Log Forging

ID

go.log_forging

Severity

high

Resource

Injection

Language

Go

Tags

CWE:117, NIST.SP.800-53, OWASP:2021:A9, PCI-DSS:10.5.2

Description

Improper neutralization of special elements in log output ('Log Forging').

Rationale

Log forging occurs when an application writes user-controlled input into a log without sanitization or encoding.

This lets an attacker add misleading or harmful entries to the log: by embedding newline or carriage-return characters the attacker terminates the current record and appends fabricated ones, and by embedding terminal escape sequences the attacker can alter how subsequent entries are displayed to whoever reviews the log.

For example, consider the following Go code:

package main

import (
	"log"
	"net/http"
)

func handler(w http.ResponseWriter, req *http.Request) {
	// Check if 'username' is present in the URL query
	usernames, ok := req.URL.Query()["username"]

	if !ok || len(usernames[0]) < 1 {
		log.Println("Username not provided")
		return
	}

	// The query value is written into the log record verbatim
	username := usernames[0]
	log.Printf("User %s logged in.\n", username)

	// Respond back to the client
	w.Write([]byte("Welcome, " + username))
}

func main() {
	http.HandleFunc("/login", handler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}

Here, the user-supplied username query parameter is logged without validation or encoding. Because the value reaches the log verbatim, an attacker can send newline or carriage-return characters (for example, %0A or %0D in the URL) to end the current record and append fabricated entries, or include other control characters that are interpreted by the log viewer rather than shown as data.

Remediation

To remediate issues related to log forging in your applications, follow these key practices:

  1. Sanitize User Input: Always sanitize user input before including it in log entries. This means stripping or encoding characters that could manipulate the log format, in particular newlines, carriage returns and other control characters such as terminal escape sequences.

  2. Use Encoding Libraries: When applicable, use libraries that automatically handle encoding, making it more difficult for attackers to inject malicious content into logs.

  3. Escape Special Characters: Implement mechanisms to escape or transform special characters within user inputs to prevent them from being interpreted as control characters within the log.

  4. Regular Log Reviews: Regularly review your logs for suspicious patterns or anomalies that may indicate attempts at log forging or other log-related attacks.

By following these practices, you can mitigate the risks of log forging in your applications, thereby maintaining the integrity and trustworthiness of your logging processes.
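The following added example (written for this page, not code from the detector or from the original snippet above) puts the vulnerable handler beside a hardened one and runs a constructed forged username through both so the difference is visible in the resulting log records. The hardened handler uses an assumed helper, NeutralizeForLog, which rewrites every non-printable rune (newline, carriage return, ESC, DEL, ...) into a visible escape sequence and escapes backslashes so the result is unambiguous; printable text passes through unchanged. Both handlers log through a *log.Logger so the output can be captured in memory.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"unicode"
)

// NeutralizeForLog (assumed helper, not part of any library) makes s safe to
// embed in a single log record: every rune that is not printable is replaced
// by its Go escape sequence (\n, \r, \x1b, \u200b, ...) and backslashes are
// doubled so a literal "\n" in the input cannot be confused with an escaped
// newline. Printable text, including spaces and non-ASCII letters, is kept.
func NeutralizeForLog(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r == '\\':
			b.WriteString(`\\`)
		case !unicode.IsPrint(r):
			q := strconv.QuoteRune(r) // e.g. '\n' -> `'\n'`, ESC -> `'\x1b'`
			b.WriteString(q[1 : len(q)-1]) // drop the surrounding single quotes
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// vulnerableHandler mirrors the original snippet: the query value reaches the
// log verbatim, so an embedded newline starts a new, attacker-written record.
func vulnerableHandler(logger *log.Logger) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		username := req.URL.Query().Get("username")
		if username == "" {
			logger.Println("Username not provided")
			return
		}
		logger.Printf("User %s logged in.", username)
		w.Write([]byte("Welcome"))
	}
}

// hardenedHandler neutralizes the value first, so the whole input stays inside
// one record no matter which control characters it contains.
func hardenedHandler(logger *log.Logger) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		username := req.URL.Query().Get("username")
		if username == "" {
			logger.Println("Username not provided")
			return
		}
		logger.Printf("User %s logged in.", NeutralizeForLog(username))
		w.Write([]byte("Welcome"))
	}
}

// logLinesFor drives a handler with a constructed request carrying username
// and returns the log records it produced, one element per line. Timestamps
// are disabled so the output is deterministic.
func logLinesFor(build func(*log.Logger) http.HandlerFunc, username string) []string {
	var buf bytes.Buffer
	logger := log.New(&buf, "", 0)
	req := httptest.NewRequest(http.MethodGet, "/login?username="+url.QueryEscape(username), nil)
	rec := httptest.NewRecorder()
	build(logger)(rec, req)
	return strings.Split(strings.TrimRight(buf.String(), "\n"), "\n")
}

func main() {
	// Constructed attacker input: the newlines make the middle fragment look
	// like an independent record claiming that "admin" logged in.
	forged := "alice\nUser admin logged in.\nUser bob"

	fmt.Println("vulnerable handler wrote:")
	for _, line := range logLinesFor(vulnerableHandler, forged) {
		fmt.Println("  " + line)
	}
	fmt.Println("hardened handler wrote:")
	for _, line := range logLinesFor(hardenedHandler, forged) {
		fmt.Println("  " + line)
	}
}
```

With the forged input the vulnerable handler emits three records, the second of which ("User admin logged in.") is entirely attacker-authored, while the hardened handler emits a single record in which the newlines appear as the two characters \n. If you do not want a custom helper, Go's fmt %q verb (strconv.Quote) applies the same escaping and additionally wraps the value in double quotes, which makes the boundaries of untrusted data explicit in the log.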

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check.

  • neutralizations, which indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References