# Log Injection

**Log injection** is a type of *injection attack*. Injection attacks occur when maliciously crafted inputs are submitted by an attacker, causing an application to perform an unintended action. Log injection attacks occur when an attacker tricks the application into writing spurious or malicious entries in your log files.

Log files are important tool for seeing what an application is doing at runtime, reviewing events, and recording errors. Much of the data written to log files will come from untrusted sources – log entries will contain URLs accessed on the server or parameters passed in an HTTP request, for example. This affords an attacker an opportunity to inject spurious log entries (if newline characters are not handled appropriately) or inject malicious code that may prove harmful when the logs are viewed. Log injection is often used in tandem with other attacks as a way of disguising malicious activity on the server.

## Log Injection in C#

In C#, writing to the standard console log will not escape new line characters. That means that if you execute the following:

“`csharp
Console.WriteLine(“Hello\nworld”);
“`

…you will get two lines of output. Attackers will try to make use of this by inserting new line characters into the parameters in their HTTP requests to add extra lines of logging. They might, for instance, make HTTP requests to the URL `/login?\nUser+logged+out`, so that any code that logs the URL also prints the line `User logged out`. This can be helpful for an attacker if they want to disguise their tracks.

The best way to defuse log injection attacks is to use a logging module that will prefix each log line with extra meta-data like timestamp, process ID and hostname. These packages also have a multitude of other advantages: the verbosity of the logging can be set by configuration, and logs can be written in a structured format like JSON for easy processing by log management tools like Splunk and Logstash.

The built-in .NET logging API can be used to achieve this end. A .NET application can be configured to have logging objects supplied by dependency injection:

“`csharp
using Microsoft.Extensions.Logging;namespace WebApplication.Controllers
{
public class HomeController : Controller
{
private readonly ILogger<HomeController> _logger;public HomeController(ILogger<HomeController> logger)
{
_logger = logger;
_logger.LogInformation(“Logs initialized!”);
}
}
}
“`

 

The log level and formatting can then be configured in the `appsettings.json` file for the project:

“`json
{
“Logging”: {
“LogLevel”: {
“Default”: “Information”,
“Microsoft”: “Warning”,
“Microsoft.Hosting.Lifetime”: “Information”
},
“Console”: {
“LogLevel”: {
“Default”: “Information”,
“Microsoft”: “Warning”,
“Microsoft.Hosting.Lifetime”: “Information”
},
“FormatterName”: “simple”,
“FormatterOptions”: {
“SingleLine”: true,
“TimestampFormat”: “HH:mm:ss “,
“UseUtcTimestamp”: true
}
}
}
}
“`

 

This will prefix each line of logging with a timestamp and the name of the class emitting log information.

## Malicious Content in Logs

An attacker can always control what is written to the logs by manipulating the HTTP request. A common attack vector is to inject HTML into log entries, in the hope that an administrator views the log files in a web application that does not properly escape HTML characters. If you make use of a tool to view logs or error reports, treat the contents of log files as untrusted input as you would the original HTTP request – or you could fall-foul of cross-site scripting attacks aimed at hijacking admin accounts.

## CWEs

* [CWE-117](https://cwe.mitre.org/data/definitions/117.html)

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

See for yourself – run a scan on your code right now