Mobb User Docs
Start NowBlogsWatch NowContact Us
  • What is Mobb?
  • What's New with Mobb
  • Supported Fixes
  • Getting Started
    • System Requirements
    • Onboarding Guide
      • Registering a Mobb account
      • Try Mobb now!
      • Running Mobb against your own code
      • Automate Mobb in a CI/CD pipeline
    • Working with the Fix Report
    • Mobb CLI Overview
      • Analyze Mode
      • Scan Mode
      • Add SCM Token Mode
      • Review Mode
      • Common Deployment Scenarios
  • Mobb Dashboard
  • Integrating SAST Findings
    • Checkmarx
      • Generating Checkmarx One JSON Report from CLI
    • Snyk
    • SonarQube
      • Generating a SonarQube SAST Report
    • Fortify
    • CodeQL
    • Semgrep/Opengrep
      • Generating a Semgrep SAST Report
      • Generating an Opengrep SAST Report
  • CI/CD Integrations
    • GitHub Actions
      • GitHub Fixer for CxOne
      • GitHub Fixer for Opengrep
    • GitLab Pipeline
    • Azure DevOps
    • Jenkins
    • CircleCI
    • Bamboo
    • Bitbucket Pipeline
  • Administration
    • User Management
    • Project Settings
    • Access Tokens
    • Organization-Level Fix Policy
    • Integrations Page
    • SAML Single Sign-On Flow
  • More Info
    • Mobb Broker
      • Mobb Broker Token Rotation
      • Secure storage of Mobb broker in AWS Secrets Manager
    • Providing Fix Feedback
    • Frequently Asked Questions (FAQ)
    • Data Protection and Retention
    • Service Level Agreement
  • Fixing Guides
    • SQL Injection
    • Path Traversal
    • Log Forging
    • XSS
    • XXE
    • Server Side Request Forgery
    • HttpOnly Cookie Vulnerabilities
    • Hardcoded Domain in HTML
    • Hardcoded Secrets
    • HTTP Response Splitting Attacks
    • Insecure Cookie Vulnerabilities
    • Insecure Randomness
    • Missing Check against Null
    • Missing Rate Limiting
    • Regex Missing Timeout
    • System Information Leakage
  • Mobb REST API Guide
Powered by GitBook
On this page
  • What is Log Forging
  • One Simple Example
  • Real-world Occurrences of Log Forging
  • Fixing Log Forging
  • Code Samples

Was this helpful?

  1. Fixing Guides

Log Forging

Learn how to prevent log forging vulnerabilities and log injection attacks with examples and best practices. Protect your logs from tampering and security threats.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Log Forging

Log Forging, also known as Log Injection, is a security vulnerability that allows attackers to manipulate log files, leading to misleading entries, log poisoning, or even system exploits. This guide covers log forging vulnerabilities, examples, prevention methods, and how to fix log injection attacks effectively.

The vulnerability occurs when an application writes untrusted user input to log files without proper validation or encoding.

An attacker can exploit this vulnerability by injecting malicious content into logs, which can lead to:

  • Insertion of fake log entries

  • Manipulation of log data

  • Cross-site scripting (XSS) if logs are displayed in web interfaces

  • Log file corruption

  • Potential system compromise through log analysis tools

One Simple Example

Consider this common logging scenario:

logger.info("User login attempt for username: " + username);

Assuming the value of username comes from user's input, an attacker could provide this input as the username:

admin%0D%0ALogin successful

%0D%0A is the new-line character, resulting in the following log entry:

User login attempt for username: admin 
Login successful

This creates a false log entry suggesting a successful login, potentially misleading security analysts or automated log monitoring systems.

Real-world Occurrences of Log Forging

In December 2021, a critical vulnerability known as Log4Shell was discovered in Apache Log4j, a widely used Java-based logging framework. This vulnerability allowed attackers to perform log injection by crafting malicious input that, when logged by the application, could lead to remote code execution.

The vulnerability had a widespread impact, affecting numerous applications and services that utilized Log4j for logging. Exploitation of this vulnerability allowed attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.

A log forging vulnerability in Spring Security allowed an attacker to inject malicious characters into authentication logs, potentially altering log records or bypassing security checks.

Impact: Attackers could manipulate logs to make it appear as if a different user performed specific actions, covering their tracks during exploitation.

Fixing Log Forging

The most effective way to prevent Log Forging is to properly encode or sanitize all user-supplied data before writing it to log files. This can be achieved by:

  1. Using proper encoding for special characters

  2. Removing or replacing newline characters

  3. Utilizing built-in logging framework security features

  4. Implementing input validation

Code Samples

Vulnerable Code

String userInput = request.getParameter("username");
logger.info("User input: " + userInput);

Fixed Code

String userInput = request.getParameter("username");
String sanitized = userInput.replace('\n', '_').replace('\r', '_');
logger.info("User input: {}", sanitized);

Fix Explanation

The vulnerable code directly writes user input to logs. The fix sanitizes the input by replacing newline characters. Uses proper logging framework placeholder to prevent string concatenation. Ensures log entries cannot be split across multiple lines.

Vulnerable Code

console.log("User action: " + userInput);

Fixed Code

const sanitized = userInput.replace(/[\n\r\t]/g, '_');
console.log("User action: %s", sanitized);

Fix Explanation

The vulnerable code directly logs user input. The fix removes all newline and tab characters. Uses proper string formatting instead of concatenation. Prevents log injection through special characters.

Vulnerable Code

logging.info("User input: " + user_input)

Fixed Code

import html
sanitized = user_input.replace('\n', '_').replace('\r', '_')
logging.info("User input: %s", html.escape(sanitized))

Fix Explanation

The vulnerable code concatenates unvalidated input. The fix escapes HTML and removes newline characters. Uses proper string formatting. Prevents both log injection and XSS in web interfaces.

Vulnerable Code

_logger.LogInformation("User input: " + userInput);

Fixed Code

var sanitized = userInput.Replace("\n", "_").Replace("\r", "_");
_logger.LogInformation("User input: {UserInput}", sanitized);

Fix Explanation

The vulnerable code uses string concatenation with raw input. The fix sanitizes input by replacing newline characters. Uses structured logging with named parameters. Prevents log injection attacks.

Vulnerable Code

error_log("User input: " . $userInput);

Fixed Code

$sanitized = str_replace(["\n", "\r"], '_', $userInput);
error_log(sprintf("User input: %s", $sanitized));

Fix Explanation

The vulnerable code directly concatenates user input. The fix removes newline characters. Uses proper string formatting. Ensures log integrity is maintained.

Vulnerable Code

syslog(LOG_INFO, "User input: %s", userInput);

Fixed Code

string sanitized = regex_replace(userInput, regex("\n|\r"), "_");
syslog(LOG_INFO, "User input: %s", sanitized.c_str());

Fix Explanation

The vulnerable code logs raw user input. The fix sanitizes input using regex replacement. Removes potentially dangerous characters. Maintains log file structure integrity.

PreviousPath TraversalNextXSS

Last updated 2 months ago

Was this helpful?

Log4Shell Vulnerability in Apache Log4j ()

Reference:

Spring Security Log Injection ()

CVE-2021-44228
Log4Shell - Wikipedia
CVE-2021-22060