Web applications are an integral part of modern digital systems, supporting activities such as data management, communication, and online services. However, many web applications remain vulnerable to cyber threats due to insecure coding practices, lack of input validation, and weak access control mechanisms. These vulnerabilities can be exploited by attackers to gain unauthorized access, manipulate data, and compromise system integrity. This study focuses on analysing and reconstructing web application attacks using a digital forensic approach in a controlled environment. A vulnerable web application was developed using PHP and MySQL and deployed on a local XAMPP server. The application included basic functionalities such as user authentication and data management, with intentionally introduced security flaws to simulate real-world scenarios. Several controlled attacks, including SQL Injection, authentication bypass, and Insecure Direct Object Reference (IDOR), were performed to evaluate how these vulnerabilities can be exploited. During the attack execution, digital artefacts were generated in the form of Apache server logs and application logs. These logs contained critical information such as timestamps, request methods, IP addresses, and user inputs. The collected log data was systematically analysed to identify abnormal patterns, including repeated login attempts, suspicious input values, and unauthorized access requests. Based on this analysis, the sequence of attacker actions was reconstructed, providing a clear understanding of how the attacks were carried out step-by-step. The results of this study demonstrate that log analysis plays a crucial role in detecting and investigating web application attacks. Even in compromised systems, logs can serve as reliable forensic evidence to trace attacker behaviour. 
The study highlights the importance of implementing secure coding practices, proper validation mechanisms, and effective logging systems to enhance web application security and support digital forensic investigations.
Introduction
Web applications are widely used in critical services but remain highly vulnerable due to issues like insecure coding, weak authentication, and poor input validation. This leads to common attacks such as SQL Injection, authentication bypass, and Insecure Direct Object Reference (IDOR), which allow attackers to access or manipulate sensitive data.
The study emphasizes that beyond prevention, it is equally important to understand how attacks are detected and reconstructed using digital forensics. Server logs (e.g., Apache logs) and application logs are key sources of evidence, containing details like IP addresses, timestamps, URLs, and request patterns. These logs help investigators trace attacker behavior and reconstruct the timeline of attacks.
The research is conducted through a controlled environment using a deliberately vulnerable PHP-MySQL web application (XAMPP). Attacks are simulated to generate forensic evidence, which is then analyzed to understand how exploitation occurs step by step.
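The log-analysis step described above can be sketched as follows. This is an added example, not code from the study: the log lines are constructed, and the paths (/login.php, /view.php), the id parameter and the threshold of 3 are assumptions. It also assumes the lab application passes form values in the query string so that they appear in the Apache access log; with POST forms the same values would be read from the application log instead.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log sample (documentation IPs, hypothetical paths and parameters).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2025:10:00:01 +0000] "GET /login.php?user=admin&pass=a HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2025:10:00:03 +0000] "GET /login.php?user=admin&pass=b HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2025:10:00:05 +0000] "GET /login.php?user=admin%27+OR+%271%27%3D%271&pass=x HTTP/1.1" 302 0
192.0.2.10 - - [12/Mar/2025:10:00:09 +0000] "GET /view.php?id=1 HTTP/1.1" 200 900
192.0.2.10 - - [12/Mar/2025:10:00:10 +0000] "GET /view.php?id=2 HTTP/1.1" 200 900
192.0.2.10 - - [12/Mar/2025:10:00:11 +0000] "GET /view.php?id=3 HTTP/1.1" 200 900
198.51.100.7 - - [12/Mar/2025:10:00:04 +0000] "GET /view.php?id=7 HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# Heuristic markers of SQL syntax in decoded parameter values; tune per application.
SQLI_RE = re.compile(r"'|--|\bunion\b|\bor\b\s+\S+\s*=", re.I)

def parse(line):
    if not (m := LINE_RE.match(line)):
        return None  # not an access-log line
    ip, ts, _method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path, "params": dict(parse_qsl(url.query)), "status": int(status)}

def reconstruct(log_text, login_path="/login.php", threshold=3):
    """Return time-ordered (timestamp, ip, path, tags) tuples for flagged requests."""
    events = sorted(filter(None, map(parse, log_text.splitlines())), key=lambda e: e["time"])
    logins, ids = defaultdict(int), defaultdict(set)
    timeline = []
    for e in events:
        tags = []
        if any(SQLI_RE.search(v) for v in e["params"].values()):
            tags.append("suspicious-input")
        if e["path"] == login_path:  # repeated login attempts from one client
            logins[e["ip"]] += 1
            if logins[e["ip"]] >= threshold:
                tags.append("repeated-login")
        obj_id = e["params"].get("id", "")
        if obj_id.isdigit():  # one client walking through object ids
            ids[e["ip"], e["path"]].add(obj_id)
            if len(ids[e["ip"], e["path"]]) >= threshold:
                tags.append("id-enumeration")
        if tags:
            timeline.append((e["time"].isoformat(), e["ip"], e["path"], tags))
    return timeline
```

Calling reconstruct(SAMPLE_LOG) yields two flagged events for 192.0.2.10 in time order, while the single request from 198.51.100.7 is not flagged.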
A review of literature shows that:
SQL injection and XSS are the most studied vulnerabilities.
Machine learning and deep learning are widely used for detection.
Log analysis is crucial for intrusion detection and forensic investigation.
However, most studies focus on detection rather than forensic reconstruction of real attack scenarios.
The identified research gap is the lack of studies that:
Combine multiple attack types in one framework
Focus on forensic reconstruction using real log data
Demonstrate end-to-end attack simulation and investigation
Evaluate the role of logging in security and investigation
Conclusion
This study successfully demonstrated the forensic reconstruction of web application attacks in a controlled environment. A vulnerable web application was developed using PHP and MySQL, incorporating basic functionalities such as user authentication and CRUD operations. The application was intentionally designed with security weaknesses to simulate real-world vulnerabilities. Various controlled attacks, including SQL Injection, authentication bypass, and Insecure Direct Object Reference (IDOR), were performed on the application. The results showed that the absence of proper input validation, weak authentication mechanisms, and lack of access control can lead to serious security breaches.
During the execution of these attacks, digital forensic artefacts were generated in the form of Apache server logs and application logs. These logs provided valuable information such as request patterns, timestamps, and user activities. By analysing these artefacts, it was possible to identify suspicious behavior and reconstruct the sequence of attacker actions.
The study highlights the importance of log analysis in digital forensic investigations. Even when a system is compromised, logs serve as critical evidence for tracing attacker behavior and understanding how vulnerabilities are exploited. Overall, the research emphasizes the need for secure coding practices, proper validation mechanisms, and effective logging systems to enhance web application security and support forensic investigations.