Log Forging
ID: php.log_forging
Severity: high
Resource: Injection
Language: PHP
Tags: CWE:117, NIST.SP.800-53, OWASP:2021:A9, PCI-DSS:10.5.2
Rationale
Log forging occurs when an application writes user input to a log directly, without proper sanitization or encoding.
This makes it possible for an attacker to add misleading or harmful entries to log files, for example by including new-line or escape characters so that subsequent log entries appear altered or fabricated.
In PHP, consider the following vulnerable example:
<?php
// A simple logging mechanism: the request parameter is written to the log as-is
$user_input = $_GET['user_input'];
// Vulnerable: a value containing "\n" starts what looks like a new log entry
error_log("User action: $user_input");
?>
In this case, an attacker who controls the user_input parameter can supply new lines or other unexpected characters to forge additional log entries or alter the appearance of existing ones, misleading any subsequent log analysis.
Remediation
To remediate issues related to log forging in your applications, follow these key practices:
- Sanitize User Input: Always sanitize user input before including it in log entries. This involves stripping or encoding characters that could manipulate log formats, such as new lines or terminator sequences.
- Use Encoding Libraries: When applicable, use libraries that automatically handle encoding, making it more difficult for attackers to inject malicious content into logs.
- Escape Special Characters: Implement mechanisms to escape or transform special characters within user inputs to prevent them from being interpreted as control characters within the log.
- Regular Log Reviews: Regularly review your logs for suspicious patterns or anomalies that may indicate attempts at log forging or other log-related attacks.
By following these practices, you can mitigate the risks of log forging in your applications, thereby maintaining the integrity and trustworthiness of your logging processes.
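The following is an added example, not code from the original page or from the detector's own documentation, showing two of the practices above applied to the vulnerable snippet: an explicit neutralization helper that escapes CR, LF and other control characters (and truncates over-long values), and a structured alternative that relies on json_encode to perform the encoding. The helper names neutralizeForLog, logUserAction and logUserActionJson are hypothetical, and the forged input is a constructed sample.

```php
<?php
// Added example (not from the original page): neutralize user-controlled
// values before they reach the log so a single request cannot inject what
// looks like a second, fabricated log entry.

/**
 * Return a single-line, printable representation of $value for logging.
 * Hypothetical helper: CR, LF and tab are rendered as \r, \n and \t, every
 * other control character as \xNN, and backslashes are doubled first so the
 * escaped output stays unambiguous.
 */
function neutralizeForLog(string $value, int $maxLength = 256): string
{
    $value = str_replace('\\', '\\\\', $value);

    $named = ["\r" => '\\r', "\n" => '\\n', "\t" => '\\t'];
    $value = preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        static function (array $m) use ($named): string {
            return $named[$m[0]] ?? sprintf('\\x%02X', ord($m[0]));
        },
        $value
    );

    // Cap the length so one request cannot flood the log with a huge entry.
    if (strlen($value) > $maxLength) {
        $value = substr($value, 0, $maxLength) . '...[truncated]';
    }
    return $value;
}

/** Hardened version of the page's vulnerable error_log() call. */
function logUserAction(string $userInput): void
{
    error_log('User action: ' . neutralizeForLog($userInput));
}

/**
 * Alternative using an encoding library: json_encode escapes control
 * characters itself, so each entry is a single JSON object on one line.
 */
function logUserActionJson(string $userInput): void
{
    $entry = json_encode(
        ['event' => 'user_action', 'input' => $userInput],
        JSON_UNESCAPED_SLASHES
    );
    error_log($entry);
}

// Constructed sample: an attempt to append a forged "admin logged in" entry.
$forged = "logout\n[INFO] User admin logged in successfully";

logUserAction($forged);
// Logged as one line:
//   User action: logout\n[INFO] User admin logged in successfully

logUserActionJson($forged);
// Logged as one line:
//   {"event":"user_action","input":"logout\n[INFO] User admin logged in successfully"}
```

Both approaches keep the attacker-supplied new line visible in the entry (as the two-character sequence \n) rather than letting it terminate the line, so a reviewer or a log parser sees one entry whose content happens to contain a fake message, not two entries.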
Configuration
The detector has the following configurable parameters:
- sources, that indicates the source kinds to check.
- neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-117: Improper Output Neutralization for Logs.
- https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html