I am new to security.
I want to identify suspicious users on a web application by analyzing its web access log file. For this, I am considering CSRF attacks.
For this purpose, I am generating some heuristic (possible) rules for identifying suspicious users from the web log. I am not confident, but I have still guessed some rules.
In the web log:
1. The Referer URL is blank or does not match the requested URL's domain name.
For example:
192.168.4.6 [10/Oct/2007:13:55:36 0700] "GET /trx.php?amt=100&toAcct=12345 HTTP/1.0" 200 4926 "http://www.attacker.com/freestuff.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
Two fields are important here: the requested URL (/trx.php?amt=100&toAcct=12345) and the referer ("http://www.attacker.com/freestuff.php"). Usually, the referer is a URL from the same site (www.bank.com). Here is a sample Perl snippet showing how this could be detected:
use strict;
use warnings;

# assuming $referer is set with the, well, referer (here taken from the first argument)
my $referer = $ARGV[0] // '';
# dots are escaped so that a host like "wwwXbankXcom" does not match; the pattern is anchored at the start
if ( ( $referer ne '' ) && ( $referer !~ m{^https?://www\.bank\.com/(login|overview|trx)\.jsp} ) )
{
    # handle XSRF attack
    print("XSRF attack: $referer\n");
}
2. The HTTP status is 403, i.e. Access Denied
(if the CSRF token is not sent, or an invalid CSRF token is sent, in requests that require a CSRF token). So checking for a 403 status will be included here, because the token itself cannot be checked in the log file.
3. By measuring the time difference between the requests of a user.
If there was no user input for several minutes and then suddenly some transfer requests come in, it could be an indicator that the request was triggered by something/someone else. Here it will be necessary to check the time difference against a threshold value for requests from the same IP address. (Along with this, check whether values are present after the ? symbol, whether they are 'pass', 'password', 'amount', 'amt', 'money', or any link, and whether the user's request status is 200, i.e. successful/OK.)
4. Multiple (repeated) POST requests from a single IP address also point to CSRF.
Idempotent methods and web applications
Methods PUT and DELETE are defined to be idempotent, meaning that multiple identical requests should have the same effect as a single request (note that idempotent refers to the state of the system after the request has completed, so while the action the server takes (e.g. deleting a record) or the response code it returns may be different on subsequent requests, the system state will be the same every time). Methods GET, HEAD, OPTIONS and TRACE, being prescribed as safe, should also be idempotent, as HTTP is a stateless protocol.
In contrast, the POST method is not necessarily idempotent, and therefore sending an identical POST request multiple times may further affect state or cause further side effects (such as financial transactions). In some cases this may be desirable, but in other cases this could be due to an accident, such as when a user does not realize that their action will result in sending another request, or they did not receive adequate feedback that their first request was successful. While web browsers may show alert dialog boxes to warn users in some cases where reloading a page may re-submit a POST request, it is generally up to the web application to handle cases where a POST request should not be submitted more than once.
5. A website might allow deletion of a resource through a URL such as http://example.com/article/1234/delete, which, if arbitrarily fetched, even using GET, would simply delete the article. (I don't know what to do here)
I know CSRF identification from a log file is difficult, so I am mentioning possible ways (i.e. heuristics) here. If anything is wrong, please correct it. Any more rules/help would be appreciated.
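As an added example (not part of the question above), here are rules 1 to 4 turned into a small Python script that parses access-log lines in the Apache/nginx "combined" format and flags the source IPs they hit. The protected hostname www.bank.com, the sensitive parameter names, the idle and repetition thresholds, and the six sample log lines are all constructed for the example; the only attacker.com line mirrors the one quoted in the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Assumptions for this example: the protected site, the query parameter names
# from rule 3, and the thresholds for rules 3 and 4.
SITE_HOST = "www.bank.com"
SENSITIVE_PARAMS = {"pass", "password", "amount", "amt", "money"}
IDLE_THRESHOLD = timedelta(minutes=5)    # rule 3: idle gap before a sudden transfer
REPEAT_WINDOW = timedelta(seconds=10)    # rule 4: window for identical POSTs
REPEAT_COUNT = 3                         # rule 4: how many POSTs in the window

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
192.168.4.6 - - [10/Oct/2007:13:55:36 -0700] "GET /overview.jsp HTTP/1.0" 200 1200 "http://www.bank.com/login.jsp" "Mozilla/4.0"
192.168.4.6 - - [10/Oct/2007:14:07:12 -0700] "GET /trx.php?amt=100&toAcct=12345 HTTP/1.0" 200 4926 "http://www.attacker.com/freestuff.php" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2007:14:07:20 -0700] "POST /trx.php HTTP/1.0" 403 512 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2007:14:07:21 -0700] "POST /trx.php HTTP/1.0" 403 512 "-" "Mozilla/4.0"
10.0.0.9 - - [10/Oct/2007:14:07:22 -0700] "POST /trx.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
172.16.0.3 - - [10/Oct/2007:14:07:30 -0700] "GET /login.jsp HTTP/1.0" 200 900 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    url = urlparse(e["target"])
    e["path"] = url.path
    e["params"] = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    ref = e["referer"]
    e["referer_host"] = urlparse(ref).hostname if ref and ref != "-" else None
    return e


def is_state_changing(e):
    """POSTs, or GETs carrying a transaction-like parameter, are the CSRF-relevant requests."""
    return e["method"] == "POST" or bool(e["params"] & SENSITIVE_PARAMS)


def analyse(lines):
    """Apply rules 1 to 4 and return (ip, rule, line_number) findings."""
    findings = []
    last_seen = {}                      # ip -> timestamp of its previous request
    recent_posts = defaultdict(deque)   # (ip, path) -> timestamps of recent POSTs
    for n, line in enumerate(lines, 1):
        e = parse_line(line)
        if e is None:
            continue
        ip, changing = e["ip"], is_state_changing(e)

        # Rule 1: blank or off-site Referer, only on requests that change state.
        if changing:
            if e["referer_host"] is None:
                findings.append((ip, "blank_referer", n))
            elif e["referer_host"] != SITE_HOST:
                findings.append((ip, "offsite_referer", n))

        # Rule 2: 403 on a token-protected (state-changing) request.
        if changing and e["status"] == 403:
            findings.append((ip, "forbidden_on_token_endpoint", n))

        # Rule 3: successful state-changing request right after a long idle gap.
        prev = last_seen.get(ip)
        if changing and e["status"] == 200 and prev is not None and e["ts"] - prev > IDLE_THRESHOLD:
            findings.append((ip, "burst_after_idle", n))
        last_seen[ip] = e["ts"]

        # Rule 4: the same POST repeated from one IP inside a short window.
        if e["method"] == "POST":
            q = recent_posts[(ip, e["path"])]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > REPEAT_WINDOW:
                q.popleft()
            if len(q) == REPEAT_COUNT:  # fire once, when the threshold is reached
                findings.append((ip, "repeated_post", n))
    return findings


def suspicious_ips(findings):
    """Collapse findings into ip -> set of rule names that fired."""
    out = defaultdict(set)
    for ip, rule, _ in findings:
        out[ip].add(rule)
    return dict(out)


if __name__ == "__main__":
    for ip, rules in suspicious_ips(analyse(SAMPLE_LOG.splitlines())).items():
        print(ip, sorted(rules))
```

Two caveats apply when this is run against real logs: browsers legitimately omit the Referer (privacy settings, HTTPS-to-HTTP navigation, referrer policies), which is why the example only counts a blank Referer on state-changing requests; and a run of 403s may just as well be a scanner or a user with an expired session as a CSRF attempt, so these rules rank IPs for review rather than prove an attack.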