Log Forging
ID: java.log_forging
Severity: high
Resource: Injection
Language: Java
Tags: CWE:117, NIST.SP.800-53, OWASP:2021:A9, PCI-DSS:10.5.2
Rationale
Log forging occurs when developers write user input directly into log entries without proper sanitization or encoding.
This lets an attacker add misleading or harmful entries to log files: input containing new lines or escape characters can split one entry into several, alter how later entries are displayed, or fabricate entries that never happened.
Consider a simple Java application example demonstrating this vulnerability:
import java.util.logging.Level;
import java.util.logging.Logger;

public class UserInputLogger {
    private static final Logger logger = Logger.getLogger(UserInputLogger.class.getName());

    public void logUserAction(String userId, String action) {
        // Potential Vulnerability: the raw 'action' value is concatenated into the
        // message pattern, so any line breaks or control characters it contains
        // are written to the log verbatim.
        logger.log(Level.INFO, "User {0} performed action: " + action, new Object[]{userId});
    }
}
In this case, if an attacker controls the action parameter, they can supply new lines or unexpected characters to forge additional log entries or alter how existing ones are read, misleading any subsequent log analysis.
Remediation
To remediate issues related to log forging in your applications, follow these key practices:
- Sanitize User Input: Always sanitize user input before including it in log entries. This involves stripping or encoding characters that could manipulate log formats, such as new lines or terminator sequences.
- Use Encoding Libraries: When applicable, use libraries that automatically handle encoding, making it more difficult for attackers to inject malicious content into logs.
- Escape Special Characters: Implement mechanisms to escape or transform special characters within user inputs to prevent them from being interpreted as control characters within the log.
- Regular Log Reviews: Regularly review your logs for suspicious patterns or anomalies that may indicate attempts at log forging or other log-related attacks.
By following these practices, you can mitigate the risks of log forging in your applications, thereby maintaining the integrity and trustworthiness of your logging processes.
A sanitized version would look like this:
public void logUserAction(String userId, String action) {
    // Sanitizing user input: replace carriage returns and line feeds so a single
    // value can no longer span several log lines.
    String sanitizedAction = action.replaceAll("[\\r\\n]", "_");
    // The sanitized value is passed as a message parameter rather than being
    // concatenated into the pattern string.
    logger.log(Level.INFO, "User {0} performed action: {1}", new Object[]{userId, sanitizedAction});
}
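The one-line replacement above neutralizes the two characters that split a log line, but a practitioner will usually want to go further: keep the attacker's input recognizable for forensics instead of flattening it to underscores, cover the other control characters (tab, backspace, ESC) that terminal-based log viewers interpret, and bound the length of what is logged. The following class is an added example written for this page, not part of the detector's or any project's code; the names LogNeutralizer, neutralize and the sample input are assumptions made here.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class LogNeutralizer {
    private static final Logger logger = Logger.getLogger(LogNeutralizer.class.getName());

    /**
     * Neutralizes a user-controlled value before it is written to a log entry.
     * CR, LF and TAB are rewritten as the visible two-character escapes \\r, \\n
     * and \\t, so one entry can never be split into several lines while the
     * original input stays readable to an investigator. Every other ISO control
     * character (for example ESC, which starts ANSI terminal sequences, and
     * backspace) is rendered as a backslash-u hex escape. The result is capped
     * at maxLength so an oversized value cannot flood the log.
     */
    static String neutralize(String value, int maxLength) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(Math.min(value.length(), maxLength));
        int i = 0;
        for (; i < value.length() && sb.length() < maxLength; i++) {
            char c = value.charAt(i);
            if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\t') {
                sb.append("\\t");
            } else if (Character.isISOControl(c)) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        if (i < value.length()) {
            // Mark the cut so a reviewer knows the logged value is incomplete.
            sb.append("...[truncated]");
        }
        return sb.toString();
    }

    static void logUserAction(String userId, String action) {
        // Both values are passed as message parameters, never concatenated into
        // the pattern string, so user input cannot alter the pattern either.
        logger.log(Level.INFO, "User {0} performed action: {1}",
                new Object[]{neutralize(userId, 64), neutralize(action, 256)});
    }

    public static void main(String[] args) {
        // Constructed sample input: an action value carrying a line break followed
        // by text shaped like a second, fabricated log entry.
        String forgedAction = "view_profile\nINFO: User admin performed action: grant_role";
        // Written verbatim this would occupy two lines; neutralized it stays on one.
        System.out.println(neutralize(forgedAction, 256));
        logUserAction("u123", forgedAction);
    }
}
```

Escaping rather than deleting is the design choice here: the neutralized entry still shows exactly what the user sent, which is what the "Regular Log Reviews" practice above depends on when distinguishing a forging attempt from ordinary input. The length cap is a separate concern from forging but is cheap to add in the same place.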
Configuration
The detector has the following configurable parameters:
- sources: indicates the source kinds to check.
- neutralizations: indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-117: Improper Output Neutralization for Logs.
- OWASP Logging Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html