A log injection vulnerability arises when a log entry contains unsanitized user input. A malicious user can insert fake log data and consequently deceive system administrators as to the system's behavior [OWASP 2008]. For example, an attacker might split a legitimate log entry into two log entries by entering a carriage return and line feed (CRLF) sequence to mislead an auditor. Log injection attacks can be prevented by sanitizing and validating any untrusted input sent to a log.
Logging unsanitized user input can also result in leaking sensitive data across a trust boundary. For example, an attacker might inject a script into a log file such that when the file is viewed using a web browser, the browser could provide the attacker with a copy of the administrator's cookie so that the attacker might gain access as the administrator.
Noncompliant Code Example
Without sanitization, a log injection attack is possible. A standard log message when
guest might look like this:
username that is used in a log message is not
guest but rather a multiline string like this:
the log would contain the following misleading data:
Compliant Solution (Sanitized User)
This compliant solution sanitizes the
username before logging it, preventing injection attacks.
The sanitization is done by a dedicated method for sanitizing user names:
Compliant Solution (Sanitized Logger)
This compliant solution uses a text logger that automatically sanitizes its input. A sanitized logger saves the developer from having to worry about unsanitized log messages.
The sanitized text logger takes as delegate an actual logger. We assume the logger outputs text log messages to a file, network, or the console, and each log message has no indented lines. The sanitized text logger sanitizes all text to be logged by indenting every line except the first by two spaces. While a malicious user can indent text by more, a malicious user cannot create a fake log entry because all of her output will be indented, except for the real log output.
Allowing unvalidated user input to be logged can result in forging of log entries, leaking secure information, or storing sensitive data in a manner that violates a local law or regulation.
|The Checker Framework|
|Tainting Checker||Trust and security errors (see Chapter 8)|
Tainted Log (Java)
|CERT.IDS03.TDLOG||Protect against log forging|
CAPEC-93, Log Injection-Tampering-Forging
|Java Platform, Standard Edition 6 API Specification|
IDS03-J. Do not log unsanitized user input LiveLesson