possible attack as a result of site.webmanifest
Opened this issue · 0 comments
I was checking server logs this morning and am trying to understand the requests that came in from so many IPs, such as the one below. Is there a possibility of a brute force attack based on favicons?
There was no other traffic to the site for over 30 mins because of the requests. Here is an example of the requests:
47.89.225.22 - - [25/Jan/2019:20:36:31 +0800] "GET /favicons/site.webmanifest?v=694xA8w8Oq'+union+select+0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725+--+ HTTP/1.1" 404 - "https://example.com/favicons/site.webmanifest?v=694xA8w8Oq'+union+select+0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725,0x5e73266725+--+" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
Thanks in advance
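
One way to triage requests like the one quoted above, as an added example that is not part of the original issue: it parses combined-format access-log lines, decodes the query string, flags `UNION SELECT` style SQL injection probes, and reports the response status and hits per source IP. The `triage` function, the regular expressions and the sample lines (documentation-range IPs, column list shortened to three) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" access-log format, as in the line quoted in the issue.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>.*?)" "(?P<agent>.*?)"$'
)
# Heuristics only: UNION-based column probing and quote-led tautologies.
SQLI_RE = re.compile(r"union\s+(?:all\s+)?select\b|'\s*(?:or|and)\s+\S+\s*=", re.I)
HEX_RE = re.compile(r"\b0x[0-9a-f]+\b", re.I)

def triage(lines):
    """Return (findings, per_ip): SQLi-looking requests and hits per client IP."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        path, _, query = m["target"].partition("?")
        decoded = unquote_plus(query)  # turn '+' and %xx back into plain text
        if not SQLI_RE.search(decoded):
            continue
        per_ip[m["ip"]] += 1
        findings.append({
            "ip": m["ip"],
            "path": path,
            "status": int(m["status"]),  # 404 here means the probe was not served
            "hex_columns": len(HEX_RE.findall(decoded)),  # width of the UNION probe
        })
    return findings, per_ip

# Constructed sample lines (not taken from the reporter's log).
PROBE = "v=x'+union+select+0x5e73266725,0x5e73266725,0x5e73266725+--+"
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SAMPLE = [
    f'192.0.2.10 - - [25/Jan/2019:20:36:31 +0800] "GET /favicons/site.webmanifest?{PROBE} HTTP/1.1" 404 - "-" "{UA}"',
    f'192.0.2.11 - - [25/Jan/2019:20:36:32 +0800] "GET /favicons/site.webmanifest?{PROBE} HTTP/1.1" 404 - "-" "{UA}"',
    '198.51.100.7 - - [25/Jan/2019:20:40:02 +0800] "GET /favicons/site.webmanifest?v=694xA8w8Oq HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE)
    for h in hits:
        print(h)
    print("distinct sources:", len(per_ip))
```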