Insufficient Logging and Monitoring

Check List

Methodology

Black Box

Undetected Brute Force on Login API

1. Identify the login endpoint and intercept the request:

   POST /api/login HTTP/1.1
   Host: target.com
   Content-Type: application/json

   {"username":"victim","password":"WrongPass1"}

2. Send the request to Burp Intruder and launch a high-volume password attack.

3. Monitor responses and account behaviour.

4. If no CAPTCHA, temporary lock, IP block, or alert is triggered after excessive failed attempts, monitoring is insufficient.

5. If the attack continues without detection or interruption, logging and monitoring controls are weak.

6. If brute-force activity is neither mitigated nor logged effectively, the vulnerability is confirmed.


Silent ID Enumeration

1. Log in as a normal user and intercept an object request:

   GET /api/users/1001 HTTP/1.1
   Host: target.com
   Authorization: Bearer user_token

2. Send the request to Intruder and increment the ID sequentially.

3. Generate a large number of requests in a short time.

4. If enumeration succeeds without account suspension, throttling, or session invalidation, monitoring is insufficient.

5. If no protective action occurs despite the abnormal access pattern, logging and alerting mechanisms are inadequate.

6. If mass data harvesting is possible without detection, the vulnerability is confirmed.


Privilege Escalation Attempt Without Alert

1. Log in as a normal user and attempt to access an admin endpoint:

   GET /api/admin/dashboard HTTP/1.1
   Host: target.com
   Authorization: Bearer user_token

2. Repeat the unauthorized access multiple times. If repeated attempts do not trigger temporary blocking, an account warning, or a response delay, suspicious behaviour is not monitored.

3. If privilege escalation attempts can be performed repeatedly without detection, logging and monitoring are insufficient.

4. If no defensive reaction occurs against repeated unauthorized function access, the vulnerability is confirmed.


Token Manipulation Attempts Not Detected

1. Log in and capture the JWT, then modify the token payload and resend it:

   GET /api/user/profile HTTP/1.1
   Host: target.com
   Authorization: Bearer tampered_token

2. Repeat with multiple malformed or forged tokens.

3. If the server keeps responding without triggering account lock, token invalidation, or anomaly detection, monitoring is weak.

4. If repeated invalid token usage does not produce a defensive response, authentication misuse is not properly logged.

5. If abnormal authentication behaviour is allowed without detection or mitigation, the Insufficient Logging and Monitoring vulnerability is confirmed.
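Each of the four black-box cases above (brute force on the login API, silent ID enumeration, repeated admin-endpoint access, and tampered tokens) looks for a server reaction that never came. The detection rules that would produce that reaction, run over a constructed JSON-lines access log, as an added example that is not part of the original page: one sliding-window counter serves all four, keyed per user or source address for authentication failures and per token subject for the behaviour of an already authenticated user. Field names (`ts`, `src_ip`, `path`, `status`, `user`, `sub`, `reason`), thresholds and the 60-second window are assumptions a real deployment would tune to the API's normal traffic.

```python
"""Sliding-window detections for the four scenarios on this page, over a
constructed JSON-lines access log. Example code added to this page; log
schema, thresholds and window are assumptions."""
import json
import re
from collections import defaultdict, deque

WINDOW = 60  # seconds (assumed)
THRESHOLDS = {            # events per key within WINDOW before alerting (assumed)
    "brute_force": 10,    # failed logins per account or per source IP
    "id_enumeration": 20, # distinct /api/users/<id> objects read by one subject
    "admin_probe": 5,     # 403s on /api/admin/* for one subject
    "token_tamper": 5,    # rejected-signature / malformed tokens per source IP
}
USER_OBJ = re.compile(r"^/api/users/(\d+)$")


def classify(rec: dict) -> list:
    """Map one log record to (rule, key, distinct_value) hits; distinct_value
    is the object ID for enumeration (counted unique) and None otherwise."""
    hits = []
    path, status = rec["path"], rec["status"]
    if path == "/api/login" and status == 401:
        hits.append(("brute_force", f"user={rec.get('user')}", None))
        hits.append(("brute_force", f"ip={rec['src_ip']}", None))
    m = USER_OBJ.match(path)
    if m and status == 200 and rec.get("sub"):
        hits.append(("id_enumeration", f"sub={rec['sub']}", m.group(1)))
    if path.startswith("/api/admin/") and status == 403 and rec.get("sub"):
        hits.append(("admin_probe", f"sub={rec['sub']}", None))
    if status == 401 and rec.get("reason") in ("bad_signature", "malformed_token"):
        hits.append(("token_tamper", f"ip={rec['src_ip']}", None))
    return hits


def detect(lines, window: int = WINDOW, thresholds: dict = THRESHOLDS) -> list:
    """Emit one alert per (rule, key) the first time its count within the
    window reaches the threshold. Input lines must be in timestamp order."""
    events = defaultdict(deque)  # (rule, key) -> deque of (ts, distinct_value)
    alerted, alerts = set(), []
    for line in lines:
        rec = json.loads(line)
        for rule, key, distinct in classify(rec):
            q = events[(rule, key)]
            q.append((rec["ts"], distinct))
            while q and q[0][0] < rec["ts"] - window:
                q.popleft()
            count = len({d for _, d in q}) if distinct is not None else len(q)
            if count >= thresholds[rule] and (rule, key) not in alerted:
                alerted.add((rule, key))
                alerts.append({"rule": rule, "key": key, "count": count, "ts": rec["ts"]})
    return alerts


def sample_log(start: int = 1_700_000_000) -> list:
    """Constructed log reproducing the page's four scenarios plus benign noise."""
    recs, t = [], start
    for i in range(12):   # 12 wrong passwords for one account from one IP
        recs.append({"ts": t + i, "src_ip": "198.51.100.7", "method": "POST",
                     "path": "/api/login", "status": 401, "user": "victim"})
    t += 100
    for i in range(25):   # 25 sequential user objects read by one token subject
        recs.append({"ts": t + i, "src_ip": "203.0.113.5", "method": "GET",
                     "path": f"/api/users/{1001 + i}", "status": 200, "sub": "u-77"})
    t += 100
    for i in range(6):    # repeated admin endpoint access by a normal user
        recs.append({"ts": t + i, "src_ip": "203.0.113.5", "method": "GET",
                     "path": "/api/admin/dashboard", "status": 403, "sub": "u-77"})
    t += 100
    for i in range(6):    # tampered tokens rejected at signature check
        recs.append({"ts": t + i, "src_ip": "192.0.2.9", "method": "GET",
                     "path": "/api/user/profile", "status": 401, "reason": "bad_signature"})
    recs.append({"ts": t + 500, "src_ip": "192.0.2.10", "method": "POST",  # benign typo
                 "path": "/api/login", "status": 401, "user": "alice"})
    recs.append({"ts": t + 501, "src_ip": "192.0.2.10", "method": "GET",   # own profile
                 "path": "/api/users/42", "status": 200, "sub": "u-42"})
    return [json.dumps(r) for r in recs]


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(json.dumps(alert))
```

Counting distinct object IDs rather than raw requests for the enumeration rule keeps a client that polls its own record from tripping it, and the per-key first-alert set stops a single burst from paging once per request; both are deliberate, since a rule that is noisy in normal traffic is the one that gets disabled.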


White Box

Cheat Sheet