A log injection vulnerability arises when a log entry contains unsanitized user input. A malicious user can insert fake log data and consequently deceive system administrators as to the system's behavior [OWASP 2008]. For example, a user might split a legitimate log entry into two log entries by entering a carriage return and line feed (CRLF) sequence, either of which might be misleading. Log injection attacks can be prevented by sanitizing and validating any untrusted input sent to a log.
Logging unsanitized user input can also result in leaking sensitive data across a trust boundary. For example, an attacker might inject a script into the log file such that, if viewed using a web browser, could provide the attacker with a copy of the operator/administrator's cookie so that he might gain access as that user. See IDS00-J. Prevent SQL Injection for more details on input sanitization.
Noncompliant Code Example
This noncompliant code example logs untrusted data from an unauthenticated user without data sanitization.
if (loginSuccessful) { logger.severe("User login succeeded for: " + username); } else { logger.severe("User login failed for: " + username); }
Without sanitization, a log injection attack is possible. A standard log message when username
is guest
might look like this:
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: guest
If the username
that is used in a log message was not guest
, but rather a multiline string like this:
guest May 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log SEVERE: User login succeeded for: administrator
the log would contain the following misleading data:
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: guest May 15, 2011 2:25:52 PM java.util.logging.LogManager log SEVERE: User login succeeded for: administrator
Compliant Solution
This compliant solution just validates the username
input before logging it, preventing injection attacks.
if (!Pattern.matches("[A-Za-z0-9_]+", username)) { // Unsanitized username logger.severe("User login failed for unauthorized user"); } else if (loginSuccessful) { logger.severe("User login succeeded for: " + username); } else { logger.severe("User login failed for: " + username); }
Risk Assessment
Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that violates a local law or regulation.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
IDS03-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Fortify | Log_Forging | Implemented | |
Klocwork | SVLOG_FORGING | Implemented |
Related Guidelines
Injection [RST] | |
CWE-144, Improper neutralization of line delimiters | |
MITRE CAPEC | CAPEC-93: Log Injection-Tampering-Forging |
Bibliography