GEN:SID | 1:1201 |
Message | ATTACK-RESPONSES 403 Forbidden |
Summary | This event is generated when a 403 error response code is returned to a client by a webserver.
|
Impact | Information gathering.
|
Detailed Information | This event is generated when a 403 error response code is returned to a client by a webserver. This may indicate an attempt to gain unauthorized access to a web server or an application running on a web server.
The 400 series error messages are used to indicate an error on the part of the browser client making the request to a web server. The 403 response indicates a request for a forbidden resource that cannot be accessed even with authentication credentials.
Many events may indicate a determined attempt to exploit a vulnerability on the victim server.
Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
|
Affected Systems | All web server platforms
|
Attack Scenarios | An attacker can access the authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator.
|
Ease of Attack | Simple. Exploits for many vulnerabilities exist although no exploit code may be required.
|
Corrective Action | Disallow administrative access from sources external to the protected network.
Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
|
Additional References | |