More About Logging

As you can tell by now, log-spoofing can become an issue when users try to spoof logs. There are various ways to do this other than a form-post.

Think of URL parameters or crafted JSON payloads for instance.

• apply proper input-sanitization

• make sure you can establish source authenticity and implement integrity controls to detect log-tampering.

• make sure that a user cannot inject logs from any channel

• make sure that the log storage is protected

But there is more to log security than just sanitization against spoofing attacks. Let’s have a look at logging sensitive information.

Logging Sensitive Information

In the previous exercise, we saw only the username passing by, but no password. Why? Because we want to make sure that an application log does not contain any sensitive information. Let’s make sure that when our logs get compromised, we do not have to fear authentication information to be reused.

Similarly, we should not log any other sensitive information, such as symmetric or private keys, access tokens, and such.

Logging Personal Information

Be careful with logging personal information. For instance: do not log bank account details, personally identifiable information to which a user did not consent having it logged. Do not log facts that can establish the identity of the subject being logged.

What you basically want to prevent, is that people use the logs to profile people or spy on them. You want to protect the privacy of the subjects using your system.

Special case: Access Logs

One special case is always the access logs offered by your ingress and/or application server. These logs should contain at least a few things: Where the request came from, when the request was made, and possibly what the response code was. Additional information can be shared in an access log, depending on the security of the log. For instance: you don’t want to share the raw request in the access logs to safeguard the privacy of your users.

And here the problem often starts: access logs sometimes capture the full URL used for the request. This can include sensitive URL parameters. Therefore: be careful with what you put in the URL as parameters & let’s make sure that you do not log those in an openly accessible log.

Read more

Want to read up on more about logging? Have a look at:

• The OWASP Logging Cheat sheet

• GDPR article at Wikipedia