Security, by Pierre Colart

Logs injection

Context

Web applications use log files to record each transaction and maintain a history of events. These files are useful for debugging, data collection, and performance optimization. However, if these logs are manipulated, it can lead to several problems.

Log Injection (or Log Forgery) is a vulnerability that occurs when unvalidated, untrusted input is written into the system's log files. This allows an attacker to insert malicious data and false entries into the logs, which can eventually corrupt the file. Corrupted log files can be used to hide a hacking attempt and allow an attacker to access the system without a password. Since this attack targets the operating system and uses standard tools, it is very difficult to detect.

When not handled properly, log falsification attacks can result in identity theft and/or financial loss. Just like phishing emails that redirect users to fake websites, log falsification attacks can lead users to access false login pages.

For example, a web application may record unsuccessful login attempts by users in its logs.

 // Vulnerable: the raw "id" parameter is written to the log without validation or sanitization
 String id = request.getParameter("id");
 try {
     int user = Integer.parseInt(id);
     log.info("Successful sign in, ID=" + id);
 }
 catch (NumberFormatException e) {
     log.info("Failed sign in, ID=" + id);
 }

When a user exceeds the limit of unsuccessful attempts, the monitoring system generates an alert and records the information in a log file. Here's an example of a log:

 May 12:2022:10:43:10: Failed Login, ID=sha

An attacker attempting to brute-force the login can exploit this feature by falsifying the logs. By inserting false records, such as successful login events, the attacker can ensure that the failed-attempt counter is reset before the limit of unsuccessful attempts is reached. This vulnerability can be used to bypass the security measures in place and illegally gain access to the system.

 Sep%2022%3A2018%3A01%3A07%3A13%3A%20Successful%20Login%2C%20ID%3Dsha
 decodes to:
 Sep 22:2018:01:07:13: Successful Login, ID=sha

If user inputs are not validated or sanitized, falsified logs can easily render the monitoring system inoperative. In the previous case, two records are written, and if the falsified one is not detected, the attack succeeds.

 Sep 09:2022:01:12:13 : Échec de la connexion, Id=sha 
Sep 09:2022:01:13:13 : Connexion réussie, Id=sha

Context

Using a cloud-based logging application that renders logs directly in the browser can turn injected log content into an XSS vulnerability and open the door to other attacks. This can expose the cookies and other sensitive information of the administrative user viewing the logs to an attacker. Therefore, if the logs are not properly protected, they can be used to compromise the security of the system and give an attacker access to sensitive information.

Prevention

It is recommended to perform input validation on both the server and client sides to prevent log falsification attacks. Suspicious characters (above all the line breaks that let one input start a second log record) can be sanitized and replaced to avoid injection of malicious content. Additionally, the logging application used should be carefully examined to detect any vulnerability and ensure the security of the system.
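As an added illustration (not code from the original post), the vulnerable logging call from the example above is placed next to a hardened version that first validates the ID against an allow-list and then encodes control characters before anything untrusted reaches the log. The helper names, the numeric ID format and the constructed input are assumptions for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class LogInjectionDemo {

    // Allow-list: the article's code parses the ID as an integer, so anything else
    // is rejected before use (assumption: IDs are short decimal numbers).
    private static final Pattern ID_FORMAT = Pattern.compile("[0-9]{1,10}");

    static boolean isValidId(String id) {
        return id != null && ID_FORMAT.matcher(id).matches();
    }

    // Encode CR, LF and other control characters so user input can never terminate
    // the current record and start a forged one: one event stays one line.
    static String sanitize(String input) {
        if (input == null) return "null";
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c == '\r') sb.append("\\r");
            else if (c == '\n') sb.append("\\n");
            else if (Character.isISOControl(c) && c != '\t') sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    // Vulnerable form, as in the article: the raw parameter is concatenated into the log line.
    static String vulnerableLogLine(String id) {
        return "Failed sign in, ID=" + id;
    }

    // Hardened form: validate first, and sanitize whatever is logged about a rejected value.
    static String hardenedLogLine(String id) {
        if (isValidId(id)) return "Failed sign in, ID=" + id;
        return "Failed sign in, rejected ID=" + sanitize(id);
    }

    public static void main(String[] args) {
        // Constructed input in the spirit of the article's URL-encoded example: "sha"
        // followed by an encoded line break and a forged "Successful sign in" record.
        String raw = "sha%0ASep%2009%3A2022%3A01%3A13%3A13%20%3A%20Successful%20sign%20in%2C%20ID%3Dsha";
        String id = URLDecoder.decode(raw, StandardCharsets.UTF_8);
        System.out.println("--- vulnerable: two records appear ---");
        System.out.println(vulnerableLogLine(id));
        System.out.println("--- hardened: one record, the line break is visible as \\n ---");
        System.out.println(hardenedLogLine(id));
    }
}
```

The same encoding should be applied by whatever layer renders the logs in a browser, since the sanitized text is still untrusted data once it is displayed.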

© 2023 Switch case. Made by Pierre Colart