A log injection vulnerability arises when a log entry contains unsanitized user input. A malicious user can insert fake log data and consequently deceive system administrators as to the system's behavior (OWASP 2008). For example, a user might split a legitimate log entry into two log entries by entering a carriage return and line feed (CRLF) sequence, either of which might be misleading. Log injection attacks can be prevented by sanitizing and validating any untrusted input sent to a log.
Logging unsanitized user input can also result in leaking sensitive data across a trust boundary, or storing sensitive data in a manner that is contrary to violates local law or regulation. See rule IDS00-J . Sanitize untrusted data passed across a trust boundary for more details on input sanitization. For instanceexample, if a user is able to can inject an unencrypted credit card number into a log file, the system could violate PCI DSS regulations (PCI DSS Standard2010).
Noncompliant Code Example
...
Without sanitization, a log injection attack is possible. A standard log message when username is "david" might look like this:
| Code Block |
|---|
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: david |
...
This compliant solution sanitizes the username input before logging it, preventing injection attacks. Refer to rule IDS00-J . Sanitize untrusted data passed across a trust boundary for more details on input sanitization.
...
Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that is contrary to violates a local law or regulation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS03-J | medium | probable | medium | P8 | L2 |
Related Guidelines
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ca87d5b5bc061d27-40fc4f57-400d47b5-b07bbd6c-3ea5867661112d94aac5eda8"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | " Injection [RST] " | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-144, ". Improper Neutralization of Line Delimiters " | ||||
| CWE-150, ". Improper Neutralization of Escape, Meta, or Control Sequences " |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8ac2842122c8d1a4-8cc69b23-4c794098-83b28d81-c42bd8a1578a5ee52766b75e"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | ]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e1e67a38cd49964c-9b509acf-4c7b46e9-bb86bcdc-4705155c47d2cd51b118a457"><ac:plain-text-body><![CDATA[ | [[OWASP 2008 | AA. Bibliography#OWASP 08]] | [Log Injection | https://www.owasp.org/index.php/Log_injection] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="241c1f4f1453eb9c-bcaf8d2b-48d24b6b-b708a696-0a69ff5eba0a71d49c5a05d7"><ac:plain-text-body><![CDATA[ | [[PCI DSS Standard | https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml]] | ]]></ac:plain-text-body></ac:structured-macro> |
...