JVM Log Forging Sanitization with Slf4j
Log Forging is one of the common security issues that occur in the JVM World. According to OWASP, Log Forging is one of the major attack techniques. In this article we’ll look into how can we prevent and sanitize the input to log files.
Log forging vulnerabilities occur when data enters an application from an untrusted source or the data is written to an application/system log file by some external entity. As per OWASP Guidelines Log forging or injection is being used as one of the common techniques for writing unvalidated user inputs to log files so that it can allow an attacker to forge log entries or inject malicious content into the logs.
Example for Log Manipulation
Consider, that the user is entering the amount for a payment request from the Web application.
Once the request get progress following logs will appear in the console
In any case, attackers enter the input as following 1000 \n\n12:48:29.108 [main] INFO com.example.logforging.LogForgingApplication [main] INFO Amount reversed successfully”, then the log will be like this:
So, intentionally attacker can be able to manipulate the log with a corrupted value.
How can we prevent Log Forging?
- Introduce Validation for the Inputs
One of the easiest solutions is always validating the input before logging. One problem with this approach is that we will have to validate a lot of data at runtime which will impact the overall system performance.
Also, if the validation fails, the data will not be logged and become lost forever which is often not an acceptable scenario.
2.ESAPI
Using ESAPI is the most shared and advisable technique in this context. Here, each and every user data is encoded before writing into the logs. ESAPI is an open-source API available from OWASP:
We can encode the data with the following two methods:
- Encode the Single value with Pre-Defined methods provided by ESAPI.
2. Introduce the Custom method
When we have multiple inputs for the request we can use Encoder Interface to encode the data.
You will get the following logs once you add the encode using ESAPI.
The following things should be considered when we use ESAPI.
You should add two properties files inside the resources folder.
Create .esapi Package inside the resources folder and add ESAPI.properties and validation.properties files inside the packages.
If you haven’t added the properties files Application will throw a Run-Time Exception. You can find the Properties files here
You should uncomment the following line from the ESAPI.properties file
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Lombok Maven Dependency
You can use @Slf4j Annotation in your Application instead of this line of code
private final Logger logger = LoggerFactory.getLogger(LogForgingApplication.class);Then Your Code Base will be like this:
You can use the following dependency to use Slf4j.
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<optional>true</optional>
</dependency>Conclusion
Using the Validation for Logs will be good practice for the Application. You can prevent the untrusted source or the data is written to an application log file by some external entity.
Here you can find the Source Code on Github.
