Chapter 5

Request Data Analysis

The general who thoroughly understands the advantages that accompany variation of tactics knows how to handle his troops. The general, who does not understand these, may be well acquainted with the configuration of the country, yet he will not be able to turn his knowledge to practical account.

Sun Tzu in The Art of War

Request Data Acquisition

Before you conduct any security analysis of inbound request data, you must be able to access all of the data elements. Recall the discussion in Chapter 1 of the limited data set captured by the Common Log Format, which web server logging facilities use by default. We need full visibility into all request data so that we do not miss any potential attack vectors. For instance, if you cannot access all of the request header data or the entire request body, you may miss attacks.

Even if you have configured your system to access these request elements, attackers may purposefully try to break the data access or analysis processes in order to sneak their attacks through. The concept of “fail open,” in which systems allow data to pass through when errors are encountered, is a serious security concern. The recipes in this chapter outline key points to consider for proper data acquisition and analysis.
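As an added illustration (not taken from the book's recipes), the following ModSecurity 2.x configuration sketch shows request body access enabled together with fail-closed handling of oversized and unparseable bodies. The rule IDs, limits, and messages are constructed for this example, and the JSON rule assumes a ModSecurity build with JSON body parsing support.

```apache
# Added example: rule IDs, limits and messages below are constructed values.
SecRuleEngine On

# Buffer and inspect request bodies; without this, rules never see POST data.
SecRequestBodyAccess On

# Select a body parser from the Content-Type so XML and JSON payloads are
# parsed into inspectable variables instead of being treated as opaque bytes.
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
    "id:10001,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=XML"

# Assumes a build with JSON parsing support.
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:10002,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:requestBodyProcessor=JSON"

# Upper bounds on what will be buffered (bytes).
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Fail-open setting: inspect only the first part of an oversized body and
# let the remainder through uninspected.
#SecRequestBodyLimitAction ProcessPartial

# Fail-closed setting: refuse any request whose body exceeds the limits.
SecRequestBodyLimitAction Reject

# Fail closed on parser errors: if the body could not be parsed, deny the
# request rather than passing it on with rules that saw nothing.
SecRule REQBODY_ERROR "!@eq 0" \
    "id:10003,phase:2,t:none,log,deny,status:400,\
    msg:'Failed to parse request body',\
    logdata:'%{REQBODY_ERROR_MSG}',severity:2"

# Reject multipart bodies that the parser flagged under strict validation.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:10004,phase:2,t:none,log,deny,status:400,\
    msg:'Multipart request body failed strict validation'"
```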

Recipe 5-1: Request Body Access
This recipe shows you how to configure ModSecurity to gain access to various types of request body content.
Ingredients ...

Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
