...
Without sanitization, a log injection attack is possible. A standard log message when the username is david guest might look like this:

```
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login failed for: guest david
```
If the username that is used in a log message was not david guest, but rather a multiline string like this:

```
davidguest
May 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login succeeded for: administrator
```
...
```
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log
SEVERE: User login failed for: guest david
May 15, 2011 2:25:52 PM java.util.logging.LogManager log
SEVERE: User login succeeded for: administrator
```
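The forged entry above exists only because the untrusted username reaches the logger with its line breaks intact. The following Java class is an added example, not code from the page or from the CERT standard: it validates the username against an allowlist before logging it, and, when validation fails, logs a neutralised copy in which CR, LF and other control characters are replaced by visible escape sequences so the value can never start a new log line. The allowlist pattern, the method names and the constructed multiline input are assumptions made for this example.

```java
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class LogSanitizer {
    private static final Logger LOGGER = Logger.getLogger(LogSanitizer.class.getName());

    // Allowlist for usernames (assumption for this example): letters, digits, underscore.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9_]+");

    /** True only if the username consists solely of allowlisted characters. */
    static boolean isSafeUsername(String username) {
        return username != null && SAFE_USERNAME.matcher(username).matches();
    }

    /**
     * Replaces CR, LF and every other ISO control character with a visible
     * escape so the returned string occupies exactly one line in the log.
     */
    static String neutralize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (Character.isISOControl(c)) {
                sb.append("\\x").append(String.format("%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Logs a failed login without ever echoing an unvalidated value verbatim. */
    static void logFailedLogin(String username) {
        if (isSafeUsername(username)) {
            LOGGER.severe("User login failed for: " + username);
        } else {
            // The neutralised form keeps the evidence for an investigator on one line.
            LOGGER.severe("User login failed for unauthorized user (sanitized value: "
                    + neutralize(username) + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed input modelled on the multiline username shown in the text.
        String forged = "guest\r\nMay 15, 2011 2:25:52 PM java.util.logging.LogManager log\r\n"
                + "SEVERE: User login succeeded for: administrator";

        logFailedLogin("guest");  // passes the allowlist, logged as-is
        logFailedLogin(forged);   // rejected; CR/LF appear as literal \r and \n in one record
    }
}
```

With this in place the second call produces a single SEVERE record whose message shows `\r\n` literally, so a reader or a log parser can see that the value contained line breaks instead of being presented with a fake "login succeeded" entry. Rejecting on the allowlist is the primary control; the neutralised copy is only a defence in depth for the rejected path.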
...