BOSS

Reputation: 2951

Security flaws in code with veracode tool

I ran my application for security compliance in the Veracode tool, and whenever the tool finds any logging it is detected as a flaw in the code.
And the flaw says the below quote:

Improper Output Neutralization for Logs

Description

Function call could result in a log forging attack. Writing unsanitized user-supplied data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible.

In my logs I do print the XML coming from another interface. There is no GUI associated with the application, so how can I neutralize this flaw?

Please let me know if this is not the right forum to raise this question. Thanks.

Upvotes: 3

Views: 5124

Answers (4)

Chaithra S

Reputation: 31

We should validate the data which is coming from the user, because the user/attacker-entered data can have junk characters.

Solution: just pass the user-entered data to the library method below: HtmlUtils.htmlEscape(input)

Upvotes: 0

Tim Jarrett

Reputation: 11

This is all good guidance. There are also direct links to flaw-specific info from OWASP and other sources in the Triage Flaws view in the Veracode platform.

Upvotes: 1

Tom Hawtin - tackline

Reputation: 147164

So there are two main problems with dumping untrusted data into log files.

Firstly, record splitting (similar to HTTP header splitting). The untrusted input puts in a line break (or similar, depending on the format of the log file) followed by completely fake entries.

Secondly, if you view the logs with a web browser with the log text just dumped in, then you are open to XSS attacks. This has, for example, been used to survey which browsers script kiddies are using (Opera was quite popular).

So, treat logs as other formats susceptible to injection attacks (HTML, XML, SQL, HTTP headers, etc.). You need to make sure you are adding a whitelist of possible characters. You could write methods to do this and sanitise the input before each log call. Better is to write a logger which outputs safe text for any input (even if it has special characters, control characters, illegal surrogate pairs, etc.).

Upvotes: 3

rossum

Reputation: 15693

The problem appears to be unsanitized user-supplied data. You should clean the incoming data to prevent such things as SQL injection or scripting attacks by replacing significant characters, & -> &amp; and so on.

You should also make it obvious that the log entry contains external, and possibly corrupt or misleading, data. Perhaps something as simple as

String logText = "User " + userID + " supplied: >>" + userData + "<<";

That way it is clear what is yours and what is from the external user.

Upvotes: 1
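The two problems Tom Hawtin describes (record splitting via line breaks, and XSS when logs are viewed in a browser) and rossum's suggestion of visibly delimiting external data can be handled in one logger helper. The Java below is an added example written for this page; it is not code from any of the answerers, from Spring, or from Veracode. The class and method names (SafeLog, neutralize, entry) are assumed, and the input string is a constructed sample. Note that HtmlUtils.htmlEscape on its own, as suggested in the first answer, encodes <, >, & and quotes but leaves CR and LF untouched, so it addresses the browser-viewer case but not record splitting; the helper below does both.

```java
import java.util.logging.Logger;

/**
 * Log neutralizer (added example, not from the thread's authors).
 * 1. Record splitting: CR, LF, other control characters, Unicode line and
 *    paragraph separators and unpaired surrogates are encoded so that an
 *    external value can never start a new log record.
 * 2. Browser-based log viewers: HTML-significant characters are entity-encoded.
 * External data is additionally wrapped in visible delimiters so a reader can
 * tell which part of an entry came from outside the application.
 */
public final class SafeLog {
    private static final Logger LOG = Logger.getLogger(SafeLog.class.getName());

    private SafeLog() {}

    /** Returns a single-line, HTML-safe rendering of untrusted text. */
    public static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        int i = 0;
        while (i < untrusted.length()) {
            // codePointAt returns the lone code unit for an unpaired surrogate,
            // so those are caught by the range check in the default branch.
            int cp = untrusted.codePointAt(i);
            i += Character.charCount(cp);
            switch (cp) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                case '\\': out.append("\\\\"); break;
                case '<':  out.append("&lt;"); break;
                case '>':  out.append("&gt;"); break;
                case '&':  out.append("&amp;"); break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default:
                    int type = Character.getType(cp);
                    boolean unpairedSurrogate =
                        cp >= Character.MIN_SURROGATE && cp <= Character.MAX_SURROGATE;
                    if (Character.isISOControl(cp)
                            || type == Character.LINE_SEPARATOR
                            || type == Character.PARAGRAPH_SEPARATOR
                            || unpairedSurrogate) {
                        // "\\u" in Java source is a literal backslash-u, not a
                        // compile-time unicode escape.
                        out.append(String.format("\\u%04X", cp));
                    } else {
                        out.appendCodePoint(cp);
                    }
            }
        }
        return out.toString();
    }

    /** Builds one log entry with the external fields clearly delimited. */
    public static String entry(String userId, String userData) {
        return "User " + neutralize(userId) + " supplied: >>" + neutralize(userData) + "<<";
    }

    public static void main(String[] args) {
        // Constructed sample: a value that tries to append a fake record and
        // carries a script tag aimed at a browser-based log viewer.
        String forged = "alice\nINFO: login OK for admin <script>alert(1)</script>";
        String line = entry("bob", forged);
        LOG.info(line);
    }
}
```

With the sample input, the embedded line feed is written as the two characters `\n` and the script tag as `&lt;script&gt;...`, so the entry stays on one line and renders inertly in an HTML viewer, while the `>>` and `<<` markers (which are the application's own text, not attacker-controlled) show exactly where the external data begins and ends. Encoding rather than stripping is deliberate: the original bytes remain recoverable for forensic review, which a whitelist that silently drops characters would not allow.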
