A log injection vulnerability arises when the original a log entry can be altered to form one or more altogether different entries. Execution of this altered entry may result in log data that is deceptive and fraudulent.Log injection vulnerabilities may result from including untrusted input in log files. For example, a user contains unsanitized user input. A malicious user can insert fake log data and consequently deceive system administrators as to the system's behavior [OWASP 2008]. For example, an attacker might split a legitimate log entry into two log entries by entering a carriage return and line feed (CRLF) sequence , either of which might be misleadingto mislead an auditor. Log injection attacks can be prevented by sanitizing and validating any untrusted input sent to a log.
Logging unsanitized user input can also result in leaking sensitive data across a trust boundary, or storing sensitive data in a manner that is contrary to local law or regulation. See rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization. For example, an attacker might inject a script into a log file such that when the file is viewed using a web browser, the browser could provide the attacker with a copy of the administrator's cookie so that the attacker might gain access as the administrator.
Noncompliant Code Example
This noncompliant code example logs the user's login name when an invalid request is received. No input sanitization is performed untrusted data from an unauthenticated user without data sanitization.
Code Block | ||
---|---|---|
| ||
if (loginSuccessful) {
logger.severe("User login succeeded for: " + username);
} else {
logger.severe("User login failed for: " + username);
}
|
Without sanitization, a log injection attack is possible. A standard log message when username
is "david" guest
might look like this:
Code Block |
---|
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: guest david |
If the username
that is used in a log message was is not david
, guest
but rather a multiline string like this:
Code Block |
---|
guest david May 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log SEVERE: User login succeeded for: administrator |
the log would contain the following misleading data:
Code Block |
---|
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: davidguest May 15, 2011 2:25:52 PM java.util.logging.LogManager log SEVERE: User login succeeded for: administrator |
Compliant Solution (Sanitized User)
This compliant solution sanitizes the username
input before before logging it, preventing injection . Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.attacks.
Code Block | ||
---|---|---|
| ||
if (loginSuccessful) {
logger.severe("User login succeeded for: " + sanitizeUser(username));
} else {
logger.severe("User login failed for: " + sanitizeUser(username));
} |
The sanitization is done by a dedicated method for sanitizing user names:
Code Block | ||
---|---|---|
| ||
if (!public String sanitizeUser(String username) { return Pattern.matches("[A-Za-z0-9_]+", username)) { // Unsanitized username logger.severe("User login failed for ? username : "unauthorized user"); } |
Compliant Solution (Sanitized Logger)
This compliant solution uses a text logger that automatically sanitizes its input. A sanitized logger saves the developer from having to worry about unsanitized log messages.
Code Block | ||
---|---|---|
| ||
Logger sanLogger = new SanitizedTextLogger(logger); else if (loginSuccessful) { loggersanLogger.severe("User login succeeded for: " + username); } else { loggersanLogger.severe("User login failed for: " + username); } |
The sanitized text logger takes as delegate an actual logger. We assume the logger outputs text log messages to a file, network, or the console, and each log message has no indented lines. The sanitized text logger sanitizes all text to be logged by indenting every line except the first by two spaces. While a malicious user can indent text by more, a malicious user cannot create a fake log entry because all of her output will be indented, except for the real log output.
Code Block | ||
---|---|---|
| ||
class SanitizedTextLogger extends Logger { Logger delegate; public SanitizedTextLogger(Logger delegate) { super(delegate.getName(), delegate.getResourceBundleName()); this.delegate = delegate; } public String sanitize(String msg) { Pattern newline = Pattern.compile("\n"); Matcher matcher = newline.matcher(msg); return matcher.replaceAll("\n "); } public void severe(String msg) { delegate.severe(sanitize(msg)); } // .. Other Logger methods which must also sanitize their log messages } |
Risk Assessment
Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that is contrary to violates a local law or regulation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS03-J |
Medium |
Probable |
Medium | P8 | L2 |
Related Guidelines
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Tainting Checker | Trust and security errors (see Chapter 8) | ||||||
CodeSonar |
| JAVA.IO.TAINT.LOG | Tainted Log (Java) | ||||||
Fortify | Log_Forging | Implemented | |||||||
Klocwork |
| SVLOG_FORGING | Implemented | ||||||
Parasoft Jtest |
| CERT.IDS03.TDLOG | Protect against log forging |
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="45600e22-a548-4f6b-9be5-6f14e3850272"><ac:plain-text-body><![CDATA[
[ISO/IEC TR 24772:2010
http://www.aitcnet.org/isai/]
"Injection [RST]"
]]></ac:plain-text-body></ac:structured-macro>
Injection [RST] |
Improper |
neutralization of line delimiters |
Improper |
neutralization of |
escape, |
meta, or |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3b3b7b02-3b0b-4f71-9c2e-58ebb4c1daff"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | ]]></ac:plain-text-body></ac:structured-macro> |
control sequences | |
MITRE CAPEC | CAPEC-93, Log Injection-Tampering-Forging |
Bibliography
...
IDS03-J. Validate all data passed in through environment variables and non-default properties IDS04-J. Limit the size of files passed to ZipInputStream