Log Injection

Log injection happens when untrusted data is stored in logs and does not escaped when used by the downstream component or rendered in the UI. An adversary can exploit this vulnerability to execute arbitrary command (see Log4Shell), JavaScript code (see second-order XSS or blind XSS), or insert fake log entries (see CRLF injection).

Remediation

Restrict size and character set of the data that is stored in the logs.
Perform contextual escaping of the logs before usage ore rendering.

Metadata

Severity: medium
Slug: log-injection

CWEs

117: Improper Output Neutralization for Logs
93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

OWASP

A03:2021: Injection

Available Labs

Open Typescript labs in SecDim Play for this vulnerability.

easy

Log Injection.ts

TypeScript Easy Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.