ISCAP Proceedings - 2023

Albuquerque NM, November 2023

2023 ISCAP Proceedings: Abstract Presentation

Web Application Attack Data Collected in the Wild

Geoff Stoker
University of North Carolina Wilmington

Thomas Janicki
University of North Carolina Wilmington

ABSTRACT In this article, we provide access to sets of attack data seen in the wild that were used against two different web applications in spring 2023. This data, we believe, will be of benefit to cybersecurity-interested teachers and students. We also conduct a brief analysis of the attack strings and offer suggestions about how this data might be used for instructional and learning purposes. 1. INTRODUCTION On April 10, 2023, an attacker attempted ~400 times to compromise a web application with a database backend being used to register users for an information technology event. Ten days later, an attacker tried over 550 times to compromise a different web application. The nearly 1,000 database records of attack data left behind provide an opportunity to observe and analyze an attack “in the wild” and, we expect, is likely of interest to cybersecurity teachers and students. 2. ATTACK DATA SETS The attack data is partly listed in Appendix A. We provide there the first 50 entries for each attack session and provide Dropbox links to two comma-separated value (CSV) files that contain the entire set of attack data. The two sets of attack data are noticeably different. The first set includes attempts at command injection ( where the attacker is trying to get the web application to pass known commands to the underlying operating system (Weilin, 2022). This set of attack data used the same string for the first and last name input text form elements for every entry: Kxvrbkwh Kxvrbkwh and tried inserting 390 different attack strings via the email input form element. Email input was limited to 75 characters, so while a few attack strings are truncated, most are complete. A brief Google search for Kxvrbkwh reveals that the same string has been used during attacks against other database-driven web applications over the past few years. Google returned “about 1,120 results” when we did the search. An example where “kXvrbKwH” can be seen is on the Balochistan Public Procurement Regulation Authority public complaints page: https://www. The second data set includes attempts at structured query language (SQL) injection ( SQL_Injection) where the attacker is submitting specially crafted SQL statements via the email input form element in an attempt to exploit the application’s backend database (Kingthorin, 2023). Email input was limited to 50 characters with this web application, so most attack strings are truncated and only a few may be listed in full. 3. POTENTIAL USE Besides potentially being of general interest to cybersecurity-curious students and educators, there are many ways in which this attack data could feasibly be used in a course. For example: • Assign one attack string for each student to research and then have them create a 15-30 second video reporting on what they learned. Have all students watch all videos. • Have teams of students investigate how an attack string could be successful and then have them create virtual machines (VM) configured to be vulnerable; demonstrate the attack use and effect in a short video. • Provide students with a VM hosting a vulnerable web application. Have them figure out what needs to be changed to prevent the attack and make the fix. 4. ATTACK EXAMPLES DISCUSSION We have not examined all attacks in detail but wanted to provide a brief discussion to better show how simply investigating and understanding an attack can be a valuable learning experience. In the first table in Appendix A, the fourth example attack string (highlighted) is: /../../../../../../../../../../windows/system32/BITSADMIN.exe This attack combines knowledge of relative path traversal with knowledge of the existence of a command-line Windows program, Background Intelligent Transfer Service (BITS). Students who get a solid grasp of the meaning of /../../../../../../../../../../ will have a better understanding of the hierarchical nature of computer file systems and how the symbols “..” can be referenced to access a higher-level directory regardless of its actual name. There is also the possibility they will discover which operating system family uses the forward slash (/) and which uses the back slash (\) when providing a multi-level directory path and learn to pay closer attention to those kinds of details. Students would also discover that the attacker was apparently trying to invoke BITS, which can be used to create jobs to upload or download files (White et al., 2019). With a bit of online research, they will learn that threat analysts have observed attackers making use of BITS to maintain a persistent foothold on computers through reboot involving the use of malware like KEGTAP and RYUK ransomware (Goody et al., 2020; Via & Runnels, 2021). Providing students with a selection of SQL injection strings from the second Appendix A table would quickly expose them to important ideas. Those with no database experience would see the structure/syntax and begin to appreciate the importance and intuitive meaning of commands like AND, OR, FROM, IF, and SELECT. Students both with and without database experience might see an array of more specialized commands, like JSON_KEYS, GTID_SUBSET, and UPDATEXML, that leads them to investigate what the commands do and why they are important to both developers and potential hackers. 5. CONCLUSION This brief article was created to simply share some attack data seen in the wild and suggest ways in which cybersecurity-interested students and instructors might make use of it.