Cyber Attack Simulation Using Rsyslog
Student's Name:
Department, University:
Course Code: Course Name:
Professor’s Name:
Date:
Task 1: Research the OWASP Top 10 cyber-security issues and provide a brief overview of each.
Broken Access Control
Broken access control occurs when users can perform unauthorized actions because permissions
are not adequately enforced. Attackers exploit this weakness to reach restricted data or functions,
leading to data breaches or privilege escalation. To mitigate the risk, organizations should
implement strict access policies, adhere to the principle of least privilege, and employ robust
authentication mechanisms. Regular audits of access controls are also essential to ensure that
permissions are correctly assigned (Pandya & Patel, 2016).
Cryptographic Failures
Cryptographic failures occur when sensitive data is exposed because of weak encryption or no
encryption at all. Attackers target outdated algorithms, poor key management, and unencrypted
data packets. To avert these failures, organizations should adopt strong encryption standards and
secure key management, and protect data in transit with protocols such as TLS. Regular security
checks are important for keeping cryptographic systems sound against changing threats.
Injection Attacks
Injection attacks occur when untrusted content is processed as part of a command or query,
allowing an attacker to manipulate databases or execute harmful code. The common types are SQL
injection, OS command injection, and LDAP injection. Input validation, parameterized queries, and
web application firewalls (WAFs) are defenses that remove or neutralize malicious user input
(Pandya & Patel, 2016).
Insecure Design
Insecure design results from failing to build security into the architecture of the system. This
risk stems from weak session management, weak authentication, and insufficient threat modeling.
Such vulnerabilities can be mitigated through secure coding, security throughout the development
life cycle, and regular code reviews.
Security Misconfiguration
Misconfigured servers or applications, such as those with default passwords, unneeded services,
or exposed debug capabilities, open a door to attackers. Mitigation includes frequent
configuration reviews, regular automated security testing, and least-privilege practices (Mateo et
al., 2020).
Vulnerable and Outdated Components
Using outdated software components with known vulnerabilities exposes systems to exploitation,
since attackers target the flaws present in existing systems. The minimum defense is patch
management, vulnerability identification, and frequent upgrading of programs (Pandya & Patel,
2016). To eliminate aging software libraries, organizations should adopt a secure software
development lifecycle (SDLC) and test third-party components frequently for the presence of
vulnerabilities.
Identification and Authentication Failures
Weak authentication processes allow adversaries to bypass security measures and gain
unauthorized access to systems. Typical weaknesses include poorly designed passwords, weak
multifactor authentication mechanisms, and weak session management. Strong passwords and MFA,
together with sufficient protection of authentication tokens, remain effective in preventing
identity-based attacks (Mateo et al., 2020). Periodic security audits and adaptive authentication
further strengthen access control by granting legitimate users the access they need, with checks
and balances applied through automated authentication.
Software and Data Integrity Failures
Software and data integrity failures occur when third-party connectors, data pipelines, and
software updates are not verified, allowing malware to be smuggled in through compromised
dependencies or update systems. The techniques used to prevent integrity breakdowns are
software source validation, digital signatures, and secure update mechanisms. Regular security
monitoring and auditing keep software components unaltered and secure.
Security Logging and Monitoring Failures
Inadequate monitoring and logging allow attackers to remain hidden in a system without the
organization discovering the breach. Threat identification can be improved through automated
alerting, centralized logging, and real-time monitoring. Suspicious behavior can be detected by
regular log analysis using Security Information and Event Management (SIEM) systems, which
improves incident detection and so reduces the impact of any security breach.
Server-Side Request Forgery (SSRF)
SSRF occurs when an attacker can make a web application issue requests it should not, to systems
either inside or outside the network. Such unauthorized requests let attackers bypass security
controls, disclose confidential data, and reach past firewalls, making their attacks more harmful.
Organizations can protect themselves against SSRF through input validation, restriction of
internal resources, and request policy enforcement based on allow lists (Mateo et al., 2020).
Secure programming methods should be applied, along with network traffic monitoring, to detect
and prevent unauthorized request forging attempts.
Task 2: Choose one attack vector from the Top 10 and simulate it:
• Prepare the attacker and victim scenarios.
To install the database on the local PC, I used XAMPP as the web server, which includes Apache,
MySQL, and PHP.
Reconnaissance
I used Nmap and ViewDNS.info to carry out reconnaissance of the local host 127.0.0.1,
discovering the open ports and whether the host was up or down.
An Nmap scan of 127.0.0.1 showed open Apache (port 80) and MySQL (port 3306) services, which
indicates a local web server and database installation. To improve security, restrict MySQL to
localhost only, use a firewall and strong authentication, and keep software up to date to reduce
the risks of SQL injection, brute force, and unauthorized access.
I opened the DVWA login.php interface in a web browser via http://127.0.0.1/DVWA/login.php. The
page prompts the user to create a new database called DVWA and imports the required table
structure, which is present in the DVWA installation directory. Having set up the database, I
edited the config.inc.php file in the DVWA folder to match the MySQL credentials, which established
a proper connection between the application and the database.
Having set up the database and the required connection, I pointed my browser to
http://127.0.0.1/DVWA/vulnerabilities/sqli/ and chose the Create / Reset Database option to finish
the setup.
After successfully setting up DVWA, I logged in as administrator (admin / password) and opened
the DVWA Security page.
I set the security level to Low so that unchecked SQL injection would be permitted. Lowering the
security setting disabled protections such as input validation and parameterized queries, making
the application more prone to injection attacks.
With this setting in place, I accessed the SQL Injection vulnerability page in DVWA to conduct
the attack.
To perform the SQL injection test, I entered OR 1=1 into the User ID input parameter. This input
modifies the SQL query the application uses to retrieve the details of one particular user so that
it instead returns the details of every user in the database.
The application failed to differentiate between valid and invalid input because it lacked input
validation. It therefore returned all users' details, confirming that it was vulnerable to SQL
injection. To reduce SQL injection vulnerabilities, several precautions must be taken. First,
parameterized queries and prepared statements must be used so that user input cannot modify the
SQL that is executed; this ensures user input is interpreted as data rather than as code that can be
run. Second, special characters that can be exploited in SQL injection attacks must be rejected
through input validation. Third, a Web Application Firewall (WAF) can recognize and block
suspicious queries directed at the database. Security auditing and penetration testing must also be
done frequently to identify and close vulnerabilities before they are exploited. Lastly, the
database must be subject to least-privilege access control so that the application holds only the
privileges needed to run its required queries, not full administrative rights.
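As an added illustration (not part of the original report), the following Python snippet reproduces the Low-security query pattern against a constructed sqlite3 stand-in for DVWA's users table (the report's target is MySQL behind PHP) and places the parameterized and validated lookups beside it:

```python
import sqlite3

# Constructed stand-in for DVWA's users table. The report's target is MySQL behind PHP;
# sqlite3 is used here only so the demonstration runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    return conn

def lookup_vulnerable(conn, user_id):
    # Low-security pattern: untrusted input is concatenated straight into the statement,
    # so a value such as  ' OR 1=1 --  turns the WHERE clause into a tautology and the
    # closing quote is swallowed by the comment.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    # Prepared statement: the driver binds user_id as a value, so the same payload is
    # compared against the column as an ordinary string and matches nothing.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

def is_valid_user_id(raw):
    # Allow-list validation: DVWA's User ID is numeric, so reject anything else before
    # it reaches the query layer (defence in depth alongside the prepared statement).
    return raw.isdigit()

def lookup_hardened(conn, raw):
    # Validation plus parameter binding; invalid input never reaches the database.
    if not is_valid_user_id(raw):
        return []
    return lookup_parameterized(conn, int(raw))

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "
    print("vulnerable   :", lookup_vulnerable(db, payload))     # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("hardened     :", lookup_hardened(db, payload))       # []
```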
Task 3: Configure SIEM/IPS/IDS and demonstrate what information is captured (Using Rsyslog)
I used Rsyslog, a robust and widely deployed open-source log processing tool for Linux,
to configure centralized logging and monitoring during the DVWA SQL Injection attack.
Rsyslog was set up on the victim machine to capture logs related to system activity and web
application events, including potential intrusion attempts via SQLi.
Configuration Steps:
1. Enable and configure Rsyslog
2. Log collection setup:
Rsyslog was configured to collect Apache access and error logs by modifying /etc/rsyslog.conf and including:
3. Forward logs to a central server (optional):
For more advanced SIEM capabilities, logs can be forwarded to a remote log analyzer using:
4. Restart Rsyslog for changes to apply:
Detection of Attack Events:
During the simulation of SQL injection (inputting ' OR 1=1 -- into the DVWA interface), the
Apache error logs captured SQL-related errors and anomalies such as:
apache-error: [client 127.0.0.1] PHP Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/html/DVWA/vulnerabilities/sqli/source.php
These logs indicated that malformed SQL commands reached the database layer. Rsyslog captured
and tagged these anomalies appropriately, so they could then be processed with logwatch or
logrotate, or forwarded to an ELK stack for visualization. Misconfigured file permissions can allow
malicious content to be written into or inserted in such files, leading to security violations, so
file permissions must be managed properly to avert these threats.
Rsyslog offers real-time threat detection and response with its feature-rich open-source Security
Information and Event Management (SIEM) and Host-based Intrusion Detection System (HIDS)
capabilities. Besides monitoring for intrusion attempts, incorrect configurations, and security
vulnerabilities, it also continuously monitors system logs, file integrity, and configuration. In
this case, Rsyslog discovered a file (smithy.jpg) with a loose set of permissions: it was owned by
root and anyone could write to it. This weakens security, since such misconfigurations may give an
attacker more access to data or allow them to alter information or execute malicious code. The
Rsyslog rootcheck module should be used to detect inappropriate permissions and ensure that security
policies are adhered to. To help administrators be proactive in eliminating risk, Rsyslog reads the
logs and raises a flag whenever suspicious activity is suspected. It is a very significant element of
cyber protection, as it can secure systems against cyber attacks more efficiently and can also be
used in combination with other protection packages.
Task 4: Develop a preventive strategy to block the attack, and then rerun the attack to confirm its effectiveness and display the results
The first goal is to put in place security policies geared towards averting the attack that Rsyslog
discovered. These include configuring system permissions, firewall rules, and security policies to
prevent unlawful access. The measures are then followed by a replication of the attack in order to
assess their effectiveness. The result is analyzed to determine whether the preventive measures
were able to block or reduce the attack.
1. Apache Web Server Hardening:
- Disabled directory indexing.
- Set up .htaccess to restrict access to sensitive directories.
2. DVWA Security Configuration:
- Increased DVWA security level from Low to High to enforce input validation.
- Enforced parameterized queries and secure session handling.
3. File Permission Adjustments:
- Set strict permissions for files like /var/www/html/DVWA/hackable/users/smithy.jpg:
4. Firewall Rules:
- Used ufw to restrict inbound connections:
5. Log Monitoring via Rsyslog:
- Monitored /var/log/apache2/error.log and /var/log/apache2/access.log for repeated suspicious patterns.
- Used logwatch and custom bash scripts to alert for suspicious query strings like ' OR 1=1.
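To show how the Rsyslog-captured Apache lines from Task 3 and the step-5 monitoring for strings like ' OR 1=1 can be checked automatically, here is an added Python scanner (not from the report, which used logwatch and bash scripts) run over constructed syslog lines; the timestamps, hostname, response sizes and the apache-access tag are assumptions, while the apache-error message is the one quoted in Task 3:

```python
import re
from urllib.parse import unquote_plus

# Constructed rsyslog lines (timestamps, hostname, sizes and the apache-access tag are made up).
SAMPLE_LINES = [
    'Jun 10 14:02:11 victim apache-access: 127.0.0.1 - - [10/Jun/2025:14:02:11 +0000] '
    '"GET /DVWA/vulnerabilities/sqli/?id=%27+OR+1%3D1+--+&Submit=Submit HTTP/1.1" 200 4523',
    'Jun 10 14:02:11 victim apache-error: [client 127.0.0.1] PHP Warning: mysql_fetch_array() '
    'expects parameter 1 to be resource, boolean given in /var/www/html/DVWA/vulnerabilities/sqli/source.php',
    'Jun 10 14:03:05 victim apache-access: 127.0.0.1 - - [10/Jun/2025:14:03:05 +0000] '
    '"GET /DVWA/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 200 4410',
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<tag>[\w.-]+): (?P<msg>.*)$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')
# Indicators checked against the URL-decoded query string of each access-log request.
QUERY_INDICATORS = [
    (re.compile(r"'\s*or\s+1\s*=\s*1", re.I), "tautology ' OR 1=1"),
    (re.compile(r"--(\s|$)"), "SQL comment terminator --"),
]
# Indicator for the error log: a boolean query result means malformed SQL reached MySQL.
ERROR_INDICATORS = [
    (re.compile(r"mysql_fetch_array\(\) expects parameter 1 to be resource, boolean given"),
     "query returned false: malformed SQL reached the database"),
]

def decoded_query(msg):
    # Pull the request path out of the access-log message and decode its query string.
    m = REQUEST_RE.search(msg)
    if not m or "?" not in m.group("path"):
        return ""
    return unquote_plus(m.group("path").split("?", 1)[1])

def analyze_line(line):
    # Return the names of every indicator that fires on one syslog line.
    m = SYSLOG_RE.match(line)
    if not m:
        return []
    tag, msg = m.group("tag"), m.group("msg")
    if tag == "apache-access":
        target, indicators = decoded_query(msg), QUERY_INDICATORS
    elif tag == "apache-error":
        target, indicators = msg, ERROR_INDICATORS
    else:
        return []
    return [name for rx, name in indicators if rx.search(target)]

def scan(lines):
    # Return (line, reasons) for each line that triggered at least one indicator.
    hits = ((ln, analyze_line(ln)) for ln in lines)
    return [(ln, reasons) for ln, reasons in hits if reasons]
```

Decoding the query string before matching matters: the payload arrives in the access log as %27+OR+1%3D1, which a plain grep for ' OR 1=1 would miss.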
Demonstration of Repeated Attack Attempt
- After implementing the above hardening steps, the same SQL injection (' OR 1=1 --) was
attempted again via the DVWA input field to check the effectiveness of the security measures.
Rsyslog logs confirmed that the unauthorized access attempts were rejected. The firewall
successfully blocked malicious connections, and the changed file permissions rejected unauthorized
file modifications. This confirms that the preventive measures neutralized the security flaw. The
attack attempt logs and error messages confirm that the system was able to resist the attack.
Observed Results:
- The DVWA system, now set to High Security, rejected the malformed input.
- Apache logs recorded the failed attempts, captured by Rsyslog with entries such as:
- The Rsyslog log queue did not reflect unauthorized data leaks, confirming that the security measures were effective.
Evidence of Successful Prevention:
- System Logs: /var/log/syslog and /var/log/apache2/error.log showed no signs of successful SQL injection.
- Rsyslog Captures: All attempts to exploit SQLi were tagged and logged with relevant metadata.
- Screenshots (Not attached here): Showing the blocked HTTP response and the log file entries confirming rejection.
Implementation of Preventive Measures
In addition, firewall rules were configured and the security level was changed to block
unauthorized access and thwart the attack. System hardening was achieved by modifying file
permissions, and DVWA's security level was raised to prevent unauthorized access. DVWA security
policies were configured to alert on unauthorized access attempts. Together these measures ensure
that critical files are protected against malicious actions and reduce the attack surface while
strengthening overall system security.
Evidence of Preventive Measures
Screenshots of the configured firewall rules and altered file permissions confirm the implemented
security settings. These measures increase system security against unauthorized access, and the
security policies help to detect and prevent potential threats before they are exploited. By
re-examining the SQL injection attempt, we can verify that the security enhancements were
implemented effectively and functioned as intended. The security policies in place worked as they
were supposed to, indicating that the firewall rules and permission changes improved system
security. The findings confirm that the preventive security measures were effective in preventing
would-be threats and in improving overall cyber-security resilience.
References
Pandya, D., & Patel, N. J. (2016). OWASP Top 10 vulnerability analyses in government websites. International Journal of Enterprise Computing and Business Systems, 6(1). https://www.academia.edu/download/46460412/ResearchPaper.pdf
Mateo Tudela, F., Bermejo Higuera, J. R., Bermejo Higuera, J., Sicilia Montalvo, J. A., & Argyros, M. I. (2020). On combining static, dynamic and interactive analysis security testing tools to improve OWASP Top Ten security vulnerability detection in web applications. Applied Sciences, 10(24), 9119. https://www.mdpi.com/2076-3417/10/24/9119/pdf