🌐 Web Application Compromise Response Quickstart

Determine how the attacker gained access to the web application by reviewing WAF logs, web-server access logs, and application error logs for evidence of exploitation. Look for SQL injection patterns, path-traversal attempts, deserialization attacks, file-upload exploits, or authentication-bypass indicators. Identifying the specific vulnerability is essential for immediate patching and for understanding whether the attack was automated (mass scanning) or targeted.

Isolate the compromised web server from the production network while preserving its current state for forensic analysis. Options include removing it from the load-balancer pool while keeping it running, applying firewall rules to block all inbound traffic except from forensic workstations, or placing it in an isolated VLAN. Avoid powering off the server as this destroys volatile evidence including running processes, network connections, and memory contents.

Immediately rotate or disable credentials for all service accounts associated with the web application, including database connection strings, API keys, cloud-service credentials, and SMTP relay accounts. If the attacker achieved code execution on the web server, they likely have access to configuration files containing these credentials. Change passwords for the application database user and any backend service accounts before the attacker can use them for lateral movement.

Establish the earliest evidence of compromise by reviewing authentication logs, web-server access logs, and file-modification timestamps. Look for the first successful exploitation attempt, the first web-shell upload, or the first anomalous process execution. Bounding the timeframe determines how far back log analysis must extend and helps estimate the duration of attacker access, which is critical for assessing potential data exposure.

Acquire a full memory dump of the compromised web server using LiME or a similar tool appropriate for the server operating system. Memory analysis can reveal running web shells, injected code in web-server processes, active reverse shells, credential material, and decrypted HTTPS session data. This is especially valuable for detecting in-memory-only web shells that do not exist on disk and would be missed by file-system analysis alone.

Conduct a systematic sweep of the web-application document root and upload directories for web shells. Use multiple detection methods: file-system timeline analysis to find recently created or modified files, YARA rules targeting known web-shell signatures, entropy analysis to detect obfuscated payloads, and comparison of the current file system against a known-good deployment baseline. Check for web shells in unexpected locations such as image directories, temp folders, and framework cache directories.

Apply patches or mitigations for the exploited vulnerability before restoring the web application to production. This may involve applying vendor security patches, deploying WAF rules to block the exploit pattern, updating application framework versions, or modifying application code to fix custom vulnerabilities. Verify the patch effectiveness by attempting to reproduce the exploit in a staging environment. Do not restore the application to production until the vulnerability is confirmed closed.