5 votes
A security analyst sees some suspicious entries in a log file from a web server website, which has a form that allows customers to leave feedback on the company's products. The analyst believes a malicious actor is scanning the web form. To know which security controls to put in place, the analyst first needs to determine the type of activity occurring to design a control. Given the log below:

TIMESTAMP SOURCEIP CUST CONTACT PROD COMMENTS
10:00:04 aaaaa Phone Widget1 Noneleft
10:00:04 bbbbb Phone Widget1 Noneleft
10:00:05 cccc Phone Widget1 ../../etc/passwd
10:01:03 ddddd Phone Widget1 Noneleft
10:01:04 eeeee Phone Widget1 Noneleft
10:01:05 fffff Phone Widget1 1=1
10:03:05 Joe Phone Widget1 Love the Widget!
10:04:01 ggggg Phone Widget1 script
10:05:05 hhhhh Phone Widget1 wget cookie
10:05:05 iiiii Phone Widget1 Noneleft
10:05:06 jjjjjj Phone Widget1 Noneleft

Which of the following is the MOST likely type of activity occurring?

A. SQL injection
B. XSS scanning
C. Fuzzing
D. Brute forcing

User Samdeesh
by
7.4k points

1 Answer

4 votes

The MOST likely type of activity occurring based on the log is:

C. Fuzzing

How to explain this?

The entries show attempts to input unusual or unexpected data into the web form fields, including directory traversal (../../etc/passwd), SQL injection (1=1), and suspicious keywords like "script," "wget cookie," indicating systematic testing to identify vulnerabilities.

This behavior aligns more closely with a pattern consistent with fuzzing, which involves inputting diverse and invalid data to uncover system weaknesses or vulnerabilities.

User Grubsnik
by
7.7k points
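
The reasoning in the answer above, as an added example that is not part of the original post: each COMMENTS value from the question's log is tagged with an input class, and the verdict depends on how many distinct classes appear. The signature patterns, the `min_classes` threshold and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
# Rows copied from the log in the question. Each row carries five values; the
# second is treated as the submitter identifier (an assumption).
LOG = """\
10:00:04 aaaaa Phone Widget1 Noneleft
10:00:04 bbbbb Phone Widget1 Noneleft
10:00:05 cccc Phone Widget1 ../../etc/passwd
10:01:03 ddddd Phone Widget1 Noneleft
10:01:04 eeeee Phone Widget1 Noneleft
10:01:05 fffff Phone Widget1 1=1
10:03:05 Joe Phone Widget1 Love the Widget!
10:04:01 ggggg Phone Widget1 script
10:05:05 hhhhh Phone Widget1 wget cookie
10:05:05 iiiii Phone Widget1 Noneleft
10:05:06 jjjjjj Phone Widget1 Noneleft
"""

# Hypothetical, deliberately coarse signatures: one per input class.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"\b(\w+)\s*=\s*\1\b"),  # tautology such as 1=1
    "xss": re.compile(r"\bscript\b", re.I),
    "command_injection": re.compile(r"\b(wget|curl)\b", re.I),
}

def classify(comment):
    """Return the first matching input class, or None for ordinary text."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(comment):
            return name
    return None

def assess(log, min_classes=3):
    """Count hits per class; many distinct classes point to fuzzing."""
    hits = Counter()
    for line in log.strip().splitlines():
        _ts, _submitter, _contact, _product, comment = line.split(maxsplit=4)
        label = classify(comment)
        if label:
            hits[label] += 1
    if len(hits) >= min_classes:
        verdict = "fuzzing"
    elif len(hits) == 1:
        verdict = next(iter(hits))  # a single class: name that attack type
    else:
        verdict = "inconclusive"
    return verdict, dict(hits)
```

Run over the question's log, `assess(LOG)` reports four different input classes with one hit each, which is why no single-technique option (A or B) fits as well as fuzzing.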