Attack Signature Reference

Complete list of attack patterns detected by WebDecoy.

Overview

WebDecoy analyzes request data for known attack patterns. When detected, these signatures contribute to the threat score and help classify the attack type.

SQL Injection

Description

Attempts to manipulate SQL queries by injecting malicious SQL code.

Detection Patterns

Pattern	Example	Confidence
Basic OR injection	`' OR '1'='1`	High
UNION SELECT	`UNION SELECT * FROM users`	High
Comment termination	`admin'--`	Medium
DROP/DELETE	`'; DROP TABLE users--`	High
Time-based blind	`'; SLEEP(5)--`	High
Error-based	`' AND 1=CONVERT(int,@@version)--`	High

Common Locations

Form fields (username, password)
URL parameters
POST body (JSON, form-encoded)
Cookie values

MITRE Mapping

T1190 - Exploit Public-Facing Application

Score Impact

+30-45 points depending on complexity

Cross-Site Scripting (XSS)

Description

Attempts to inject malicious scripts that execute in other users’ browsers.

Detection Patterns

Pattern	Example	Confidence
Script tags	`<script>alert('xss')</script>`	High
Event handlers	`<img onerror="alert('xss')">`	High
JavaScript URIs	`javascript:alert('xss')`	Medium
SVG injection	`<svg onload="alert('xss')">`	High
Data URIs	`data:text/html,<script>...`	Medium
Template injection	`{{constructor.constructor('...')}}`	High

Common Locations

Comment fields
Search queries
User profile fields
Any user-generated content

MITRE Mapping

T1059.007 - Command and Scripting Interpreter: JavaScript

Score Impact

+25-40 points

Command Injection

Description

Attempts to execute system commands through the application.

Detection Patterns

Pattern	Example	Confidence
Command chaining	`; ls -la`	High
Pipe injection	`	cat /etc/passwd`
Backtick execution	`whoami`	High
Subshell	`$(cat /etc/passwd)`	High
Newline injection	`\nwhoami`	Medium
AND/OR chaining	`&& rm -rf /`	High

Common Locations

File path parameters
Filename uploads
System-related inputs
API parameters

MITRE Mapping

T1059 - Command and Scripting Interpreter

Score Impact

+35-50 points

Path Traversal

Description

Attempts to access files outside the intended directory.

Detection Patterns

Pattern	Example	Confidence
Dot-dot-slash	`../../../etc/passwd`	High
Encoded traversal	`%2e%2e%2f%2e%2e%2f`	High
Double encoding	`%252e%252e%252f`	High
Windows paths	`..\..\..\..\windows\system32`	High
Null byte	`../../../etc/passwd%00`	High
Absolute paths	`/etc/passwd`	Medium

Common Locations

File download parameters
Image/asset paths
Include parameters
Template paths

MITRE Mapping

T1083 - File and Directory Discovery

Score Impact

+20-35 points

XML External Entity (XXE)

Description

Attacks against applications that parse XML, allowing access to internal files or SSRF.

Detection Patterns

Pattern	Example	Confidence
DOCTYPE declaration	`<!DOCTYPE foo [<!ENTITY...`	High
SYSTEM entity	`<!ENTITY xxe SYSTEM "file:///etc/passwd">`	High
Parameter entities	`%xxe;`	Medium
Remote DTD	`<!ENTITY % remote SYSTEM "http://...">`	High

Common Locations

XML API endpoints
SOAP services
File upload (SVG, DOCX)
Configuration imports

MITRE Mapping

T1059 - Command and Scripting Interpreter

Score Impact

+30-45 points

LDAP Injection

Description

Manipulation of LDAP queries to bypass authentication or extract data.

Detection Patterns

Pattern	Example	Confidence
Filter injection	`)(uid=*`	High
Wildcard abuse	`)(objectclass=`	High
Comment bypass	`admin)(password=*)`	High
Boolean injection	`)(	(uid=*`

Common Locations

Login forms
User search
Directory lookups

MITRE Mapping

T1190 - Exploit Public-Facing Application

Score Impact

+25-40 points

NoSQL Injection

Description

Injection attacks targeting NoSQL databases like MongoDB.

Detection Patterns

Pattern	Example	Confidence
Operator injection	`{"$gt": ""}`	High
Where clause	`{"$where": "function()..."}`	High
Regex injection	`{"$regex": ".*"}`	Medium
Not equal bypass	`{"password": {"$ne": ""}}`	High

Common Locations

JSON API bodies
Query parameters (parsed as JSON)
GraphQL variables

MITRE Mapping

T1190 - Exploit Public-Facing Application

Score Impact

+25-40 points

Server-Side Request Forgery (SSRF)

Description

Attempts to make the server request arbitrary URLs.

Detection Patterns

Pattern	Example	Confidence
Internal IPs	`http://192.168.1.1`	High
Localhost	`http://127.0.0.1`, `http://localhost`	High
Cloud metadata	`http://169.254.169.254`	High
File protocol	`file:///etc/passwd`	High
Internal hostnames	`http://internal.corp`	Medium

Common Locations

URL parameters
Webhook configurations
Image/file fetch
PDF generation

MITRE Mapping

T1046 - Network Service Scanning

Score Impact

+25-40 points

Log Injection

Description

Attempts to manipulate log files or inject fake log entries.

Detection Patterns

Pattern	Example	Confidence
Newline injection	`\n[INFO] Fake log entry`	Medium
Carriage return	`\rFake entry`	Medium
Log format injection	`127.0.0.1 - admin [...]`	Medium

Common Locations

User-agent header
Username fields
Any logged input

Score Impact

+15-25 points

Header Injection

Description

Attempts to inject malicious HTTP headers.

Detection Patterns

Pattern	Example	Confidence
Header injection	`\r\nX-Injected: value`	High
Response splitting	`\r\n\r\n<html>`	High
Cookie injection	`\r\nSet-Cookie: session=...`	High

Common Locations

Redirect parameters
Header values from user input

Score Impact

+20-30 points

Detection Format

When an attack signature is detected, it’s recorded as:

{
  "attack_signatures": [
    {
      "type": "sql_injection",
      "pattern": "' OR '1'='1",
      "location": "body.password",
      "confidence": "high",
      "score_impact": 40
    },
    {
      "type": "xss",
      "pattern": "<script>",
      "location": "body.comment",
      "confidence": "high",
      "score_impact": 35
    }
  ]
}

Multiple Signatures

When multiple attack types are detected in a single request:

Each signature adds to the score
Maximum combined impact is capped at 95
Indicates sophisticated or automated attack