Review Web Application Root Cause and Exposure Window

Post-Incident ReviewP275 min

Perform a web-app-specific post-incident review focused on the exploited weakness, the exposure window, and which telemetry would have shortened time-to-detect.

Actions

  1. Reconstruct the full exploit path from reconnaissance through shell or code execution: the first request that hit the vulnerability, the requests that established post-exploitation access (web-shell upload, first command executed), and any lateral movement from the web tier. Record timestamps for each step so the exposure window (first exploit request to containment) and the dwell time (first code execution to detection) can be stated precisely.
  2. Document the code, infrastructure, and deployment weaknesses that enabled exploitation: missing patches, upload handlers that write attacker-named files under the web root, secrets stored in config files or environment variables readable by the application process, and over-privileged service accounts or application-pool identities.
  3. Review WAF, load balancer, and web-server coverage for every request in the exploit chain: was it logged at all, did a rule match, and was that rule in block or detect-only mode. State each gap as "not visible" or "visible but not blocked", since the fixes differ.
  4. Define remediation tasks for application input validation, deployment hardening, secret rotation, and web-shell detection coverage, each with an owner and a verification check.
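The steps above, as an added example that is not part of the original playbook: a Python script that reconstructs the exploit chain from access-log lines, derives the exposure window and dwell time against a containment time, and splits the WAF gap into "seen but not blocked" versus "never logged". The Combined-Log-Format lines, the WAF export, the IP addresses, the file names, the containment time and the rule id are all constructed assumptions, not data from any real incident.

```python
"""Exploit-chain reconstruction over access logs plus a WAF event export.
Added example for this playbook; every input below is constructed."""
import re
from datetime import datetime, timezone
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SCRIPT_EXT = (".aspx", ".php", ".jsp", ".ashx")

# Constructed sample: recon, a traversal read, a traversal in the upload filename
# that drops a script under the web root, then command execution through it.
ACCESS_LOG = """\
203.0.113.9 - - [12/May/2024:09:58:10 +0000] "GET /robots.txt HTTP/1.1" 200 73
203.0.113.9 - - [12/May/2024:10:01:32 +0000] "GET /api/files?path=../../etc/passwd HTTP/1.1" 200 1420
203.0.113.9 - - [12/May/2024:10:04:05 +0000] "POST /upload?name=../../www/img/cache.aspx HTTP/1.1" 201 0
203.0.113.9 - - [12/May/2024:10:04:40 +0000] "GET /img/cache.aspx?cmd=whoami HTTP/1.1" 200 55
198.51.100.4 - - [12/May/2024:10:05:00 +0000] "GET /index.aspx HTTP/1.1" 200 9020
203.0.113.9 - - [12/May/2024:11:30:12 +0000] "GET /img/cache.aspx?cmd=net+user HTTP/1.1" 200 612
"""
# Constructed WAF export: detection mode, so the traversals were logged but not
# blocked, and the web-shell hits matched no rule at all. Rule id is assumed.
WAF_EVENTS = [
    {"ip": "203.0.113.9", "uri": "/api/files?path=../../etc/passwd", "rule": "930100", "action": "Detected"},
    {"ip": "203.0.113.9", "uri": "/upload?name=../../www/img/cache.aspx", "rule": "930100", "action": "Detected"},
]
# Assumed containment time (web shell removed, attacker address blocked).
CONTAINMENT = datetime(2024, 5, 12, 14, 0, tzinfo=timezone.utc)


def parse_access_log(text):
    """Yield one dict per parseable Combined-Log-Format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            yield rec


def classify(rec):
    """Tag a request with every exploit-chain stage it matches; [] means benign."""
    uri = unquote(rec["uri"]).lower()
    path, _, query = uri.partition("?")
    tags = []
    if "../" in uri or "..\\" in uri:
        tags.append("traversal")
    if "union select" in uri.replace("+", " "):
        tags.append("sqli")
    if rec["method"] == "POST" and path.startswith("/upload"):
        tags.append("upload")
    if path.endswith(SCRIPT_EXT) and re.search(r"(^|&)cmd=", query):
        tags.append("webshell_exec")
    return tags


def reconstruct(log_text, containment):
    """Order the malicious requests; exposure window = first exploit request to
    containment, dwell time = first web-shell command execution to containment."""
    timeline = []
    for r in parse_access_log(log_text):
        tags = classify(r)
        if tags:
            timeline.append({"ts": r["ts"], "ip": r["ip"], "uri": r["uri"],
                             "status": r["status"], "tags": tags})
    timeline.sort(key=lambda e: e["ts"])
    if not timeline:
        return None
    first_exec = next((e for e in timeline if "webshell_exec" in e["tags"]), None)
    return {
        "timeline": timeline,
        "attacker_ips": sorted({e["ip"] for e in timeline}),
        "first_vulnerable_request": timeline[0]["uri"],
        "first_execution": first_exec["uri"] if first_exec else None,
        "exposure_window": containment - timeline[0]["ts"],
        "dwell_time": (containment - first_exec["ts"]) if first_exec else None,
    }


def waf_coverage_gaps(timeline, waf_events):
    """Split the chain into requests the WAF saw but did not block and ones it never logged."""
    action_by_request = {(e["ip"], e["uri"]): e["action"] for e in waf_events}
    gaps = {"not_blocked": [], "unseen": []}
    for e in timeline:
        action = action_by_request.get((e["ip"], e["uri"]))
        if action is None:
            gaps["unseen"].append(e["uri"])
        elif action != "Blocked":
            gaps["not_blocked"].append(e["uri"])
    return gaps


def run_review():
    """Reconstruct the constructed sample and attach the WAF gap analysis."""
    review = reconstruct(ACCESS_LOG, CONTAINMENT)
    review["waf_gaps"] = waf_coverage_gaps(review["timeline"], WAF_EVENTS)
    return review


if __name__ == "__main__":
    r = run_review()
    for e in r["timeline"]:
        print(e["ts"].isoformat(), e["ip"], e["status"], e["uri"], ",".join(e["tags"]))
    print("exposure window:", r["exposure_window"], "| dwell time:", r["dwell_time"])
    print("WAF saw but did not block:", r["waf_gaps"]["not_blocked"])
    print("WAF never logged:", r["waf_gaps"]["unseen"])
```

The two lists at the end map directly onto action 3: "not_blocked" entries point at rules that were matched in detect-only mode and need to move to block, while "unseen" entries (here, the commands sent to the uploaded script) show traffic the WAF had no signature for, which is the case for web-shell detection on the host rather than a WAF tuning change.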

Queries

AzureDiagnostics | where TimeGenerated > ago(30d) | where ResourceType == "APPLICATIONGATEWAYS" and Category == "ApplicationGatewayFirewallLog" | summarize count(), min(TimeGenerated), max(TimeGenerated) by ruleId_s, action_s, clientIp_s, requestUri_s | sort by count_ desc
index=web earliest=-30d (uri_query="*../*" OR uri_query="*%2e%2e*" OR uri_query="*union*select*" OR uri_query="*cmd=*" OR uri_path="*.php" OR uri_path="*.aspx") | stats count, min(_time) as first_seen, max(_time) as last_seen, values(uri_query) as queries by uri_path, clientip | convert ctime(first_seen) ctime(last_seen) | sort -count

Notes

  • A web-app post-incident review is incomplete if it ends at the web shell. The team needs the exploit chain and the exposure window.
  • Secret rotation should include deployment credentials, service principals, and any application secrets reachable from the compromised tier.