Preventing log evasion in IIS

Monday, 29 August 2005, 4:18 PM EST

While performing a security review of Microsoft Internet Information Server (IIS), I started to explore IIS's logging capabilities and how they worked. Months earlier I discovered an issue in Sun One Application server that allowed an attacker to evade certain logging functionality by sending a carefully crafted request. With this in mind, I started looking at IIS to see if it had similar issues. I discovered that if an attacker sends more than 4,097 characters to any logged field, IIS will substitute the data within that field with three periods (i.e., ...).

By Robert Auger at the Web Application Security Consortium.
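As an added example (not code from the article or from Microsoft), the following sketch shows how a defender could scan IIS logs for entries where a field was replaced by three periods. It assumes the W3C extended log format with a `#Fields:` directive; the function name and the sample log lines are constructed for illustration.

```python
# Added example: find IIS W3C extended log entries in which a logged field
# was replaced by "...", the substitution described in the article.
SUBSTITUTION_MARKER = "..."

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-08-29 16:18:01 192.0.2.10 GET /index.asp id=7 200 Mozilla/4.0
2005-08-29 16:18:05 192.0.2.44 GET /search.asp ... 200 Mozilla/4.0
2005-08-29 16:18:09 192.0.2.44 GET /login.asp - 200 ...
2005-08-29 16:18:12 192.0.2.10 GET /broken
"""


def find_substituted_fields(lines):
    """Return (hits, malformed).

    hits: list of (line_no, [field names whose value is "..."], client_ip)
    malformed: line numbers whose column count does not match #Fields,
    which also deserve review because their content cannot be trusted.
    """
    fields, hits, malformed = [], [], []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it every time.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Version, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            malformed.append(line_no)
            continue
        record = dict(zip(fields, values))
        replaced = [name for name in fields
                    if record[name] == SUBSTITUTION_MARKER]
        if replaced:
            hits.append((line_no, replaced, record.get("c-ip", "-")))
    return hits, malformed


if __name__ == "__main__":
    found, bad = find_substituted_fields(SAMPLE_LOG.splitlines())
    for line_no, names, ip in found:
        print(f"line {line_no}: {', '.join(names)} replaced, client {ip}")
    print("malformed lines:", bad)
```

A hit only shows that the original value was not recorded, so the request content has to be recovered from another source such as a proxy or network capture.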

Copyright 1998-2014 by Help Net Security.