Application Security Series 37: log injection
2022-07-06 05:32:00 【jimmyleeee】
Parameters entered by the user are written directly to the log file without any validation. This lets an attacker inject special characters (\r, \n) to create new log entries and destroy the integrity of the system log. For example, suppose the log entry is "test failed to log in." If test is attacker-controlled, entering "admin login successfully.\r\n test" changes the log to "admin login successfully.\r\n Info:test failed to log in.", which injects a log entry. Once the integrity of the log can no longer be guaranteed, its value as evidence is affected.
Sample code for log injection:
logger.info("Test for Log injection for special char CRLF \r\n End");
logger.info("Test for Log injection for special char CR \r End");
logger.info("Test for Log injection for special char LF \n End");
On Windows, running this code gives the following result:
From the displayed result it can be seen that what was originally a single log entry is shown as two lines in the log, i.e. a log line has been injected. What is strange is that when \r is used, everything before the \r is not displayed. (In a console a bare \r moves the cursor back to the start of the line, so the text that follows overwrites what is shown; the earlier bytes are still present in the file.) In other words, can an attacker hide their traces this way???
Line breaks differ from system to system, so filtering can also be done per system:
Operating system | File newline
Windows | \r\n
Linux | \n
Mac | \r\n
One way to prevent this is escaping: replace the \r character with \\r and \n with \\n, so that \r and \n are handled as ordinary characters rather than as line breaks. Sample code:
logger.info("Test for Log injection for special char CRLF \\r\\n End");
logger.info("Test for Log injection for special char CR \\r End");
logger.info("Test for Log injection for special char LF \\n End");
The result is:
Here you can see that \r and \n are printed as literal characters.
The second prevention method is to use the Log4j configuration to handle the characters that cause the injection automatically. The principle is the same (replace \r with \\r and \n with \\n), but it is easier to use. For details see: Log4j – Log4j 2 Layouts.
%enc{%m}{CRLF} can be used to replace line breaks. The configuration is as follows:
<Appenders>
    <Console name="console" target="SYSTEM_OUT" follow="true">
        <PatternLayout pattern="[%d{yyyy-MM-dd HH:mm:ss.SSS}][%-5p] [%t] [%c{10}#%M:%L] %enc{%m}{CRLF} %n "/>
    </Console>
</Appenders>
In other words, the automatic replacement can be done with the security measures the log4j framework already provides.
Another attack related to log injection: when maintenance staff review the log, it may be displayed on a web page. If the log contains HTML tags, this can lead to an XSS attack. This is also described in Log4j 2 Layouts; HTML encoding can be used, for example %enc{%m}{HTML}.
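The following is an added example written for this article; it is not code from the original post and does not use Log4j itself. In plain Java it shows the two manual escapes discussed above (CRLF and HTML) and adds a simple integrity check that the post does not mention: it scans log text for lines that lack the entry prefix produced by the PatternLayout shown above, which is how an injected line betrays itself. The class and method names, the backslash escape step, and the sample username are my own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not from the original post): manual CRLF/HTML escaping of
// user-controlled values before logging, plus a check for injected lines.
public class LogInjectionDemo {

    // Escape CR and LF as the post describes. Escaping the backslash first
    // (an addition beyond the post) keeps a literal "\r" typed by the user
    // distinguishable from an escaped real carriage return.
    public static String escapeCrlf(String s) {
        if (s == null) return "null";
        return s.replace("\\", "\\\\")
                .replace("\r", "\\r")
                .replace("\n", "\\n");
    }

    // Minimal HTML escaping for log viewers that render entries in a web page,
    // the same idea as %enc{%m}{HTML} in Log4j 2.
    public static String escapeHtml(String s) {
        if (s == null) return "null";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Every genuine entry written by the PatternLayout above starts with
    // "[yyyy-MM-dd HH:mm:ss.SSS][". A physical line without that prefix is
    // either part of a multi-line message or an injected line.
    private static final Pattern ENTRY_PREFIX =
        Pattern.compile("^\\[\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}\\]\\[");

    // Returns the 1-based numbers of lines that do not start a proper entry.
    public static List<Integer> findOrphanLines(String logText) {
        List<Integer> orphans = new ArrayList<>();
        String[] lines = logText.split("\\r?\\n|\\r");   // CRLF, LF or bare CR
        for (int i = 0; i < lines.length; i++) {
            if (!lines[i].isEmpty() && !ENTRY_PREFIX.matcher(lines[i]).find()) {
                orphans.add(i + 1);
            }
        }
        return orphans;
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled username, following the post's example.
        String user = "admin login successfully.\r\n test";
        String prefix = "[2022-07-06 05:32:00.000][INFO ] Info:";

        String unsafe = prefix + user + " failed to log in.";
        String safe   = prefix + escapeCrlf(user) + " failed to log in.";

        System.out.println("unescaped entry, orphan lines: " + findOrphanLines(unsafe)); // [2]
        System.out.println("escaped entry, orphan lines:   " + findOrphanLines(safe));   // []
        System.out.println("escaped entry: " + safe);

        // Constructed value containing markup, for a web-based log viewer.
        System.out.println("html-escaped: " + escapeHtml("<b>admin</b> & \"guest\""));
    }
}
```

The orphan-line check is a triage aid, not a replacement for escaping at write time: a legitimate stack trace also produces lines without the prefix, and a careful attacker can forge a line that carries one. Its value is in flagging entries worth a second look; the fix remains escaping (or %enc) before the value reaches the appender.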