Application Security Series, Part 37: Log Injection
2022-07-06 05:29:00 【jimmyleeee】
When a user-supplied parameter is written to the log file without any validation, an attacker can use the special characters \r and \n (CR and LF) to inject new entries into the log and destroy the integrity of the system log. For example, suppose the application logs "test failed to log in." If "test" is attacker-controlled, then supplying the value "admin login successfully.\r\n test" turns the output into "admin login successfully.\r\n Info: test failed to log in.": a second line has been injected. If the attacker also supplies the timestamp and level prefix that the layout normally writes, the forged line cannot be told apart from a genuine entry by looking at the file. Once the integrity of the log can no longer be guaranteed, its value as evidence is lost.
Example code that triggers log injection:
logger.info("Test for Log injection for special char CRLF \r\n End");
logger.info("Test for Log injection for special char CR \r End");
logger.info("Test for Log injection for special char LF \n End");
Running this code on Windows produces the following output:
The output shows that what was meant to be a single log line is displayed as two lines, i.e. one extra line has been injected. The odd case is the bare \r: the text written before the \r does not appear at all. The bytes are still in the log file; a carriage return simply moves the console cursor back to the start of the line, so the text written after it overwrites what was already displayed (and some IDE consoles treat a bare \r as a line break instead). An attacker can therefore hide their traces from a person reading the console, but not from anyone who reads the file itself or ships it to a SIEM.
Line terminators differ between operating systems, which is sometimes given as a reason to filter only the terminator of the platform the application runs on. That is not sufficient: the log may be read on a different platform or by a viewer that honours either character, so both \r and \n must always be neutralized.
Operating system | Line terminator in files |
Windows | \r\n |
Linux | \n |
macOS | \n (classic Mac OS before OS X used \r) |
The first way to prevent this is escaping: replace the \r character with \\r and \n with \\n, so that neither is treated as a line break any more. Example code:
logger.info("Test for Log injection for special char CRLF \\r\\n End");
logger.info("Test for Log injection for special char CR \\r End");
logger.info("Test for Log injection for special char LF \\n End");
The output is:
Here \r and \n are printed as literal characters instead of acting as line breaks.
The second way is to let Log4j's configuration neutralize the injected characters automatically. The principle is the same (\r becomes \\r and \n becomes \\n), but it is simpler to use and it applies to every message that passes through the layout instead of relying on each call site; see Log4j – Log4j 2 Layouts, under the %enc (encode) pattern converter.
Use %enc{%m}{CRLF} to replace the line-break characters in the message. The configuration is as follows:
<Appenders>
<Console name="console" target="SYSTEM_OUT" follow="true">
<PatternLayout pattern="[%d{yyyy-MM-dd HH:mm:ss.SSS}][%-5p] [%t] [%c{10}#%M:%L] %enc{%m}{CRLF} %n "/>
</Console>
</Appenders>
This way the protection built into the log4j framework performs the replacement automatically. Note that %enc encodes only the pattern it wraps (here %m); any other field that can carry user-controlled data, such as MDC values or the thread name, needs its own %enc or must be sanitized at the source.
A second attack that log injection enables: when operators review logs, the logs may be rendered on a web page, and if a log entry contains HTML tags this can lead to XSS. Log4j 2 Layouts covers this case too: use HTML encoding, for example %enc{%m}{HTML}. Encoding in the layout only protects the stored text, so a log viewer that renders entries in a browser should still encode its output, since logs from other sources may be shown on the same page.
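The following is an added example, not code from the original post. It reproduces the CR/LF injection described above with plain Python string formatting (standing in for logger.info with an unvalidated user name), shows what a console does with a bare \r, and neutralizes the characters the way Log4j's %enc{%m}{CRLF} and %enc{%m}{HTML} converters do. The record format "[timestamp][LEVEL] message", the fixed timestamp, the attacker input and the HTML entity set produced by html.escape are all constructed assumptions for illustration; the exact entity set Log4j emits is documented under Layouts.

```python
"""Added example, not code from the original post: reproduce CR/LF log injection
with plain string formatting, show what a console does with a bare \\r, and
neutralise the characters the way Log4j's %enc{%m}{CRLF} / %enc{%m}{HTML}
converters do. The record format "[timestamp][LEVEL] message", the fixed
timestamp and every input below are constructed for illustration."""
import html
import re

TS = "2022-07-06 05:29:00.000"  # fixed so the output is deterministic

# A genuine record starts with the layout's timestamp and level fields.
RECORD_PREFIX = re.compile(
    r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\]\[(?:INFO |WARN |ERROR)\] "
)


def encode_crlf(message: str) -> str:
    """Same substitution as Log4j's %enc{...}{CRLF}: CR -> "\\r", LF -> "\\n"."""
    return message.replace("\r", "\\r").replace("\n", "\\n")


def encode_html(message: str) -> str:
    """Modelled on %enc{...}{HTML}: line breaks escaped as in CRLF mode, then the
    markup characters replaced by entities (assumption: html.escape's set of
    & < > " ' is used here; check the Layouts docs for Log4j's exact set)."""
    return html.escape(encode_crlf(message), quote=True)


def format_record(level: str, message: str, encode=lambda m: m) -> str:
    """One logger call -> one record; `encode` stands in for the layout converter."""
    return f"[{TS}][{level:<5}] {encode(message)}\n"


def physical_lines(log_text: str) -> list:
    # splitlines() honours \n, \r\n and a bare \r, like most log viewers.
    return log_text.splitlines()


def well_formed_records(log_text: str) -> list:
    """Lines that look like genuine records; a forged line with a valid prefix passes."""
    return [line for line in physical_lines(log_text) if RECORD_PREFIX.match(line)]


def render_like_console(line: str) -> str:
    """VT-style console: a bare \\r returns the cursor to column 0, so text written
    afterwards overwrites what is displayed while the bytes stay in the file.
    Some IDE consoles instead treat a bare \\r as a line break."""
    shown = ""
    for segment in line.rstrip("\n").split("\r"):
        shown = segment + shown[len(segment):]
    return shown


# Constructed attacker input for the "<user> failed to log in." message: it
# terminates the real record and supplies a complete, well-formed forged one.
FORGED = "admin login successfully."
MALICIOUS_USER = f"{FORGED}\r\n[{TS}][INFO ] test"


def vulnerable_log() -> str:
    # logger.info(user + " failed to log in.") with no validation or encoding
    return format_record("INFO", MALICIOUS_USER + " failed to log in.")


def hardened_log() -> str:
    # The same call with the CRLF converter applied by the layout
    return format_record("INFO", MALICIOUS_USER + " failed to log in.", encode_crlf)


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(vulnerable_log(), end="")
    print("well-formed records:", len(well_formed_records(vulnerable_log())))
    print("--- hardened ---")
    print(hardened_log(), end="")
    print("well-formed records:", len(well_formed_records(hardened_log())))
    cr_line = format_record("INFO", "Test for Log injection for special char CR \r End")
    print("bytes in file:", repr(cr_line))
    print("console shows:", render_like_console(cr_line))
```

The vulnerable variant yields two lines that both pass a format check, which is why a forged entry cannot be detected afterwards by parsing the file; the only reliable control is encoding before the bytes are written, as the hardened variant and the %enc converters do.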