HTTP-delivered attacks against web servers

This data is a snapshot as of June 1, 2006. Changes from the data set described in "Learning DFA Representations of HTTP for Protecting Web Applications" by Kenneth L. Ingham, Anil Somayaji, John Burge, and Stephanie Forrest will be described here (currently, no changes have been made).

Each of these links contains:

The whole database is also available as a gzipped tar file.

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.

Sorted by Name

Statistics

Category:
Buffer overflow: 10
Failure to Handle Exceptional Conditions: 2
File disclosure: 1
Information leak: 1
Input validation error: 22
Poor memory management: 1
Poor resource management: 2
Signed interpretation of unsigned value: 4
URL decoding error: 22

Effect:
Denial of Service: 12
File disclosure: 1
Path disclosure: 2
Remote access: 31
Remote reconfiguration: 2
Unauthorized file access: 16
Write files as web server user: 1

Victim server:
Active Perl ISAPI: 1
AltaVista Search Engine: 4
AnalogX SimpleServer:WWW v1.01: 1
Apache: 10
Apache with mod_php: 4
Apache, NCSA: 6
CERN 3.0A: 1
FrontPage Personal Web Server: 1
Hughes Technologies Mini SQL: 1
IIS: 29
InetServ 3.0: 1
Netscape FastTrack 2.01a: 1
Nortel Contivity Extranet Switches: 2
OmniHTTPd: 1
PlusMail: 2

OS:
*BSD: 1
Any Unix/Linux: 2
FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2: 1
Linux, *BSD, Unix: 6
NT: 2
OpenBSD: 1
SCO UnixWare: 1
Solaris x86: 1
Unix: 6
VxWorks: 2
Windows: 35
Windows NT: 1
Windows, Linux, *BSD, Unix: 3
Windows, Linux, AIX, Mac OS X, *BSD: 3

Source:
Bugtraq: 7
Captured with snort: 20
Cerberus: 1
Lincoln Labs data: 2
No Source information: 3
OSVDB: 2
Packetstorm: 24
Packetstorm, Bugtraq: 5
Packetstorm, NTBugtraq: 1

| Number | Name | Category | Effect | Victim server | OS | Source |
|---|---|---|---|---|---|---|
| 33 | ADSI path disclosure | Information leak | Path disclosure | IIS | Windows | Packetstorm, NTBugtraq |
| 46 | Active Perl ISAPI buffer overflow | Buffer overflow | Remote access | Active Perl ISAPI | Windows | Packetstorm |
| 31 | AltaVista Search Engine Directory Traversal | Input validation error | Unauthorized file access | AltaVista Search Engine | Linux, *BSD, Unix | Bugtraq |
| 32 | AltaVista Search Engine Directory Traversal | Input validation error | Unauthorized file access | AltaVista Search Engine | Linux, *BSD, Unix | Bugtraq |
| 29 | AltaVista Search Engine Directory Traversal | Input validation error | Unauthorized file access | AltaVista Search Engine | Linux, *BSD, Unix | Packetstorm |
| 30 | AltaVista Search Engine Directory Traversal | Input validation error | Unauthorized file access | AltaVista Search Engine | Windows | Bugtraq |
| 60 | Apache Sioux | Poor memory management | Denial of Service | Apache | FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2 | Lincoln Labs data |
| 59 | Apache Win32 .var File Web Path Disclosure | Input validation error | Path disclosure | Apache | Windows | No Source information |
| 58 | Apache Win32 Directory Traversal | URL decoding error | Remote access | Apache | Windows | OSVDB |
| 57 | Apache Win32 Directory Traversal | URL decoding error | Unauthorized file access | Apache | Windows | OSVDB |
| 61 | Beck, variant 1 | Poor resource management | Denial of Service | Apache | Any Unix/Linux | Packetstorm |
| 62 | Beck, variant 2 | Poor resource management | Denial of Service | Apache | Any Unix/Linux | Packetstorm |
| 45 | CERN 3.0 heap overflow | Buffer overflow | Denial of Service | CERN 3.0A | Windows, Linux, *BSD, Unix | Packetstorm |
| 22 | Chunked transfer error | Signed interpretation of unsigned value | Denial of Service | Apache | Windows, Linux, *BSD, Unix | Bugtraq |
| 23 | Chunked transfer error | Signed interpretation of unsigned value | Denial of Service | Apache | Windows, Linux, *BSD, Unix | Bugtraq |
| 24 | Code-red | Buffer overflow | Remote access | IIS | Windows | Captured with snort |
| 25 | GET Buffer Overflow | Buffer overflow | Remote access | Netscape FastTrack 2.01a | SCO UnixWare | Packetstorm |
| 47 | IIS 5 remote .printer overflow | Buffer overflow | Remote access | IIS | Windows | Packetstorm |
| 26 | Long GET Request Vulnerability | Buffer overflow | Remote access | InetServ 3.0 | Windows | Packetstorm |
| 48 | Long Request Buffer Overflow | Buffer overflow | Denial of Service | OmniHTTPd | Windows | Packetstorm |
| 43 | MS IIS/PWS Escaped Characters Decoding Command Execution | URL decoding error | Remote access | IIS | Windows | Packetstorm |
| 44 | MS IIS/PWS Escaped Characters Decoding Command Execution | URL decoding error | Remote access | IIS | Windows | Packetstorm |
| 55 | Microsoft FrontPage PWS Directory Traversal | Input validation error | Unauthorized file access | FrontPage Personal Web Server | Windows | Packetstorm, Bugtraq |
| 64 | Microsoft IIS '../..' Denial of Service Vulnerability, variant 1 | Failure to Handle Exceptional Conditions | Denial of Service | IIS | NT | No Source information |
| 65 | Microsoft IIS '../..' Denial of Service Vulnerability, variant 2 | Failure to Handle Exceptional Conditions | Denial of Service | IIS | NT | Lincoln Labs data |
| 40 | Microsoft IIS Chunked Encoding Transfer Heap Overflow | Buffer overflow | Remote access | IIS | Windows | Packetstorm, Bugtraq |
| 63 | Microsoft IIs '..' hole | File disclosure | File disclosure | IIS | Windows NT | No Source information |
| 50 | Mini-SQL w3-msql Buffer Overflow | Buffer overflow | Remote access | Hughes Technologies Mini SQL | Solaris x86 | Packetstorm |
| 27 | NT Index Server Directory Traversal 01 | Input validation error | Unauthorized file access | IIS | Windows | Cerberus |
| 28 | NT Index Server Directory Traversal 02 | Input validation error | Unauthorized file access | IIS | Windows | Packetstorm |
| 01 | Nimda, variant 01 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 02 | Nimda, variant 02 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 03 | Nimda, variant 03 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 04 | Nimda, variant 04 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 05 | Nimda, variant 05 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 06 | Nimda, variant 06 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 07 | Nimda, variant 07 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 08 | Nimda, variant 08 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 09 | Nimda, variant 09 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 10 | Nimda, variant 10 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 11 | Nimda, variant 11 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 12 | Nimda, variant 12 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 13 | Nimda, variant 13 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 14 | Nimda, variant 14 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 15 | Nimda, variant 15 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 16 | Nimda, variant 16 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 17 | Nimda, variant 17 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 18 | Nimda, variant 18 | URL decoding error | Remote access | IIS | Windows | Captured with snort |
| 52 | Nortel Contivity File Viewing, variant 2 | Input validation error | Unauthorized file access | Nortel Contivity Extranet Switches | VxWorks | Packetstorm |
| 51 | Nortel Contivity File Viewing, variant one | Input validation error | Unauthorized file access | Nortel Contivity Extranet Switches | VxWorks | Packetstorm |
| 20 | Nosejob | Signed interpretation of unsigned value | Remote access | Apache | *BSD | Packetstorm |
| 56 | PHP File Upload | Input validation error | Write files as web server user | Apache with mod_php | Linux, *BSD, Unix | Bugtraq |
| 42 | PHP HTTP POST Incorrect MIME Header Parsing | Input validation error | Denial of Service | Apache with mod_php | Linux, *BSD, Unix | Captured with snort |
| 41 | PHP HTTP POST Incorrect MIME Header Parsing | Input validation error | Denial of Service | Apache with mod_php | Linux, *BSD, Unix | Packetstorm, Bugtraq |
| 49 | PHP Interpreter Direct Invocation | Input validation error | Denial of Service | Apache with mod_php | Windows, Linux, AIX, Mac OS X, *BSD | Bugtraq |
| 53 | PowerScripts PlusMail WebConsole Poor Authentication | Input validation error | Remote reconfiguration | PlusMail | Windows, Linux, AIX, Mac OS X, *BSD | Packetstorm, Bugtraq |
| 54 | PowerScripts PlusMail WebConsole Poor Authentication | Input validation error | Remote reconfiguration | PlusMail | Windows, Linux, AIX, Mac OS X, *BSD | Packetstorm, Bugtraq |
| 19 | Remote GET Buffer Overflow Vulnerability | Buffer overflow | Remote access | AnalogX SimpleServer:WWW v1.01 | Windows | Packetstorm |
| 21 | Scalp | Signed interpretation of unsigned value | Remote access | Apache | OpenBSD | Packetstorm |
| 34 | phf CGI Arbitrary Command Execution (and related), variant 1 | Input validation error | Unauthorized file access | Apache, NCSA | Unix | Packetstorm |
| 35 | phf CGI Arbitrary Command Execution (and related), variant 2 | Input validation error | Unauthorized file access | Apache, NCSA | Unix | Packetstorm |
| 36 | phf CGI Arbitrary Command Execution (and related), variant 3 | Input validation error | Unauthorized file access | Apache, NCSA | Unix | Packetstorm |
| 37 | phf CGI Arbitrary Command Execution (and related), variant 4 | Input validation error | Unauthorized file access | Apache, NCSA | Unix | Packetstorm |
| 38 | phf CGI Arbitrary Command Execution (and related), variant 5 | Input validation error | Unauthorized file access | Apache, NCSA | Unix | Packetstorm |
| 39 | phf CGI Arbitrary Command Execution (and related), variant 6 | Input validation error | Unauthorized file access | Apache, NCSA | Unix | Packetstorm |

Data collected by Kenneth Ingham.