Page History

...

This compliant solution uses a text logger that automatically sanitizes its input. A sanitized logger saves the developer from having to worry about unsanitized log messages.

Code Block

bgColor	#ccccff

Logger sanLogger = new SanitizedTextLogger(logger);

if (loginSuccessful) {
  sanLogger.severe("User login succeeded for: " + username);
} else {
  sanLogger.severe("User login failed for: " + username);
}

...

Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that violates a local law or regulation.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
IDS03-J	Medium	Probable	Medium	P8	L2

Automated Detection

Tool

Version

Checker

Description

The Checker Framework

Include Page

	The Checker Framework_V
	The Checker Framework_V

Tainting Checker

Trust and security errors (see Chapter 8)

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.IO.TAINT.LOG

Tainted Log (Java)

Fortify

	Log_Forging	Implemented
Klocwork

Include Page

	Klocwork_V
	Klocwork_V

SVLOG_FORGING

Implemented

Parasoft Jtest

Include Page

java:

	Parasoft_V

java:

	Parasoft_V

BD-SECURITY-

CERT.IDS03.TDLOG

Implemented

Protect against log forging

Related Guidelines

ISO/IEC TR 24772:2013	Injection [RST]
MITRE CWE	CWE-144, Improper neutralization of line delimiters CWE-150, Improper neutralization of escape, meta, or control sequences CWE-117, Improper Output Neutralization for Logs
MITRE CAPEC	CAPEC-93, Log Injection-Tampering-Forging

Bibliography

[API 2006]	Java Platform, Standard Edition 6 API Specification
[OWASP 2008]


[Seacord 2015]	Image Modified IDS03-J. Do not log unsanitized user input LiveLesson

...

Space shortcuts

Page tree

Versions Compared

Old Version 122

New Version Current

Key

Automated Detection

Related Guidelines

Bibliography