Detecting indicators of compromise in web applications using access logs

2021 
Many web applications have security issues, and reports from the largest security companies indicate that, with the move online caused by the pandemic, web applications have increased in number and attackers have begun to target them more and more. Some reports even rank web applications first as attackers' preferred method of entering a network. The most attacked web applications are those whose source code is public, since anyone can read the source code to find a way to obtain unauthorized access to the application. In this article we look at things from another angle: we focus on the unauthorized access itself, not on the vulnerability through which someone obtained it. We propose an automatic method that identifies, at the level of the access log, the lines that indicate unauthorized access. One of the biggest advantages the proposed method brings to the security of web applications is that it does not depend on the complexity of the attack, only on whether the attack exists or not. One of its disadvantages is that it cannot tell us through which vulnerability the unauthorized access was obtained. In our tests we noticed that for some applications, depending on how they are built and how they respond to user requests, our method discovers these unauthorized accesses with great success.