Consider a simple scenario where you are tasked with finding the origin of incoming attacks on a particular web application. The only things you know about the network are that the application is hosted internally, that it is not connected to the outside world, and that a caching proxy is also running in the network. As the forensic investigator, the first thing you request from the client is the application server's logs, which you then open in Apache Logs Viewer:
We quickly deduce that two IP addresses are of particular interest, 192.168.174.157 and 192.168.174.150. The User-Agent string on some of their requests contains sqlmap, the name of an automated SQL injection tool, so these requests are SQL injection attempts. We can also see requests whose query strings contain SQL keywords such as WHERE and SELECT, which are typical of injection attempts against a vulnerable parameter... Because a caching proxy sits in this network, one check remains before naming those two addresses as the source: confirm whether they are client hosts or the proxy itself. If the attacking requests traversed the proxy, the application server sees the proxy's address as the client, and the proxy's own logs (or an X-Forwarded-For header, if the proxy adds one and the server logs it) are needed to identify the true origin.
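The same triage the text describes, parsing Apache combined-format log lines, flagging a sqlmap User-Agent and SQL keywords or tautologies in the decoded query string, and tallying the offending client addresses, as an added Python example. This is not code from the book or from Apache Logs Viewer; the log lines, timestamps and addresses are constructed for illustration, and the keyword list is an assumption rather than an exhaustive SQL injection signature.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache "combined" format log lines (not a real capture).
SAMPLE_LOG = """\
192.168.174.157 - - [10/Mar/2016:14:02:11 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.174.157 - - [10/Mar/2016:14:02:12 +0000] "GET /index.php?id=1%27%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.174.150 - - [10/Mar/2016:14:02:13 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 500 231 "-" "Mozilla/5.0"
192.168.174.10 - - [10/Mar/2016:14:02:14 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.174.150 - - [10/Mar/2016:14:02:15 +0000] "GET /index.php?id=1%20OR%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""

# One regex for the standard combined log format:
# client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed keyword list: SQL verbs that rarely belong in a normal query string.
SQL_KEYWORDS = re.compile(
    r"\b(UNION|SELECT|WHERE|INSERT|UPDATE|DELETE|DROP|SLEEP|BENCHMARK)\b", re.I
)
# Classic tautology shape, e.g. "OR 1=1" or "AND 'a'='a'".
TAUTOLOGY = re.compile(r"\b(OR|AND)\b\s+'?\w+'?\s*=\s*'?\w+", re.I)


def analyse(log_text):
    """Return one finding per suspicious request: who, when, what, and why."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        # Decode %XX and '+' so encoded payloads are matched like plain ones.
        decoded = unquote_plus(rec["path"])
        reasons = []
        if "sqlmap" in rec["ua"].lower():
            reasons.append("sqlmap User-Agent")
        if SQL_KEYWORDS.search(decoded):
            reasons.append("SQL keyword in request")
        if TAUTOLOGY.search(decoded):
            reasons.append("tautology pattern")
        if reasons:
            findings.append(
                {"ip": rec["ip"], "time": rec["time"], "request": decoded, "reasons": reasons}
            )
    return findings


def suspects(findings):
    """Count suspicious requests per client address, most active first."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["time"], f["request"], "->", ", ".join(f["reasons"]))
    print("suspect addresses:", suspects(found).most_common())
```

The `ip` column is whatever the application server saw as the TCP peer. If that turns out to be the caching proxy's address, rerun the same matching over the proxy's access log, or extend the regex to capture an `X-Forwarded-For` field if the server's LogFormat records one; the keyword and User-Agent checks do not change.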