A log injection vulnerability arises when a log entry contains unsanitized user input. A malicious user can insert fake log data and consequently deceive system administrators as to the system's behavior [OWASP 2008]. For example, an attacker might split a legitimate log entry into two log entries by entering a carriage return and line feed (CRLF) sequence to mislead an auditor. Log injection attacks can be prevented by sanitizing and validating any untrusted input sent to a log.
Logging unsanitized user input can also result in leaking sensitive data across a trust boundary. For example, an attacker might inject a script into a log file such that when the file is viewed using a web browser, the browser could provide the attacker with a copy of the administrator's cookie so that the attacker might gain access as the administrator.
...
This noncompliant code example logs untrusted data from an unauthenticated user without data sanitization.
| Code Block | ||
|---|---|---|
| ||
if (loginSuccessful) {
logger.severe("User login succeeded for: " + username);
} else {
logger.severe("User login failed for: " + username);
}
|
...
If the username that is used in a log message was is not guest , but rather a multiline string like this:
...
Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that violates a local law or regulation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
IDS03-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Fortify | Log_Forging | Implemented | |
| Klocwork | SVLOG_FORGING | Implemented |
...
Injection [RST] | |
CWE-144, Improper neutralization of line delimiters | |
| MITRE CAPEC | CAPEC-93: , Log Injection-Tampering-Forging |
...
[API 2006] | Java Platform, Standard Edition 6 API Specification |
| [Seacord 2015] |
...