Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Why don't we see more examples of web app attacks via POST? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Why don't we see more examples of web app attacks via POST?

Was just browsing my web logs again, and came across this stupid little SQL injection attempt:

GET //diary.html?storyid=3063//////////////-999.9+union+select+0-- HTTP/1.1

There were more like it. The reason I call this "stupid and simple" is that it probably didn't even work if I was vulnerable (mysql at least requires a space after the comment). So I was looking for other attempts (I found a few) but they had similar elemental mistakes, or used well known "bad" user agents that are frequently blocked (Firefox 3.5.9 ?! Really?)

So I was wondering: Why don't I see ever "better" attacks? One issue may be that web logs usually don't capture the "POST" request data. If you capture it at all, you capture it using a WAF or IDS if the request was suspect. Also, capturing full posts presents other problems. The data could be quite large, and may contain personal data that should better not be logged (usernames and passwords). 

Anybody got a good way of logging "sanitized" POST requests?


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Defending Web Applications Security Essentials - SANS Cloud Defender 2022


4308 Posts
ISC Handler
Jul 16th 2013

Indeed, in nearly every forensic case regarding web incidents I had to approach, logging was limited to GET requests.

The 3 main reasons appear to be: Missing knowledge, laziness and memory issue (sometimes explained as performance issues).



3 Posts
capturing POST requests can be indeed a problem if you run a website storing sensitive user information.

Another way raw request logging can be done, for Apache users, is to set up the mod_security module to log POST requests in the audit log. If you don't want to log everything, mod_security allows you to define filters for the kind of requests you want to log. As you mentioned, you may be wanting to avoid logging requests to specific pages, or those containing certain keywords (e.g, 'password'). This can be done with this extension.

If you're interested in a study that used this kind of information (logging of full raw HTTP requests) as starting point to understand how and why web attacks are carried out, you can have a look at the paper we published at NDSS this year: "Behind The Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web" (


1 Posts
ModSecurity ( has this functionality and at the right price too!

sanitiseArg -
sanitiseMatched -
sanitiseMatchedBytes -
sanitiseRequestHeader -
sanitiseResponseHeader -
2 Posts
For my webserver (a modified nweb). I do see POSTs from time to time.
INFO: Addr:
INFO: Date:Fri May 10 01:33:03 PDT 2013
INFO: request:POST\711 HTTP/1.0**Host:**X-Requested-With: XMLHttpRequest**Accep\t: application/json, text/javascript, */*; q=0.01**Connection: close**Content-L\ength: 117**Content-Type: application/x-www-form-urlencoded****:993


INFO: Addr:
INFO: Date:Tue Jun 11 16:17:59 PDT 2013
INFO: request:POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%\75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D\%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6\E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6\F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%\65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1\.1**Host: X.Y.Z.Q**User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +\**Content-Type: application/x-www-form-urlencode\d**Connection: Close**Content-Length: 263****:2150

That last is of course:
/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

I understand the second, I don't quite see where the .ru author is going in the first POST.


Sign Up for Free or Log In to start participating in the conversation!