Exploitation

In this video, Paulo Silva will explain system monitoring and what to look for in the logs to indicate an attack.
Welcome back to the Insufficient Logging and Monitoring session. In this second part, we will exploit our target application while analyzing its logging and monitoring approach. We will jump straight to our intentionally vulnerable application, and then move on to the mitigation part. In our broken authentication session, we exploited our target application using a brute force attack called credential stuffing. We will do the same, but now we will focus on what is logged by our target application and what it looks like while it is under attack. To do that, we will access the Juice Shop server, running on a virtual machine on our own computer, using the terminal window in the top right corner of the screen.
Juice Shop runs in a Docker container and logs are kept locally. To be able to inspect the logs, we have to access the container itself. To do so, we run sudo docker exec -it juice-shop /bin/sh.
Inside the container, we can see a directory called logs, where log files are stored.
There are only access log files. Apparently there is no error logging at all, but we will discuss it later in the mitigation part. Let's see what is written to the log file while the user performs authentication in the web application. Let's type tail -n 0 -f, followed by the name of the access log file.
Now let's use the login form to log in as admin using a wrong password.
We've got three new entries. Two of them to the /rest/user/whoami endpoint, and the third one to the /rest/user/login endpoint.
The log entry includes the user's source IP, the request date and time, the endpoint, the URL the request came from, and finally, the user agent.
We also have the HTTP response status code, in this case 401. On a successful login, we should expect a 200 status code. Now we will keep monitoring the access log and start the credential stuffing attack in the terminal window at the bottom right of the screen. Let's first clear the screen and monitor the access log file using the same command. To start the credential stuffing attack, we run our script, passing the admin email address and a password list.
First, we have solved two Juice Shop challenges. We have done this before in our broken authentication session. Let's focus on the new entries in the log file in the top right terminal. We can see several new entries in the log file, all of them to the /rest/user/login endpoint, with a 401 HTTP response status code.
Suddenly, we have a 200 response status code to that same endpoint, meaning that we got the right password for the user account via our credential stuffing attack. Clearly, the logging does not include sufficient detail. We have several failed login attempts with the 401 response status code, but we don't know whether several accounts are being used or they are all targeting the same account. Which is the case? Juice Shop does not include any monitoring or alerting. Attackers may use different source IP addresses to perpetrate such attacks, and entries in the log file may be confused with regular activity. What we have here is definitely insufficient monitoring. Next we will discuss what makes the application vulnerable and how to prevent it.

In this video, you will learn more about system monitoring and what to look for in the logs to indicate an attack.

You will go through a demonstration with OWASP Juice Shop in this video so you can see what the system shows when it is under attack. Monitoring is important for identifying attacks as soon as possible so that you can limit the damage from the attack.
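The demonstration above leaves the detection work to the person watching the terminal. As an added example (not course material and not part of OWASP Juice Shop), the following Python script runs the check the video says is missing over a handful of constructed access-log lines: it counts 401 responses to the login endpoint per source IP inside a sliding time window, raises an alert when a burst crosses a threshold, and raises a second alert when a 200 follows such a burst from the same IP. It assumes the access log is in the common Apache/NCSA combined format, which carries exactly the fields the video lists (source IP, timestamp, request line, status, referrer, user agent); the sample lines, the threshold of five failures in sixty seconds, and the /rest/user/login path are the example's own choices.

```python
"""Spot a credential-stuffing burst in web access logs.

Added example, not part of the course or of OWASP Juice Shop. It assumes the
access log is in the Apache/NCSA "combined" format, which matches the fields
the video lists (source IP, timestamp, request, status, referrer, user agent).
The sample lines below are constructed, not captured from a real run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/rest/user/login"

# Constructed sample: a normal user (10.0.0.7) who mistypes a password once and
# then logs in, and one source (172.17.0.1) that fails six times in a few
# seconds and then succeeds, which is what the video's attack looks like.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Nov/2022:10:14:50 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "http://localhost:3000/" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2022:10:14:58 +0000] "POST /rest/user/login HTTP/1.1" 200 836 "http://localhost:3000/" "Mozilla/5.0"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:00 +0000] "GET /rest/user/whoami HTTP/1.1" 200 53 "http://localhost:3000/" "python-requests/2.28"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "http://localhost:3000/" "python-requests/2.28"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:01 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "http://localhost:3000/" "python-requests/2.28"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "http://localhost:3000/" "python-requests/2.28"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:02 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "http://localhost:3000/" "python-requests/2.28"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:03 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "http://localhost:3000/" "python-requests/2.28"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:03 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "http://localhost:3000/" "python-requests/2.28"
::ffff:172.17.0.1 - - [10/Nov/2022:10:15:04 +0000] "POST /rest/user/login HTTP/1.1" 200 836 "http://localhost:3000/" "python-requests/2.28"
"""

# Combined format: ip ident user [time] "METHOD path proto" status size "referrer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # ignore any query string
            "status": int(m["status"]),
            "agent": m["agent"],
        }


def detect_credential_stuffing(text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for login-failure bursts and for a success that follows one.

    Only the source IP is available to key on: the access log does not record
    the request body, so the account(s) being tried cannot be recovered from
    it. That is the gap the video calls insufficient logging.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of 401s inside the window
    alerts = []
    for e in parse_access_log(text):
        if e["method"] != "POST" or e["path"] != LOGIN_PATH:
            continue
        q = recent_failures[e["ip"]]
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if e["status"] == 401:
            q.append(e["ts"])
            if len(q) == threshold:  # fire once, when the burst crosses the line
                alerts.append({"type": "login_failure_burst", "ip": e["ip"],
                               "failures": len(q), "at": e["ts"]})
        elif e["status"] == 200 and len(q) >= threshold:
            # A success right after a burst of failures: likely a guessed password.
            alerts.append({"type": "success_after_failures", "ip": e["ip"],
                           "failures": len(q), "at": e["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_credential_stuffing(SAMPLE_LOG):
        print(f'{a["at"].isoformat()} {a["type"]} ip={a["ip"]} failures={a["failures"]}')
```

On the constructed sample this produces two alerts for 172.17.0.1 (the burst at the fifth 401, then the 200 that follows six failures) and none for 10.0.0.7, whose single failed attempt looks like an ordinary typo. The same script cannot tell whether the burst targets one account or many, which is the point the video makes: to alert per account, the application would have to log the attempted username alongside the failure, not only the request line.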

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals, created by FutureLearn - Learning For Life.
