Preventing Log Evasion in IIS

One of the most important functions a Web site has is the ability to track who is visiting it, where they are coming from, and what they are doing. While logs themselves may not always be the most accurate measurement of what's going on, they do provide a high level overview useful for tracking common user functions and tasks. There are instances when certain types of data aren't logged such as referrers, cookies, user agents, and POST data.

Logging can also be used to track abnormal behavior including malicious requests sent by a potential attacker trying to break into your site. These logs can be extremely valuable in identifying if an attack was successful or not, as well as some of the exact commands that an attacker may have executed.

While performing a security review of Microsoft Internet Information Server (IIS), I started to explore IIS's logging capabilities and how they worked. Months earlier I discovered an issue in Sun One Application server that allowed an attacker to evade certain logging functionality by sending a carefully crafted request. With this in mind, I started looking at IIS to see if it had similar issues. I discovered that if an attacker sends more then 4,097 characters to any logged field, IIS will substitute the data within that field with three periods.