Well Known Common Web Vulnerabilities
•Target: all of the above
•How: exploit web server/application server vulnerability, regardless of specific application deployed
•Log manifestation (path):
–non-application paths (or path fragments) – e.g. /bin/, winnt, system32, _vti_bin, _private, shtml.exe
–non-application files (especially executables) – e.g. cmd.exe, perl.exe, sh, application.cfm, global.asa, nph-test-cgi, test-cgi, showcode.asp
–weird (and uncommon) extensions – idq, ida, htw
–Encoding tricks
•False alarms: unlikely
Example
Remote command execution (IIS double decode bug): /scripts/..%255c..%255cwinnt/system32/cmd.exe?dir+c:\
and a few thousand more...
Can also span HTTP headers and script parameters
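
Added example (not from the original slides): a log scanner that applies the path indicators listed above to Common Log Format lines, decoding the path repeatedly so that double-encoded requests like the one in the example are normalized before matching. The function names, the log format and the sample lines are assumptions made for illustration; only the request path is checked, not headers or script parameters.

```python
import re
from urllib.parse import unquote

# Indicators copied from the slide; extend per server platform.
PATH_FRAGMENTS = ("/bin/", "winnt", "system32", "_vti_bin", "_private", "shtml.exe")
FILES = {"cmd.exe", "perl.exe", "sh", "application.cfm", "global.asa",
         "nph-test-cgi", "test-cgi", "showcode.asp"}
EXTENSIONS = (".idq", ".ida", ".htw")
# Request line inside a Common Log Format entry: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+)(?: HTTP/[\d.]+)?"')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable; return (decoded, passes that changed it)."""
    for rounds in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path, rounds
        path = decoded
    return path, max_rounds

def classify(request_uri):
    """Return the slide's indicators matched by the path of one request URI."""
    path, rounds = fully_decode(request_uri.partition("?")[0])
    path = path.replace("\\", "/").lower()  # treat both separators alike
    basename = path.rsplit("/", 1)[-1]
    hits = []
    if rounds > 1:  # more than one decode pass was needed: an encoding trick
        hits.append("encoding:multi-decode")
    hits += ["path:" + f for f in PATH_FRAGMENTS if f in path]
    if basename in FILES:  # exact file name, so "finish.html" does not match "sh"
        hits.append("file:" + basename)
    hits += ["ext:" + e for e in EXTENSIONS if basename.endswith(e)]
    return hits

def scan(log_lines):
    """Yield (uri, hits) for every log line with at least one indicator."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and (hits := classify(m.group(1))):
            yield m.group(1), hits

# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /products/finish.html HTTP/1.0" 200 1043',
    '192.0.2.66 - - [01/Jan/2003:10:00:05 +0000] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?dir+c:\\ HTTP/1.0" 200 512',
    '192.0.2.66 - - [01/Jan/2003:10:00:09 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Matching file names against the whole last path segment rather than as substrings is what keeps short entries such as `sh` from firing on ordinary pages.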