number, or cryptographic key by using an automated process of trial and error.
Insufficient Authentication
  Allows an attacker to access a Web site containing sensitive content or functions without having to properly authenticate with the Web site.
Weak Password Recovery Validation
  Allows an attacker to access a Web site that provides them with the ability to illegally obtain, change, or recover another user’s password.
Signatures triggered by this attack
The Web Application Security signatures triggered by Authentication attacks include:
Table 3. Authentication signatures

HTTP_Auth_ContainsBinary
Looks for an HTTP authentication that contains binary data.
More information:
IBM X-Force: Netscape Enterprise and Fasttrack authentication buffer overflow (http://www.iss.net/security_center/static/20556.php)

HTTP_Auth_TooLong
Detects an HTTP authorization string that is longer than the system-configurable value for maximum HTTP authorization length.
This signature replaces HTTP_NS_Admin_Overflow.
More information:
IBM X-Force: Netscape Enterprise and Fasttrack authentication buffer overflow (http://www.iss.net/security_center/static/3586.php)
CVE-1999-0853 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0853)

HTTP_Authentication
Detects HTTP Basic authentication to a Web server and logs the user names and passwords.
Note: This security event is categorized as an audit event. It does not necessarily indicate an attack or threat on your network.
More information:
IBM X-Force: HTTP authentication (http://www.iss.net/security_center/static/653.php)

HTTP_Authentication_Format_String
Detects an HTTP Basic authentication format string attack in user names and passwords.
More information:
IBM X-Force: Apache auth_ldap module multiple format strings (http://www.iss.net/security_center/static/24030.php)
CVE-2006-0150 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0150)

HTTP_IIS_Hit_Highlighting_Auth_Bypass
Looks for attempts to bypass security restrictions using a vulnerability in the Microsoft IIS server hit-highlighting functions.
More information:
IBM X-Force: Microsoft IIS Hit-highlighting security bypass (http://www.iss.net/security_center/static/34434.php)
CVE-2005-3357 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3357)

HTTP_Login_Known_User
Detects the login name and matches it with user-defined logins for well-known login names.
More information:
IBM X-Force: HTTP known user login name (http://www.iss.net/security_center/static/8090.php)

HTTPS_ClearText_Session
Detects a valid HTTP request and response on port 443 that is not encrypted.
More information:
IBM X-Force: Unencrypted HTTP traffic over SSL has been detected (http://www.iss.net/security_center/static/22070.php)
Configuring responses to prevent Authentication attacks
Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected an Authentication attack on network traffic.
Procedure
1. Click Protection Categories → Authentication in the navigation pane.
2. Set a response for the attack triggered by the Authentication protection category:
   If you want to display the security event on the SiteProtector Console, then select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures. Note: Look for security events tagged with webapplicationsecurity.
   If you want to block the attack: Important: IBM X-Force recommends that you disable blocking for Authentication attacks, because you could unintentionally block legitimate connections. Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.
   Tip: You should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.
Brute Force attacks
This type of attack uses a repetitive method of trial and error in order to guess a person’s user name, password, credit card number, or cryptographic key.
About this attack
An attacker could launch a brute force attack by trying to guess the user ID and password for a valid user account on the Web application. If the brute force attempt is successful, the attacker might be able to access:
- Confidential information, such as profile data for users or confidential documents stored on the Web application
- Administration tools used by the System Administrator for the Web application to manage (modify, delete, add) Web application content, manage user provisioning, or to assign different privileges to users
- Sections of the Web application that might expose vulnerabilities or advanced functions not available to non-Administrator users
Types of brute force attacks
An attacker might try the following attack methods to find out valid authentication credentials for a Web application:
Table 4. Brute Force attacks
Dictionary attacks
  Automated tools that try to guess user names and passwords from a dictionary file.
  A dictionary file might contain words gathered by the attacker to understand the user of the account about to be attacked, or to build a list of all the unique words available on the Web site.
Search attacks
  Covers all possible combinations of a character set and ranges of password length.
  This attack might take some time because of the large amount of possible combinations.
Rule-based search attacks
  Uses rules to generate possible password variations from part of a user name or from modifying pre-configured mask words in the input.
Signatures triggered by this attack
The Web Application Security signatures triggered by Brute Force attacks include:
Table 5. Brute Force signatures

HTTP_Forced_Browsing_Probe
Detects repeated attempts to access non-existent resources on a Web server.
This could indicate an attack attempt related to the general problem of Forced Browsing, where an attacker uses brute force methods to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These files and directories could contain sensitive information about Web applications and operational systems, such as source code, authentication credentials, internal network addressing, or any other type of valuable information that could allow an attack of the system.
More information:
IBM X-Force: Web application forced browsing probe detected (http://www.iss.net/security_center/static/48208.php)
CWE-425 (http://cwe.mitre.org/data/definitions/425.html)

HTTP_Hydra_BruteForce
Detects the Nessus Hydra plug-in using brute force techniques.
More information:
IBM X-Force: Nessus Hydra plugin brute force detected (http://www.iss.net/security_center/static/22769.php)
Configuring responses to prevent Brute Force attacks
Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Brute Force attack on network traffic.
Procedure
1. Click Protection Categories → Brute Force in the navigation pane.
2. Set a response for the attack triggered by the Brute Force protection category:
   If you want to display the security event on the SiteProtector Console, then select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures. Note: Look for security events tagged with webapplicationsecurity.
   If you want to block the attack, then select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.
   Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.
Buffer Overflow attacks
This type of attack overflows a buffer with excessive data,which allows an
attacker to run remote shell on the computer and gain the same system privileges
granted to the application being attacked.
About this attack
An attacker can use buffer overflow attacks to corrupt the execution stack of a Web
application.The attacker sends carefully crafted input to a Web application in
order to force the Web application to execute arbitrary code that allows the
attacker to take over the system being attacked.
Web servers or Web applications that manage the static and dynamic aspects of a
site,or use graphic libraries to generate images,are vulnerable to buffer overflow
attacks.Buffer overflow attacks cause system crashes,might place a system in an
infinite loop,or execute code on the system in order to bypass a security service.
Signatures triggered by this attack
The Web Application Security signatures triggered by Buffer Overflow attacks
include:
Table 6.Buffer Overflow signatures
Signature name and description
HTTP_Accept_Language_Overflow
Detects an overflow in the HTTP ACCEPT field.
pam.http.maxaccept:Maximum length of an HTTP accept field.
Type= number
Default value= 1600
Minimum value= 1
Maximum value= 4294967295
More information:
IBM X-Force:Netscape Enterprise Server contains a buffer overflow in its handling of
Accept headers (http://xforce.iss.net/xforce/xfdb/3256)
CVE-1999-0751 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0751)
HTTP_Apache_DOS
Detects an HTTP URL request containing a large number of slashes/,which might indicate
an attempt by an attacker to increase the load average on an Apache httpd server.
More information:
IBM X-Force:Apache HTTP server beck exploit (http://www.iss.net/security_center/
static/697.php)
CVE-1999-0107 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0107)
14
Proventia Web Application Security:Configuration Guide
Table 6.Buffer Overflow signatures (continued)
Signature name and description
HTTP_Apache_Header_Memory_DoS
Detects an attempt to DoS a vulnerable apache HTTP server using a request with carefully
crafted HTTP headers.
pam.http.header.contspace.limit:Maximum space beginning HTTP header continuation.
Type= number
Default value= 100
Minimum value= 0
Maximum value= 4294967295
More information:
IBM X-Force:Apache HTTP Server HTTP GET request denial of service
(http://www.iss.net/security_center/static/17930.php)
CVE-2004-0942 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0942)
HTTP_Apache_JK2_Host_Overflow
Detects an attack against Apache Web servers that support Jakarta Tomcat Connectors
(mod_jk2).
More information:
IBM X-Force:Apache mod_jk2 HTTP Host header buffer overflow (http://www.iss.net/
security_center/static/40614.php)
CVE-2007-6258 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6258)
HTTP_Apache_LF_Memory_DoS
Detects an attempt to DoS a vulnerable apache HTTP server using a request containing
numerous line feed characters.
More information:
IBM X-Force:Apache HTTP Server LF (Line Feed) denial of service (http://www.iss.net/
security_center/static/11695.php)
CVE-2003-0132 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0132)
HTTP_IIS_Tilde_DoS
Detects HTTP URLs that contain a ~ (tilde) followed by a digit.
Known false positives:Any request to a vulnerable server for a URL that contains ~#,
where#is any digit,will cause this signature to trigger.Servers are assumed vulnerable
until there is evidence that they are not vulnerable.
Known false negatives:IBM X-Force believes it to be highly unlikely,although remotely
possible,that this vulnerability can be entirely exploited from the Internet.In such a case,
accurate detection and association of the setup before seeing the pattern associated with
this event is not possible.
More information:
IBM X-Force:Microsoft Internet Information Services URL parser buffer overflow
(http://www.iss.net/security_center/static/35197.php)
CVE-2005-4360 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4360)
Chapter 2.Web application security categories
15
Table 6.Buffer Overflow signatures (continued)
Signature name and description
HTTP_LDAP_Mod_Rewrite_BO
Checks for an off-by-one buffer overflow in the LDAP scheme handling function.
More information:
IBM X-Force:Apache mod_rewrite off-by-one buffer overflow (http://www.iss.net/
security_center/static/28063.php)
CVE-2006-3747 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3747)
HTTP_Lighttpd_Header_Overflow
Detects HTTP requests that contain long header data that might allow a remote attacker to
execute arbitrary code on the victim’s system by overflowing a buffer in the mod_fastcgi
extension of the Lighttpd server.
pam.http.lighttpd.hdr.limit:Sets the maximum HTTP header size before the
HTTP_Lighttpd_Header_Overflow signature is reported.
Type= number
Default value= 0x0000f000
Minimum value= 0x200
Maximum value= 0x7fffffff
More information:
IBM X-Force:lighttpd mod_fastcgi code execution (http://www.iss.net/security_center/
static/36526.php)
CVE-2007-4727 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4727)
HTTP_Netscape_Revlog
Detects an HTTP REVLOG request,which might indicate an attacker’s attempt to crash or
otherwise disrupt the service of a Netscape Enterprise Web server.
More information:
IBM X-Force:Netscape Enterprise Server REVLOG denial of service (http://www.iss.net/
security_center/static/6003.php)
CVE-2001-0251 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0251)
HTTP_Oracle2_BO
Detects attempts to overflow a buffer within Oracle Application Server by sending large
URL parameters in GET requests to default AS ports.
More information:
IBM X-Force:Oracle Application Server emagent.exe buffer overflow (http://www.iss.net/
security_center/static/22819.php)
16
Proventia Web Application Security:Configuration Guide
Table 6.Buffer Overflow signatures (continued)
Signature name and description
HTTP_PHPNuke_ModulesPhp_DOS
Detects an HTTP URL that contains the string */modules.php and that also has a query string that begins with op=modload&name=../&file=modules.
More information:
IBM X-Force: PHP-Nuke modules.php remote denial of service (http://www.iss.net/security_center/static/6946.php)
HTTP_PHPNuke_Prefix_Admin
Detects an HTTP URL that contains the string */*.php and that also has a query string that begins with prefix=*.
More information:
IBM X-Force: PHP-Nuke $prefix variable could allow a remote attacker to gain administrative access (http://www.iss.net/security_center/static/6945.php)
CVE-2001-1025 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1025)
HTTP_PHPNuke_Index_File
Detects an HTTP URL that contains the string */*.php and that also has an argument that begins with file=http:.
More information:
IBM X-Force: PHP-Nuke index.php allows remote attackers to execute arbitrary commands from an included file (http://www.iss.net/security_center/static/7914.php)
CVE-2002-0206 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0206)
HTTP_POST_repeated_char
Detects HTTP POST data that contains a repeated character. This might indicate an attacker’s attempt to overflow a buffer and execute arbitrary code.
More information:
IBM X-Force: HTTP POST contains repeated characters (http://www.iss.net/security_center/static/8538.php)
HTTP_Tomcat_URI_Overflow
Detects a URI of at least 4096 characters in an HTTP request that might be going to a Tomcat server.
More information:
IBM X-Force: Apache Tomcat JK Web Server Connector map_uri_to_worker() buffer overflow (http://www.iss.net/security_center/static/32794.php)
CVE-2007-0774 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774)
Chapter 2.Web application security categories
17
HTTP_URL_repeated_char
Detects URLs that have a large number of consecutive, identical characters. Such sequences can indicate an attacker’s attempt to overflow a buffer.
pam.name.maxrepeatedchar: Maximum repeated character for a number of events.
Type = number
Default value = 100
Minimum value = 2
Maximum value = 2147483647
More information:
IBM X-Force: HTTP URL contains repeated characters (http://www.iss.net/security_center/static/8537.php)
HTTP_WebDAV_Long_Rqst_DOS
Detects a specific HTTP URL.
This signature looks for an HTTP WebDAV method PROPFIND or SEARCH with a content-type of ’text/xml’ and a content-length of greater than 48000 bytes.
This signature replaces HTTP_WebDAV_Overflow.
More information:
IBM X-Force: Microsoft IIS WebDAV long invalid request denial of service (http://www.iss.net/security_center/static/6982.php)
CVE-2001-0508 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0508)
HTTP_WebDAV_XML_Attribute_DoS
Detects a WebDAV command with an unusually large number of XML attributes. This might indicate an attempt to cause a denial of service on some IIS Web servers.
More information:
IBM X-Force: Microsoft Internet Information Server WebDAV multiple attributes per XML elements cause denial of service (http://www.iss.net/security_center/static/17645.php)
CVE-2003-0718 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0718)
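Several of the Table 6 signatures are pure size checks, and the guide gives their thresholds: the pam.name.maxrepeatedchar default of 100, the 4096-character URI limit for HTTP_Tomcat_URI_Overflow, the pam.http.lighttpd.hdr.limit default of 0x0000f000, and the 48000-byte PROPFIND/SEARCH limit for HTTP_WebDAV_Long_Rqst_DOS. The following is an added example, not code from the guide or from the Proventia PAM engine: it applies those four thresholds to constructed HTTP requests so that an analyst can see which request shapes would be reported. The request parser, the choice to measure the whole header block for the Lighttpd check, and the "longer than the maximum" comparison for the repeated-character check are assumptions made for this example.

```python
"""Size checks from Table 6 applied to constructed HTTP requests (added example)."""
from typing import Dict, List, Tuple

# Thresholds as stated in the guide; the parameter names are the guide's.
PAM_NAME_MAXREPEATEDCHAR = 100            # HTTP_URL_repeated_char default
PAM_HTTP_LIGHTTPD_HDR_LIMIT = 0x0000F000  # HTTP_Lighttpd_Header_Overflow default (61440 bytes)
TOMCAT_URI_LIMIT = 4096                   # HTTP_Tomcat_URI_Overflow
WEBDAV_LENGTH_LIMIT = 48000               # HTTP_WebDAV_Long_Rqst_DOS


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], int]:
    """Return (method, request-URI, headers, header block size in bytes).

    Minimal parser written for this example: header names are lower-cased
    and a repeated header keeps its last value.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, len(head)


def longest_run(text: str) -> int:
    """Length of the longest run of consecutive identical characters."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_buffer_overflow(raw: bytes) -> List[str]:
    """Names of the Table 6 size checks that the request trips, in a fixed order."""
    method, uri, headers, header_size = parse_request(raw)
    hits: List[str] = []
    if longest_run(uri) > PAM_NAME_MAXREPEATEDCHAR:      # assumption: "longer than the maximum"
        hits.append("HTTP_URL_repeated_char")
    if len(uri) >= TOMCAT_URI_LIMIT:                      # guide: "at least 4096 characters"
        hits.append("HTTP_Tomcat_URI_Overflow")
    if header_size > PAM_HTTP_LIGHTTPD_HDR_LIMIT:         # assumption: whole header block counts
        hits.append("HTTP_Lighttpd_Header_Overflow")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    try:
        clen = int(headers.get("content-length", "0"))
    except ValueError:
        clen = 0
    if method in ("PROPFIND", "SEARCH") and ctype == "text/xml" and clen > WEBDAV_LENGTH_LIMIT:
        hits.append("HTTP_WebDAV_Long_Rqst_DOS")
    return hits


# Constructed sample requests for the example (not captured traffic).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
REPEATED = b"GET /index.html?id=" + b"A" * 120 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LONG_URI = b"GET /" + b"ab" * 2500 + b" HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BIG_HEADER = b"GET / HTTP/1.1\r\nHost: www.example.test\r\nX-Pad: " + b"x" * 70000 + b"\r\n\r\n"
WEBDAV = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.test\r\n"
          b"Content-Type: text/xml; charset=utf-8\r\nContent-Length: 60000\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("repeated", REPEATED), ("long_uri", LONG_URI),
                      ("big_header", BIG_HEADER), ("webdav", WEBDAV)]:
        print(f"{name:11s} -> {check_buffer_overflow(req)}")
```

The LONG_URI sample alternates two characters so that it trips only the Tomcat length check and not the repeated-character check; a request that both repeats one character and exceeds 4096 characters would be reported under both names, which is worth remembering when tuning pam.name.maxrepeatedchar against a noisy application.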
Configuring responses to prevent Buffer Overflow attacks
Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Buffer Overflow attack on network traffic.
Procedure
1. Click Protection Categories → Buffer Overflow in the navigation pane.
2. Set a response for the attack triggered by the Buffer Overflow protection category:
If you want to: Display the security event on the SiteProtector Console
Then: Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
Note: Look for security events tagged with webapplicationsecurity.
If you want to: Block the attack
Then: Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.
Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.
Client-side attacks
This type of attack exploits the trust relationship between a user and the Web sites they visit.
Types of Client-side attacks
The following types of attacks are considered Client-side attacks:
Table 7. Client-side Attacks
Attack type and description
Content Spoofing
Tricks a user into believing that certain content appearing on a Web site is legitimate and not from an external source.
Cross-Site Scripting (XSS)
Allows an attacker to execute scripts in the victim’s Web browser, which can be used to intercept user sessions, deface Web sites, insert hostile content, conduct phishing attacks, and take over the user’s browser using scripting malware.
All Web application frameworks are vulnerable to this exploit. The exploit typically uses HTML or JavaScript™, but any scripting language, including VBScript, ActiveX, Java™, or Flash, supported by the victim’s browser is a potential target for this attack.
The types of Cross-site Scripting attacks include:
• Non-persistent: Requires a user to visit a specially-crafted link containing malicious code. When the user accesses the link, the code embedded in the URL is executed within the user’s Web browser.
• Persistent: Inflicts malicious code on a Web site where it’s stored for a period of time. Typical targets of persistent cross-site scripting for an attacker include message board posts, Web mail messages, and Web chat software.
Signatures triggered by this attack
The Web Application Security signatures triggered by Client-side attacks include:
Table 8. Client-side Attack signatures
Signature name and description
Cross_Site_Scripting
Detects well known forms of the <SCRIPT> tag in URL or CGI data.
This signature replaces HTTP_GETargscript, HTTP_POST_Script, and HTTP_Cross_Site_Scripting events.
More information:
IBM X-Force: HTTP cross-site scripting attempt detected (http://www.iss.net/security_center/static/6784.php)
HTTP_Apache_Expect_XSS
Detects a specially-crafted Expect header that might be used to embed a malicious script and be executed in the victim’s Web browser.
More information:
IBM X-Force: Apache and IBM HTTP Server Expect header cross-site scripting (http://www.iss.net/security_center/static/28620.php)
CVE-2006-3918 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918)
HTTP_Apache_OnError_XSS
Detects cross-site scripting attempts to older versions of Apache Web servers. In such cases, the Apache ONERROR/404 redirect must be enabled and specially configured for the cross-site scripting attempt to work.
More information:
IBM X-Force: Apache HTTP Server Host: header cross-site scripting (http://www.iss.net/security_center/static/10241.php)
HTTP_Cross_Site_Scripting
Detects HTTP URLs that contain the strings <script> or </script>.
More information:
IBM X-Force: Microsoft IIS Cross-Site Scripting (http://www.iss.net/security_center/static/5156.php)
CVE-2000-1104 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1104)
CVE-2005-2379 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2379)
CVE-2006-0032 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0032)
HTTP_GETargscript
Detects an HTTP GET request that contains JavaScript code. Because of the unusual nature of this exploit, this signature cannot report the true intruder.
During this exploit, the victim communicates with an HTTP server that the intruder has chosen. However, this HTTP server is a “means to an end” and plays no role in the actual attack.
The damage is done when Internet Explorer saves the JavaScript in its cache (index.dat) while processing the request. The real intruder is likely indicated by other events reported corresponding with this one.
More information:
IBM X-Force: Microsoft Internet Explorer 5.5 index.dat file can be used to remotely execute code (http://www.iss.net/security_center/static/5566.php)
CVE-2007-1499 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1499)
HTTP_Html_In_Ref
Detects an HTTP REFERER field that contains HTML tags, which might indicate a cross-site scripting attack.
More information:
IBM X-Force: HTTP Referer Header tag detected (http://www.iss.net/security_center/static/17810.php)
HTTP_HTML_Tag_Injection
Detects well known HTML tag injection attacks and probing activity.
This signature does not necessarily indicate an attack; however, many scripting attacks have been used in conjunction with various HTML tags that this signature will trigger on, such as TABLE, TD, or META.
More information:
IBM X-Force: HTTP HTML tag injection attempt detected (http://www.iss.net/security_center/static/7291.php)
HTTP_IFRAME_Tag_Injection
Detects an HTML <IFRAME> tag injection attempt.
This signature does not necessarily indicate an attack; however, many successful scripting and browser hijacking attacks have been used in conjunction with IFRAME tag injections.
More information:
IBM X-Force: HTTP IFRAME tag injection attempt detected (http://www.iss.net/security_center/static/43713.php)
HTTP_MCMS_CrossSiteScripting
Detects a specially-crafted HTTP URL that can cause a client-side script to be injected into the user’s browser.
More information:
IBM X-Force: Microsoft Content Management Server (MCMS) HTTP request cross-site scripting (http://www.iss.net/security_center/static/32737.php)
CVE-2007-0939 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0939)
HTTP_MSIS_Script
Checks argument data for cross-site scripting in the Microsoft Indexing Services.
More information:
IBM X-Force: Microsoft IIS .htw cross scripting (http://www.iss.net/security_center/static/5441.php)
CVE-2000-0942 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0942)
HTTP_Nfuse_Script
Checks for a specially-crafted URL containing launch.asp or launch.jsp.
More information:
IBM X-Force: Citrix NFuse launch.* cross-site scripting (http://www.iss.net/security_center/static/8659.php)
CVE-2002-0504 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0504)
HTTP_POST_Script
Detects if an HTTP POST command contains a <script> tag.
More information:
IBM X-Force: HTTP POST contains malicious script (http://www.iss.net/security_center/static/8539.php)
HTTP_Share_Point_XSS
Detects a URL ending in .aspx, followed by the string /");}.
More information:
IBM X-Force: Microsoft SharePoint Server default.aspx PATH_INFO cross-site scripting (http://www.iss.net/security_center/static/34343.php)
CVE-2007-2581 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2581)
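Most of the Table 8 signatures are described as matches on a tag in a particular part of the request: <script> or </script> in the URL (HTTP_Cross_Site_Scripting) or POST body (HTTP_POST_Script), an <IFRAME> tag (HTTP_IFRAME_Tag_Injection), TABLE, TD or META tags (HTTP_HTML_Tag_Injection), any tag in the Referer (HTTP_Html_In_Ref) or Expect (HTTP_Apache_Expect_XSS) header. The following is an added example, not the guide's code and not Proventia's own matching logic, which the guide does not describe: it applies those descriptions to constructed requests and, as this example's own design choice, percent-decodes and entity-decodes the URL and body first, because a literal match on the wire form is what a doubly encoded %253Cscript%253E is meant to slip past. The signature names are the guide's; the regular expressions are this example's reading of the one-line descriptions.

```python
"""Tag checks from Table 8 applied to constructed requests (added example)."""
import re
from html import unescape
from typing import Dict, List
from urllib.parse import unquote_plus

SCRIPT_TAG = re.compile(r"</?\s*script\b", re.IGNORECASE)                  # HTTP_Cross_Site_Scripting, HTTP_POST_Script
IFRAME_TAG = re.compile(r"<\s*iframe\b", re.IGNORECASE)                     # HTTP_IFRAME_Tag_Injection
PROBE_TAGS = re.compile(r"<\s*(table|td|meta)\b", re.IGNORECASE)            # HTTP_HTML_Tag_Injection
ANY_TAG = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*\b[^>]*>", re.IGNORECASE)     # HTTP_Html_In_Ref, HTTP_Apache_Expect_XSS


def normalize(value: str) -> str:
    """Undo the encodings that hide a tag from a literal string match.

    Percent-decoding runs twice so that a doubly encoded %253C still becomes
    '<'; HTML entities are decoded afterwards. This step is the example's own
    design choice, not something the guide attributes to the product.
    """
    out = value
    for _ in range(2):
        out = unquote_plus(out)
    return unescape(out)


def check_client_side(method: str, url: str, headers: Dict[str, str], body: str = "") -> List[str]:
    """Table 8 signatures tripped by one request, in a fixed order."""
    hdr = {k.lower(): v for k, v in headers.items()}
    url_n, body_n = normalize(url), normalize(body)
    hits: List[str] = []
    if SCRIPT_TAG.search(url_n):
        hits.append("HTTP_Cross_Site_Scripting")
    if method.upper() == "POST" and SCRIPT_TAG.search(body_n):
        hits.append("HTTP_POST_Script")
    if IFRAME_TAG.search(url_n) or IFRAME_TAG.search(body_n):
        hits.append("HTTP_IFRAME_Tag_Injection")
    if PROBE_TAGS.search(url_n) or PROBE_TAGS.search(body_n):
        hits.append("HTTP_HTML_Tag_Injection")   # the guide notes this one is not on its own an attack
    if ANY_TAG.search(normalize(hdr.get("referer", ""))):
        hits.append("HTTP_Html_In_Ref")
    if ANY_TAG.search(hdr.get("expect", "")):
        hits.append("HTTP_Apache_Expect_XSS")
    return hits


# Constructed sample requests for the example (not captured traffic):
# (method, request-target, headers, body)
SAMPLES = {
    "benign": ("GET", "/search?q=proventia+guide", {"Referer": "http://intranet.example/start"}, ""),
    "double_encoded": ("GET", "/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E", {}, ""),
    "iframe_post": ("POST", "/guestbook", {}, "comment=%3CIfRaMe+src%3Dhttp%3A%2F%2Fattacker.example%2F%3E"),
    "tagged_referer": ("GET", "/", {"Referer": "http://attacker.example/<b>x</b>"}, ""),
    "expect_header": ("GET", "/", {"Expect": "<img src=x>"}, ""),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:15s} -> {check_client_side(*sample)}")
```

The double_encoded sample is the reason for the normalize step: on the wire it contains no '<' at all, so a check that only looked for the literal strings named in the HTTP_Cross_Site_Scripting description would pass it through. When tuning, remember that the same decoding also raises the false-positive rate of the noisier tag checks, which is what the guide's remarks on HTTP_HTML_Tag_Injection and HTTP_IFRAME_Tag_Injection warn about.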
Configuring responses and client protection to prevent Client-side attacks
Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Client-side attack on network traffic.
Procedure
1. Click Protection Categories → Client-side Attacks in the navigation pane.
2. Set a response for the attack triggered by the Client-side Attacks protection category:
If you want to: Display the security event on the SiteProtector Console
Then: Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
Note: Look for security events tagged with webapplicationsecurity.
If you want to: Block the attack
Then: Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.
Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.
3. To add IP addresses, domains, or parameters that are always allowed and not blocked by the Web Application Security signatures, click Add in the Parameter Names to Ignore for Protection section.
4. Type an entry as in the following examples: 128.8.27.18 or ibm.com or iss.net or pam.example.parameter
Note: The engine appends a number at the end of an entry if it has been used before as an entry in local tuning parameters or global tuning parameters. Example: pam.injection.param.ignore.2110173[2]
5. Optional: Type a unique description for the entry.
6. Select Enable Client Protection to make sure that any Web Application Security signature you have set up to protect clients is included in the global protection domain for the Proventia GX Network IPS agent.
Note: The global protection domain includes all the security events that are listed in the global security policy used by the Proventia GX Network IPS agent.
Cross-site Request Forgery (CSRF) attacks
This type of attack sends unauthorized commands from a user that a Web site trusts.
About this attack
This attack contains a link or script in a page that accesses a Web site to which the user is known to have authenticated.
These types of attacks have the following common characteristics:
• Involves Web sites that rely on a user’s identity
• Exploits the trust of the Web site in that identity
• Tricks the user’s Web browser into sending HTTP requests to a target site
• Involves HTTP requests that have adverse effects
This attack is also known as a blind attack; the attacker cannot see what the target Web site sends back to the victim in response to the forged requests, unless the attacker is using cross-site scripting or other bugs at the target Web site.
Signatures triggered by this attack
The Web Application Security signatures triggered by Cross-site Request Forgery attacks include:
Table 9. Cross-site Request Forgery signatures
Signature name and description
HTTP_AuthResponse_Possible_CSRF
Detects a Cross-site Request Forgery attempt (also known as a CSRF or XSRF attempt).
This attack allows an attacker to send unauthorized commands to a Web server or Web application from a user that the server or application trusts. This type of attack usually requires the attacker to perform some type of social engineering in order to gain the trust of the Web server or application.
More information:
IBM X-Force: HTTP Cross-Site Request Forgery attempt detected (http://www.iss.net/security_center/static/48675.php)
Configuring responses and tuning parameters to prevent Cross-site Request Forgery attacks
Use this procedure to configure responses and tuning parameters for signatures that are triggered by Web Application Security after it has detected a Cross-site Request Forgery attack on network traffic.
Procedure
1. Click Protection Categories → Cross-site Request Forgery in the navigation pane.
2. Set a response for the attack triggered by the Cross-site Request Forgery protection category:
If you want to: Display the security event on the SiteProtector Console
Then: Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
Note: Look for security events tagged with webapplicationsecurity.
If you want to: Block the attack
Important: IBM X-Force recommends that you disable blocking for CSRF attacks, because you could unintentionally block legitimate connections.
Then: Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.
Tip: You should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.
3. To add IP addresses, domains, or parameters that are always allowed and not blocked by the Web Application Security signatures, click Add in the Parameter Names to Ignore for Protection section.
4. Type an entry as in the following examples: 128.8.27.18 or ibm.com or iss.net or pam.example.parameter
Note: The engine appends a number at the end of an entry if it has been used before as an entry in local tuning parameters or global tuning parameters. Example: pam.injection.param.ignore.2110173[2]
5. Optional: Type a unique description for the entry.
Directory Indexing attacks
This type of attack exploits a function of the Web server that lists all the files within a requested directory if the normal base file is not present.
About this attack
When a user types in a request for a page on a Web site, the Web server processes the request, searches the Web document root directory for the default file name, and then sends this page to the user. If the server cannot find the page, it will issue a directory listing and send the output in HTML format to the user.
This action allows the contents of unintended directory listings to be disclosed to the user because of software vulnerabilities combined with a specific Web request. This information leak can provide an attacker with the information necessary to launch further attacks against the system.
The information leak might include some of these files or user information:
• Backup files that use file name extensions, such as BAK, OLD, or ORIG
• Temporary files that have been purged from the server, but might still be available
• Hidden files with file names that start with a . (period)
• Naming conventions where the attacker can determine how the Web site names directories or files
• Personal user accounts on a Web server where the user has named their home directory with the same name as their user account
• Configuration file contents that might contain access control data and use file name extensions, such as CONF, CFG, or CONFIG
• Directory indexing of the cgi-bin contents that might enable an attacker to download or review script code if permissions are incorrect
In some cases, an attacker might be able to access an unintended directory listing or index by exploiting one of these vulnerabilities:
• Web server configured incorrectly to allow or provide a directory index
• Web server allows a directory index even though it has been disabled in the configuration file or if an index page is present
• Cache database used by Google might contain historical data including directory indexes from past scans of a specific Web site
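The lists above describe what a directory listing exposes and when a server would produce one. A defender can turn that into a check run against the document root itself, before a listing is ever served. The following is an added example, not code from the guide: it walks a Web document root and reports the file categories the guide names (backup extensions BAK, OLD, ORIG; hidden dot-files; configuration extensions CONF, CFG, CONFIG) together with every directory that has no default file and would therefore be listed if indexing were enabled. The set of default-file names and the sample tree, which the example builds in a temporary directory, are assumptions made for the example.

```python
"""Document-root audit for the leak categories listed in the guide (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

BACKUP_EXT = {".bak", ".old", ".orig"}        # extensions named in the guide's list
CONFIG_EXT = {".conf", ".cfg", ".config"}     # extensions named in the guide's list
INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.aspx"}  # assumption for the example


def audit_docroot(root: str) -> Dict[str, List[str]]:
    """Return sorted paths, relative to root, for each finding category."""
    base = Path(root)
    findings: Dict[str, List[str]] = {"backup": [], "config": [], "hidden": [], "listable_dirs": []}
    for dirpath, _dirnames, filenames in os.walk(base):
        rel_dir = Path(dirpath).relative_to(base)
        if not INDEX_NAMES & set(filenames):
            # No default file: a server with indexing enabled would list this directory.
            findings["listable_dirs"].append(rel_dir.as_posix())
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            ext = Path(name).suffix.lower()
            if name.startswith("."):
                findings["hidden"].append(rel)
            if ext in BACKUP_EXT:
                findings["backup"].append(rel)
            if ext in CONFIG_EXT:
                findings["config"].append(rel)
    return {key: sorted(paths) for key, paths in findings.items()}


def build_sample_docroot() -> str:
    """Create a throwaway document root with constructed content and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    sample = {
        "index.html": "<html><body>home</body></html>",
        "app/config.php": "<?php $db = 'prod'; ?>",
        "app/config.php.bak": "<?php $db = 'prod'; $pw = 'placeholder'; ?>",   # editor backup left behind
        "app/.htpasswd": "alice:placeholder-hash",                            # hidden dot-file
        "cgi-bin/db.cfg": "host=db.internal",                                 # config file in cgi-bin
        "docs/index.htm": "<html></html>",
        "docs/notes.txt": "release notes",
    }
    for rel, text in sample.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root


if __name__ == "__main__":
    for category, paths in audit_docroot(build_sample_docroot()).items():
        print(f"{category:14s} {paths}")
```

In the sample tree the top level and docs/ have a default file, so only app/ and cgi-bin/ come back as listable; app/ is also where the backup copy and the hidden password file sit, which is exactly the combination the guide's list describes. Removing the stray files and disabling indexing in the server configuration are both needed, since the guide notes that a server can still produce a listing even when indexing has been disabled.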
Signatures triggered by this attack
The Web Application Security signatures triggered by Directory Indexing attacks include:
Table 10. Directory Indexing signatures
Signature name and description
HTTP_Apache_Macros_dir
Detects an HTTP GET request for the .dS_store or .FBCIndex files.
More information:
IBM X-Force: Apple Mac OS X used with Apache Web server could disclose directory contents (http://www.iss.net/security_center/static/7103.php)
CVE-2001-1446 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1446)
HTTP_Tomcat_Nulllist
Checks for a specially-crafted URL designed to obtain a list of directories from an Apache Tomcat servlet container.
More information:
IBM X-Force: Apache Tomcat URL appended with a null character could list directories (http://www.iss.net/security_center/static/11194.php)
CVE-2003-0042 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0042)
Configuring responses to prevent Directory Indexing attacks
Use this procedure to configure responses for signatures that are triggered by Web Application Security after it has detected a Directory Indexing attack on network traffic.
Procedure
1. Click Protection Categories → Directory Indexing in the navigation pane.
2. Set a response for the attack triggered by the Directory Indexing protection category:
If you want to: Display the security event on the SiteProtector Console
Then: Select the Display check box. The security event is displayed in the Analysis view on the SiteProtector Console for the agent when it is detected by the Web Application Security signatures.
Note: Look for security events tagged with webapplicationsecurity.
If you want to: Block the attack
Then: Select the Block check box. The attack is blocked by dropping all packets on the connection that triggered the security event.
Tip: Before you start blocking traffic, you should run the Web Application Security wizard a couple of times with only the Display response enabled so that you can determine which Web applications pose the greatest security threat to your network.
Information Disclosure attacks
This type of attack is aimed at acquiring system-specific information about a Web site, including software distribution, version numbers, and patch levels. The acquired information might also contain the location of backup files or temporary files.
About this attack
Most Web sites will disclose some amount of information. The more information that an attacker learns about a Web site, the easier the system will be to compromise.
Types of Information Disclosure attacks
The following types of attacks are considered Information Disclosure attacks:
Table 11. Information Disclosure attacks
Attack type and description
Directory Indexing
Exploits a function in a Web server that lists all the files within a requested directory if the normal base file is not present.
Reference: See “Directory Indexing attacks” on page 27 for more information about this type of attack.
Information Leakage
Exploits a Web site that reveals sensitive data, such as developer comments or error messages.
Path Traversal
Forces access to files, directories, and commands that are located outside the Web document root directory.
Reference: See “Path Traversal attacks” on page 63 for more information about this type of attack.
Predictable Resource Location
Uncovers hidden Web site content and functions.
Signatures triggered by this attack
The Web Application Security signatures triggered by Information Disclosure attacks include:
Table 12. Information Disclosure signatures
Signature name and description
HTTP_Apache_ServerInfo
Looks for an HTTP request with the Apache server-info handler specified.
More information:
IBM X-Force: Apache HTTP Server server-info request has been detected (http://www.iss.net/security_center/static/16890.php)
HTTP_Apache_ServerStatus
Looks for an HTTP request with the Apache server-status handler specified.
More information:
IBM X-Force: Apache HTTP Server server-status request has been detected (http://www.iss.net/security_center/static/16889.php)
HTTP_Apache_Trailing_Slash
Detects attempts to view the source of PHP pages by exploiting a vulnerability that exists when the PHP site is hosted on a Windows Samba file share and the requested page name is appended with a \ to the .php file extension in the URL.
More information:
IBM X-Force: Apache HTTP Server Windows SMB shares information disclosure (http://www.iss.net/security_center/static/39158.php)
CVE-2007-6514 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6514)
HTTP_Bash_Shell_History
Detects HTTP URLs that contain */.bash_history or */.history.
This signature replaces HTTP_ShellHistory.
More information:
IBM X-Force: Cobalt RaQ Web server could reveal user’s command history (http://www.iss.net/security_center/static/1831.php)
CVE-1999-0408 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0408)
HTTP_ColdFusion_Debug
Detects an HTTP URL that contains the string *.cfm and that also has a parameter/value pair of mode=debug in the query string.
More information:
IBM X-Force: ColdFusion Debugging mode could allow the path to “.cfm” files to be revealed (http://www.iss.net/security_center/static/6792.php)
HTTP_FileTypeLnk
Detects an attempt to access a .lnk file (/*/*.lnk). Under some circumstances, an attacker might use such a file to gain access to privileged information on the client system.
This signature replaces HTTP_IE3_URL.
More information:
IBM X-Force: Microsoft Internet Explorer 3.0 allows remote command execution (http://www.iss.net/security_center/static/463.php)
HTTP_FileTypeUrl
Detects an attempt to access a .url file (/*/*.url). Under some circumstances, an attacker might use such a file to gain access to privileged information on the client system.
This signature replaces HTTP_IE3_URL.
More information:
IBM X-Force: Microsoft Internet Explorer 3.0 allows remote command execution (http://www.iss.net/security_center/static/463.php)
CVE-1999-0280 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0280)
HTTP_FrontPage_Authors
Detects a request for the author’s password.
More information:
IBM X-Force: Microsoft FrontPage Extensions authors.pwd file could reveal encrypted passwords (http://www.iss.net/security_center/static/3393.php)
HTTP_FrontPage_PWD
Detects a request for the Administrator’s password.
More information:
IBM X-Force: Microsoft FrontPage Extensions administrators.pwd file could reveal encrypted passwords (http://www.iss.net/security_center/static/3390.php)
HTTP_IIS_Obtain_Code
Detects HTTP GET requests that include the string +.htr, which might indicate an attempt by an attacker to view the source of files on the Web server.
More information:
IBM X-Force: Microsoft IIS allows remote attackers to obtain source code fragments using +.htr (http://www.iss.net/security_center/static/5104.php)
CVE-2000-0630 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0630)
HTTP_IIS_Track
Looks for an HTTP request that uses the TRACK method. This leads to returning sensitive information from the server. IIS does not properly log this request.
More information:
IBM X-Force: Microsoft Internet Information Server (IIS) fails to properly log HTTP TRACK requests (http://www.iss.net/security_center/static/14077.php)
HTTP_IIS_Trailing_Incomplete_Unicode
Detects specially-crafted URLs that contain a trailing %81 through %fe. Such URLs might indicate an attacker’s attempt to cause a server to return an original file, rather than executing the file, which might reveal critical information about the server to the attacker. Server source code often contains hidden passwords, hidden file names, or easy-to-discover bugs. The attacker can then use this hidden information to break into the server.
More information:
IBM X-Force: Microsoft IIS using double-byte code pages could allow remote attackers to retrieve source code (http://www.iss.net/security_center/static/2302.php)
CVE-1999-0725 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0725)
HTTP_JSP_SourceRead
Detects a URL ending with the file name extension .jsp or .jhtml where any of the letters in the extension are not lowercase.
More information:
IBM X-Force: BEA WebLogic allows users to read source of JSP files (http://www.iss.net/security_center/static/4694.php)
CVE-2000-0499 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0499)
HTTP_Microsoft_Error_Report
Detects the reporting of a Windows application error such as a crashed or stopped process.
More information:
IBM X-Force: Microsoft Windows error report transmission detected (http://www.iss.net/security_center/static/29253.php)
HTTP_Netscape_List_Directories
Detects the use of an HTTP INDEX request that Netscape Enterprise Web servers support. An attacker can use this request to gain access to sensitive information.
Known false positives: A false positive is possible for legitimate HTTP INDEX requests. Though there are legitimate reasons for HTTP INDEX requests, such a request can be used by an attacker to gain access to sensitive information about Netscape Enterprise Web servers.
More information:
IBM X-Force: Netscape Enterprise Server allows remote directory listing (http://www.iss.net/security_center/static/5997.php)
CVE-2001-0250 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0250)
HTTP_Netware_DirList
Detects an HTTP command consisting of get (lowercase) and a URL of /.
More information:
IBM X-Force: Novell NetWare GET allows directory listing (http://www.iss.net/security_center/static/6988.php)
CVE-2001-1232 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1232)
HTTP_Orion_JSP_SourceRead
Detects a URL ending with the file name extension .jsp (.jsp followed by a space).
More information:
IBM X-Force: Orion Application Server JSP source code disclosure (http://www.iss.net/security_center/static/25405.php)
CVE-2006-0816 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0186)
HTTP_Passwd_Txt
Detects HTTP GET requests for the passwd.txt file.
More information:
IBM X-Force: WWWBoard’s administrator password file is remotely accessible (http://www.iss.net/security_center/static/3383.php)
CVE-1999-0953 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0953)
HTTP_PHP_Addslashes_ViewFiles
Detects a specially-crafted URL that might be used to view arbitrary files on the system.
More information:
IBM X-Force: PHP addslashes view files (http://xforce.iss.net/xforce/xfdb/18516)
CVE-2004-1020 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1020)
HTTP_PHPNuke_Admin_Overwrite
Detects an HTTP URL that contains the string */admin.php, and also uses a query string that starts with upload.
More information:
IBM X-Force: PHP-Nuke admin.php could allow remote attackers to upload and overwrite files
CVE-2001-1032
HTTP_POST_Filename_passwd
Detects an HTTP POST command that references a file name that includes the string */passwd or the string */shadow.
More information:
IBM X-Force: passwd file accessed (http://www.iss.net/security_center/static/1069.php)
HTTP_POST_Filename_sam
Detects an HTTP POST command that references a file name that includes the string */sam._.
More information:
IBM X-Force: Access attempt made to Windows NT SAM (Security Accounts Manager) file or its backup (http://www.iss.net/security_center/static/3708.php)
HTTP_PsaPhp_RevealSource
Detects HTTP URLs that have a path that begins with /~ and that references a file name that contains the string *.php.
Known false positives: HTTP requests for URLs detected by this signature are only a risk if the Plesk Server Administrator (PSA) program for Unix and Linux® Web servers is installed.
More information:
IBM X-Force: Plesk Server Administrator (PSA) reveals PHP source code (http://www.iss.net/security_center/static/7735.php)
CVE-2001-1222 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1222)
HTTP_Server_ID
Detects server ID requests and lists any information disclosed as a result of this command.
Note: This security event is categorized as an audit event. It does not necessarily indicate an attack or threat on your network.
More information:
IBM X-Force: HTTP server identity audit (http://www.iss.net/security_center/static/8649.php)
HTTP_Tunnel_Not_TLS_or_SSL
Detects an HTTP CONNECT request where the tunnelled data does not immediately begin with an SSL or TLS hello exchange.
While this signature does not indicate an attack on your network, it does indicate traffic that might be considered suspicious in an environment where HTTP tunnelling is expected only by HTTP proxies to secure Web sites.
Known false negatives: Unnaturally fragmented data streams might generate a false negative indication of this condition.
More information:
IBM X-Force: HTTP unencrypted CONNECT security bypass (http://www.iss.net/security_center/static/27958.php)
HTTP_Unix_Passwords
Detects an HTTP GET request for a passwd or shadow password file.
More information:
IBM X-Force: passwd file accessed (http://www.iss.net/security_center/static/1069.php)
HTTPS_Proxy_Info_Disclosure
Detects Basic Authentication over a proxy server for HTTPS communications that might lead to possible information disclosure.
More information:
IBM X-Force: Microsoft Internet Explorer HTTPS proxy authentication information disclosure (http://www.iss.net/security_center/static/23451.php)
34
Proventia Web Application Security:Configuration Guide
Tivoli_LCF_File_Read
Detects an HTTP GET request that manipulates the Tivoli® LCF log file parameter, possibly
to read files with elevated privileges.
More information:
IBM X-Force: IBM Tivoli LCF httpd can be used to remotely access files as root
(http://www.iss.net/security_center/static/3927.php)
CVE-2000-1239 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1239)
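The two proxy-related signatures in Table 12, HTTP_Tunnel_Not_TLS_or_SSL and HTTPS_Proxy_Info_Disclosure, describe checks that can be reproduced on a captured CONNECT session. The following Python is an added example written for this page; it is not Proventia code and not from IBM. It parses the CONNECT request head, flags a Basic Proxy-Authorization header (whose base64 token decodes straight back to the cleartext user:password, which is the disclosure), and classifies the first bytes the client sends through the tunnel as a TLS ClientHello, an SSLv2 CLIENT-HELLO, or something else. The request and tunnel bytes are constructed samples, and the function names, the exact byte checks and the 6-byte decision threshold are this example's own choices. The segments are buffered before a verdict is given, which is what an implementation has to do to avoid the fragmentation false negative noted above.

```python
import base64
import binascii
import re

# CONNECT request line as sent to a forward proxy: CONNECT host:port HTTP/1.x
CONNECT_RE = re.compile(rb"^CONNECT[ \t]+(?P<host>[^\s:]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01]$")
# A TLS record header (5 bytes) plus the handshake type, or an SSLv2 2-byte header plus
# message type and version, both fit in the first 6 bytes the client sends (example's threshold).
MIN_BYTES = 6


def classify_tunnel_start(data: bytes) -> str:
    """Classify the client's first tunnel bytes: "tls_hello", "sslv2_hello", "not_hello",
    or "need_more" when fewer than MIN_BYTES have arrived and a verdict would be premature."""
    if len(data) < MIN_BYTES:
        return "need_more"
    # TLS: content type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01:
        return "tls_hello"
    # SSLv2: 2-byte header with the high bit set, msg type 0x01 (CLIENT-HELLO), version major
    # 0x00 (SSLv2) or 0x03 (an SSLv2-format hello that offers SSLv3/TLS)
    if data[0] & 0x80 and data[2] == 0x01 and data[3] in (0x00, 0x03):
        return "sslv2_hello"
    return "not_hello"


def parse_connect(request: bytes):
    """Parse a CONNECT request head into (host, port, headers) with lower-cased header names."""
    head = request.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    m = CONNECT_RE.match(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.group("host").decode("ascii"), int(m.group("port")), headers


def basic_proxy_credentials(headers):
    """Return the cleartext user:password from a Basic Proxy-Authorization header, else None."""
    scheme, _, token = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def inspect_connect_session(request: bytes, client_segments):
    """Evaluate one CONNECT request plus the client's first tunnel segments.
    Segments are buffered until MIN_BYTES are available; judging each fragment on its
    own is what turns a fragmented stream into the false negative the guide notes."""
    parsed = parse_connect(request)
    if parsed is None:
        return None
    host, port, headers = parsed
    events = []
    creds = basic_proxy_credentials(headers)
    if creds is not None:
        events.append("HTTPS_Proxy_Info_Disclosure")
    buf, verdict = b"", "need_more"
    for seg in client_segments:
        buf += seg
        verdict = classify_tunnel_start(buf)
        if verdict != "need_more":
            break
    if verdict == "not_hello":
        events.append("HTTP_Tunnel_Not_TLS_or_SSL")
    return {"host": host, "port": port, "tunnel": verdict, "events": sorted(events),
            "proxy_credentials": creds}


# Constructed sample traffic for this example (not a real capture).
SAMPLE_CONNECT_WITH_BASIC = (b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n"
                             b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
SAMPLE_CONNECT_PLAIN = b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"
SAMPLE_TLS_SEGMENTS = [b"\x16\x03", b"\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"]  # ClientHello split in two
SAMPLE_HTTP_SEGMENTS = [b"GE", b"T / HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"]  # cleartext HTTP, split
SAMPLE_SSLV2 = b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00\x00\x10"  # SSLv2 CLIENT-HELLO, version 0x0002

if __name__ == "__main__":
    print(inspect_connect_session(SAMPLE_CONNECT_WITH_BASIC, SAMPLE_TLS_SEGMENTS))
    print(inspect_connect_session(SAMPLE_CONNECT_PLAIN, SAMPLE_HTTP_SEGMENTS))
    print(inspect_connect_session(SAMPLE_CONNECT_PLAIN, SAMPLE_TLS_SEGMENTS[:1]))  # fragment only: no verdict
```

Run stand-alone, the first session reports only HTTPS_Proxy_Info_Disclosure (the tunnel payload is a real ClientHello, but the proxy credentials were sent in the clear), the second reports HTTP_Tunnel_Not_TLS_or_SSL because plain HTTP is being pushed through the tunnel, and the third returns no event at all: with only two bytes seen, the checker has to wait for more data, and a detector that instead reported "not a hello" on that fragment, or that gave up on it, is the false negative case the signature description warns about.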
Configuring responses to prevent Information Disclosure attacks
Use this procedure to configure responses for the signatures that Web Application Security
triggers after it detects an Information Disclosure attack in network traffic.
Procedure
1. Click Protection Categories → Information Disclosure in the navigation pane.
2. Set a response for the attack triggered by the Information Disclosure protection
category:
To display the security event on the SiteProtector Console, select the Display check
box. The security event is displayed in the Analysis view on the SiteProtector Console
for the agent when the Web Application Security signatures detect it.
Note: Look for security events tagged with webapplicationsecurity.
To block the attack, select the Block check box. The attack is blocked by dropping all
packets on the connection that triggered the security event.
Important: IBM X-Force recommends that you disable blocking for Information
Disclosure attacks, because you could unintentionally block legitimate connections.
Tip: Run the Web Application Security wizard a couple of times with only the Display
response enabled so that you can determine which Web applications pose the greatest
security threat to your network.
Injection attacks
This type of attack allows an attacker to inject code into a program or query, or to inject
malware onto a computer, in order to execute remote commands that can read or modify a
database or change data on a Web site.
Types of Injection attacks
The following types of attacks are considered Injection attacks:
Table 13. Injection attacks
Attack type and description
Blind SQL Injection
Allows an attacker to ask a series of true or false questions using injected SQL statements
and to infer each answer from how the application responds (for example, a generic error
page versus a normal page), even though the query results themselves are never displayed,
in order to gain total control of the database or execute commands on the system.
Blind XPath Injection
Allows an attacker who does not know the structure of an XML document to use methods
that attempt to determine the structure of the document.
Buffer Overflow
Alters the flow of an application by overwriting parts of memory.
Format String Attack
Alters the flow of an application by using string formatting library features to access other
memory space.
In this type of attack, data provided by users might be used as the format string input for
certain C/C++ functions (for example: fprintf, printf, sprintf, setproctitle, syslog).
LDAP Injection
Exploits Web sites that construct LDAP (Lightweight Directory Access Protocol) statements
from data provided by users.
In this type of attack, an attacker might modify LDAP statements using a local proxy in
order to execute arbitrary commands (granting permissions to unauthorized queries) or
modify the content of the LDAP tree.
OS Commanding
Exploits Web sites by injecting an operating system command through an HTTP request to
the Web application.
In this type of attack, an attacker might upload malicious programs or obtain passwords.
SQL Injection
Takes advantage of the SQL syntax to inject commands that can read or modify a database,
or compromise the meaning of the original SQL query.
In this type of attack, an attacker can spoof identity; expose, tamper with, destroy, or make
existing data unavailable; or become the administrator of the database server.
SSI Injection
Allows an attacker to send code to a Web application, which the Web server later executes
locally.
In this type of attack, an attacker exploits the failure of the Web application to filter data
provided by users before it inserts that data into a server-side interpreted HTML file.
XPath Injection
Exploits Web sites that allow an attacker to inject data into an application in order to
execute XPath queries. (XPath is a query language that describes how to locate specific
elements, such as attributes or processing instructions, in an XML document.)
In this type of attack, the attacker might be able to bypass authentication or access
information without proper authorization.
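To make the SQL Injection row of Table 13 and the HTTP_GET_SQL_* and HTTP_POST_SQL_* signatures in Table 14 concrete, here is an added Python example written for this page (it is not Proventia code and not from IBM). It places a deliberately vulnerable lookup against a constructed SQLite table beside its parameterized fix, then applies a request-side matcher whose keyword patterns are named after the Table 14 signatures to decoded GET query strings and POST bodies. The regular expressions, the sample table and payloads, and the three keyword arguments standing in for the pam.injection.http.hostpath.enabled, pam.injection.http.headers.enabled and pam.injection.param.ignore tuning parameters are this example's assumptions; the guide does not publish Proventia's actual matching rules or the parameters' exact semantics.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, unquote_plus


def make_db() -> sqlite3.Connection:
    """Constructed sample database for this example: two users with a secret each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_unsafe(conn, name: str):
    """Deliberately vulnerable: user data is spliced into the SQL text, so a quote in
    `name` changes the meaning of the original query (the Table 13 description)."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name: str):
    """Hardened form: a bound parameter is always data, never SQL syntax."""
    return sorted(row[0] for row in conn.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)))


# Request-side patterns named after the Table 14 signatures. The guide does not publish
# Proventia's matching rules; these regexes are an approximation written for this example.
SQL_SIGNATURES = {
    "ComputeSum": re.compile(r"\bcompute\s+sum\b", re.I),
    "CreateTable": re.compile(r"\bcreate\s+table\b", re.I),
    "GroupBy": re.compile(r"\bgroup\s+by\b", re.I),
    "SQL_Convert_Int": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "SQL_OpenRowSet": re.compile(r"\bopenrowset\b", re.I),
    "SQL_Select_Count": re.compile(r"\bselect\s+count\s*\(\s*\*\s*\)", re.I),
    "SQL_Select_Top_1": re.compile(r"\bselect\s+top\s+1\b", re.I),
    "SQL_UnionAllSelect": re.compile(r"\bunion\s+all\s+select\b", re.I),
    "SQL_UnionSelect": re.compile(r"\bunion\s+select\b", re.I),
    "SQL_WaitForDelay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "XP_Cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}


def match_sql_signatures(method: str, target: str, body: str = "", headers=None,
                         inspect_hostpath: bool = False, inspect_headers: bool = False,
                         ignore_params=()):
    """Return the HTTP_GET_*/HTTP_POST_* signature names a request would trigger.
    The keyword arguments stand in for pam.injection.http.hostpath.enabled,
    pam.injection.http.headers.enabled and pam.injection.param.ignore; their real
    semantics are assumed here, not quoted from the product."""
    if method not in ("GET", "POST"):
        return []
    path, _, query = target.partition("?")
    encoded = query if method == "GET" else body
    # parse_qsl decodes %xx and turns '+' into a space, which is why a harmless search
    # for "reading group by topic" fires GroupBy: the known false positive from Table 14.
    pieces = [f"{k}={v}" for k, v in parse_qsl(encoded, keep_blank_values=True)
              if k not in ignore_params]
    if inspect_hostpath:
        pieces.append(unquote_plus(path))
    if inspect_headers and headers:
        pieces.extend(headers.values())
    haystack = "\n".join(pieces)
    return sorted(f"HTTP_{method}_{name}"
                  for name, rx in SQL_SIGNATURES.items() if rx.search(haystack))


# Constructed sample payload: closes the quoted literal and appends a UNION SELECT.
UNION_PAYLOAD = "x' UNION SELECT secret FROM users WHERE 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, UNION_PAYLOAD))   # every secret in the table leaks
    print(lookup_safe(db, UNION_PAYLOAD))     # no such user, nothing returned
    print(match_sql_signatures("POST", "/login", "user=x%27+UNION+SELECT+secret+FROM+users--"))
    print(match_sql_signatures("GET", "/search?q=reading+group+by+topic"))
    print(match_sql_signatures("GET", "/search?q=reading+group+by+topic", ignore_params=("q",)))
```

The matcher decodes before matching, so group+by and group%20by are the same string to it, exactly the condition the Known false positives notes for HTTP_GET_GroupBy and HTTP_POST_GroupBy describe; excluding the free-text parameter through ignore_params is the tuning move that corresponds to pam.injection.param.ignore under this example's reading of that parameter. Note also that UNION ALL SELECT is matched only by the UnionAllSelect pattern, because the intervening ALL prevents the UnionSelect pattern from matching.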
Signatures triggered by this attack
The Web Application Security signatures triggered by Injection attacks include:
Table 14. Injection Attack signatures
Signature name and description
HTTP_GET_ComputeSum
Detects attempts to execute the database command COMPUTE SUM through an HTTP GET
request.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP GET contains compute%sum (http://www.iss.net/security_center/static/9604.php)
HTTP_GET_CreateTable
Detects attempts to execute the database command CREATE TABLE through an HTTP GET
request.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP GET contains create%table (http://www.iss.net/security_center/static/9600.php)
HTTP_GET_GroupBy
Detects attempts to execute the database command GROUP BY through an HTTP GET
request.
Known false positives: A false positive for this signature is possible when a user sends a
request to an HTTP server that contains the string group by or group+by.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP GET contains group%by (http://www.iss.net/security_center/static/9602.php)
HTTP_GET_SQL_Convert_Int
Detects use of the SQL function convert(int, ...) in HTTP GET requests.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL Injection CONVERT statement usage
(http://www.iss.net/security_center/static/22250.php)
HTTP_GET_SQL_OpenRowSet
Checks HTTP GET requests for usage of the OPENROWSET SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "OPENROWSET" statement usage
(http://www.iss.net/security_center/static/11566.php)
HTTP_GET_SQL_Select_Count
Detects the SQL expression select count(*) in HTTP GET requests.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: SQL injection SELECT count detected
(http://www.iss.net/security_center/static/26128.php)
HTTP_GET_SQL_Select_Top_1
Detects the SQL expression select top 1 in HTTP GET requests.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL injection SELECT statement usage
(http://www.iss.net/security_center/static/22248.php)
HTTP_GET_SQL_UnionAllSelect
Checks HTTP GET requests for usage of the UNION ALL SELECT SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage
(http://www.iss.net/security_center/static/11567.php)
HTTP_GET_SQL_UnionSelect
Checks HTTP GET requests for usage of the UNION SELECT SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "UNIONSELECT" statement usage
(http://www.iss.net/security_center/static/11568.php)
HTTP_GET_SQL_WaitForDelay
Checks HTTP GET requests for usage of the WAITFOR DELAY SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage
(http://www.iss.net/security_center/static/11569.php)
HTTP_GET_XP_Cmdshell
Detects attempts to execute the Microsoft SQL Server xp_cmdshell extended stored
procedure through an HTTP GET request.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP URL contains an SQL xp_cmdshell command shell request
(http://www.iss.net/security_center/static/8579.php)
HTTP_IIS_MSSQL_xml
Checks for an HTTP GET request that either matches the pattern *.xml or carries an SQL
injection using FOR XML, where the contenttype argument is longer than 239 characters.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: Microsoft SQL Server SQLXML ISAPI buffer overflow
(http://www.iss.net/security_center/static/9328.php)
CVE-2002-0186 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0186)
HTTP_IIS_MSSQL_XML_Script
Checks for an HTTP GET request that matches the pattern *.xml and has an argument
containing script injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: Microsoft SQL Server SQLXML XML tag script injection
(http://www.iss.net/security_center/static/9329.php)
CVE-2002-0187 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0187)
HTTP_POST_ComputeSum
Detects attempts to execute the database command COMPUTE SUM through an HTTP POST
request.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP POST contains compute%sum (http://www.iss.net/security_center/static/9605.php)
HTTP_POST_CreateTable
Detects attempts to execute the database command CREATE TABLE through an HTTP POST
request.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP POST contains create%table (http://www.iss.net/security_center/static/9601.php)
HTTP_POST_GroupBy
Detects attempts to execute the database command GROUP BY through an HTTP POST
request.
Known false positives: A false positive for this signature is possible when a user sends a
request to an HTTP server that contains the string group by or group+by.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP POST contains group%by (http://www.iss.net/security_center/static/9603.php)
HTTP_POST_SQL_Convert_Int
Detects use of the SQL function convert(int, ...) in HTTP POST requests.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL Injection CONVERT statement usage
(http://www.iss.net/security_center/static/22250.php)
HTTP_POST_SQL_OpenRowSet
Checks HTTP POST requests for usage of the OPENROWSET SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "OPENROWSET" statement usage
(http://www.iss.net/security_center/static/11566.php)
HTTP_POST_SQL_Select_Count
Detects the SQL expression select count(*) in HTTP POST requests.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: SQL injection SELECT count detected
(http://www.iss.net/security_center/static/26128.php)
HTTP_POST_SQL_Select_Top_1
Detects the SQL expression select top 1 in HTTP POST requests.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL injection SELECT statement usage
(http://www.iss.net/security_center/static/22248.php)
HTTP_POST_SQL_WaitForDelay
Checks HTTP POST requests for usage of the WAITFOR DELAY SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "WAITFORDELAY" statement usage
(http://www.iss.net/security_center/static/11569.php)
HTTP_POST_SQL_UnionAllSelect
Checks HTTP POST requests for usage of the UNION ALL SELECT SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "UNIONALLSELECT" statement usage
(http://www.iss.net/security_center/static/11567.php)
HTTP_POST_SQL_UnionSelect
Checks HTTP POST requests for usage of the UNION SELECT SQL statement.
Note: This does not necessarily indicate there is an attack on the network, but it might be
an attempt at SQL injection.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP SQL "UNIONSELECT" statement usage
(http://www.iss.net/security_center/static/11568.php)
HTTP_POST_XP_Cmdshell
Detects attempts to execute the Microsoft SQL Server xp_cmdshell extended stored
procedure through an HTTP POST request.
Reference: See the XPath Injection signature for descriptions and values of these tuning
parameters:
  pam.injection.http.headers.enabled
  pam.injection.http.hostpath.enabled
  pam.parser.argument.injection.enabled
  pam.injection.param.ignore
More information:
IBM X-Force: HTTP POST command contains SQL command shell request
(http://www.iss.net/security_center/static/8647.php)
HTTP_Shells_C
Detects attempts to cause the C shell to execute commands.
This signature detects any calls to the C shell at any location (not only the cgi-bin
directory) within or outside the Web server.
This signature replaces HTTP_Shells.
More information:
IBM X-Force: Shell interpreters can be used to execute commands on Web servers
(http://www.iss.net/security_center/static/146.php)
CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)
HTTP_Shells_Ksh
Detects attempts to cause the Korn shell to execute commands.
This signature detects any calls to the Korn shell at any location (not only the cgi-bin
directory) within or outside the Web server.
This signature replaces HTTP_Shells.
More information:
IBM X-Force: Shell interpreters can be used to execute commands on Web servers
(http://www.iss.net/security_center/static/146.php)
CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)
HTTP_Shells_Perl
Detects attempts to cause the Perl interpreter to execute commands.
This signature detects any calls to the Perl interpreter at any location (not only the cgi-bin
directory) within or outside the Web server.
This signature replaces HTTP_Shells.
More information:
IBM X-Force: Shell interpreters can be used to execute commands on Web servers
(http://www.iss.net/security_center/static/146.php)
CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)
HTTP_Shells_Perl_Exe
Detects attempts to cause the Perl interpreter (perl.exe) to execute commands.
This signature detects any calls to the Perl interpreter at any location (not only the cgi-bin
directory) within or outside the Web server.
This signature replaces HTTP_Shells.
More information:
IBM X-Force: Shell interpreters can be used to execute commands on Web servers
(http://www.iss.net/security_center/static/146.php)
CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)
HTTP_Shells_Rksh
Detects attempts to cause the restricted Korn shell to execute commands.
This signature detects any calls to the restricted Korn shell at any location (not only the
cgi-bin directory) within or outside the Web server.
This signature replaces HTTP_Shells.
More information:
IBM X-Force: Shell interpreters can be used to execute commands on Web servers
(http://www.iss.net/security_center/static/146.php)
CVE-1999-0509 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0509)
HTTP_Shells_Sh
Detects attempts to cause the Bourne shell to execute commands.
Unlike the other HTTP_Shells_* signatures, this signature detects calls to the Bourne shell
only in the cgi-bin directory.
This signature replaces HTTP_Shells.
More information:
IBM X-Force: Shell interpreters can be used to execute commands on Web servers