Logging Vulnerabilities

CWE-117, CWE-221, CWE-223, CWE-532, CWE-778

Logging is a concept that most developers already use for debugging and diagnostic purposes. Security logging is an equally basic concept: to log security information during the runtime operation of an application.

Monitoring is the live review of application and security logs using various forms of automation. The same tools and patterns can be used for operations, debugging and security purposes.

The goal of security logging is to detect and respond to potential security incidents.

Real-World Attack Scenarios

Scenario 1: Log Injection via Unvalidated Input (CWE-117)

An application logs user login attempts without sanitization:

import logging

def log_login_attempt(username, success):
    # VULNERABLE - User input not sanitized
    if success:
        logging.info(f"User {username} logged in successfully")
    else:
        logging.info(f"Failed login attempt for user {username}")

The vulnerability:

User-controlled input written directly to logs:

Newline characters (\n) not filtered
Attacker can inject fake log entries
Can hide malicious activity
Can frame other users
Can corrupt log files

The attack:

Attacker enters username with embedded newlines:

Username: admin\nUser admin logged in successfully\nUser attacker

Resulting log entry:

2024-01-15 10:23:45 Failed login attempt for user admin
2024-01-15 10:23:45 User admin logged in successfully
2024-01-15 10:23:45 User attacker

Looks like admin logged in successfully, hiding the failed attempt.

Or inject malicious entries:

Username: admin\n[2024-01-15 10:25:00] CRITICAL Security scan completed - no issues found\n

Resulting log:

2024-01-15 10:23:45 Failed login attempt for user admin
2024-01-15 10:25:00 CRITICAL Security scan completed - no issues found

Attacker hides real attack by injecting fake "all clear" message.

Advanced attack - Log forging:

Username: admin\n[2024-01-15 10:30:00] User victim performed unauthorized action\n[2024-01-15 10:30:01] Suspicious activity detected from IP 192.168.1.100\n

Attacker frames another user for malicious activity.

Result:

Forged audit trail
Hidden attack evidence
Framing innocent users
Corrupted forensic data
Investigation misdirection

Finding it: Test login forms and any logged input. Try \n, \r\n, null bytes. Check if log entries can be injected.

Exploit:

# Test log injection
curl -X POST http://target.com/login \
  -d "username=admin%0AUser admin logged in successfully%0A" \
  -d "password=test"

# Check logs for injected entry

The fix:

Sanitize all user input before logging:

import logging
import re

def sanitize_log_input(text):
    # Remove newlines and control characters
    return re.sub(r'[\n\r\t\x00-\x1f]', '', text)

def log_login_attempt(username, success):
    safe_username = sanitize_log_input(username)
    if success:
        logging.info(f"User {safe_username} logged in successfully")
    else:
        logging.info(f"Failed login attempt for user {safe_username}")

Or use structured logging (JSON):

import logging
import json

def log_login_attempt(username, success):
    log_entry = {
        "event": "login_attempt",
        "username": username,  # JSON encoding handles escaping
        "success": success,
        "timestamp": datetime.now().isoformat()
    }
    logging.info(json.dumps(log_entry))

Scenario 2: Passwords in Log Files (CWE-532)

Application logs all HTTP requests including authentication:

import logging

@app.before_request
def log_request():
    # VULNERABLE - Logs entire request including passwords
    logging.info(f"Request: {request.method} {request.url}")
    logging.info(f"Headers: {request.headers}")
    logging.info(f"Body: {request.get_data()}")

The vulnerability:

Sensitive data written to logs:

Passwords in POST bodies
API keys in headers
Session tokens in cookies
Credit cards in request data
PII (SSN, email, phone) in parameters

The attack:

User logs in with credentials:

POST /login HTTP/1.1
Content-Type: application/json

{"username": "john", "password": "SecretPass123!"}

Log file contains:

2024-01-15 10:23:45 Request: POST /login
2024-01-15 10:23:45 Headers: {'Authorization': 'Bearer sk_live_4eC39HqLyjWDarht8Zlt5Kda'}
2024-01-15 10:23:45 Body: {"username": "john", "password": "SecretPass123!"}

Attacker gains access to log files (misconfiguration, backup exposure, insider threat):

# Search logs for passwords
grep -r "password" /var/log/app/*.log

# Output: Hundreds of plaintext passwords
john:SecretPass123!
admin:AdminPass456!
alice:MyP@ssw0rd!

Or API keys:

grep -r "Bearer" /var/log/app/*.log

# Output: All API keys ever used
Bearer sk_live_4eC39HqLyjWDarht8Kda
Bearer pk_test_51JxK9pE4cNwD2f

Result:

Mass credential theft
Complete account compromise
API key leakage
PCI DSS violation (logging credit cards)
GDPR violation (logging PII)

Finding it: Access log files. Search for passwords, tokens, API keys, credit cards. Check if sensitive data logged.

Exploit:

# Common log locations
/var/log/application.log
/var/log/apache2/access.log
/var/log/nginx/access.log
~/.pm2/logs/
/opt/app/logs/

# Search for credentials
grep -rE "password|apikey|token|bearer|authorization" /var/log/

# Search for credit cards
grep -rE "\b[0-9]{13,16}\b" /var/log/

The fix:

Never log sensitive data:

import logging
import re

SENSITIVE_FIELDS = ['password', 'api_key', 'token', 'credit_card', 'ssn']

def sanitize_request_data(data):
    sanitized = data.copy()
    for field in SENSITIVE_FIELDS:
        if field in sanitized:
            sanitized[field] = '[REDACTED]'
    return sanitized

@app.before_request
def log_request():
    # Sanitize before logging
    safe_data = sanitize_request_data(request.get_json() or {})
    logging.info(f"Request: {request.method} {request.path}")
    logging.info(f"Body: {safe_data}")

Or use allowlist approach:

def log_request():
    # Only log safe fields
    safe_fields = ['username', 'email', 'user_agent', 'ip_address']
    log_data = {k: v for k, v in request.get_json().items() if k in safe_fields}
    logging.info(f"Request data: {log_data}")

Scenario 3: No Logging of Security Events (CWE-778, CWE-221)

Application doesn't log critical security events:

@app.route('/admin/delete-user/<user_id>', methods=['POST'])
def delete_user(user_id):
    # VULNERABLE - No logging!
    user = User.query.get(user_id)
    db.session.delete(user)
    db.session.commit()
    return "User deleted"

The vulnerability:

No audit trail for:

Failed login attempts
Privilege escalation
Access to sensitive data
Configuration changes
User deletions
Password changes
Admin actions

The attack:

Attacker gains admin access and deletes users:

curl -X POST http://target.com/admin/delete-user/1 \
  -H "Authorization: Bearer stolen_token"

# User 1 deleted - no trace in logs
# No record of who deleted it
# No timestamp of deletion
# No evidence of compromise

Investigation reveals nothing:

# Search logs for deletion
grep "delete" /var/log/app.log
# No results

# Search for user access
grep "user/1" /var/log/app.log
# No results

# Completely blind to the attack

Result:

No incident detection
No forensic evidence
Cannot identify attacker
Cannot determine scope of breach
Compliance failure (PCI DSS requires logging)

Finding it: Review code for sensitive operations. Check if logging present. Test security events and verify they appear in logs.

The fix:

Log all security-relevant events:

import logging

@app.route('/admin/delete-user/<user_id>', methods=['POST'])
def delete_user(user_id):
    user = User.query.get(user_id)
    
    # Log the security event
    logging.warning(
        f"SECURITY: User deletion - "
        f"User ID: {user_id}, "
        f"Deleted by: {session['username']}, "
        f"IP: {request.remote_addr}, "
        f"Timestamp: {datetime.now()}"
    )
    
    db.session.delete(user)
    db.session.commit()
    return "User deleted"

Or use structured logging:

def log_security_event(event_type, details):
    log_entry = {
        "event": event_type,
        "actor": session.get('username'),
        "ip": request.remote_addr,
        "timestamp": datetime.now().isoformat(),
        "details": details
    }
    logging.warning(json.dumps(log_entry))

@app.route('/admin/delete-user/<user_id>', methods=['POST'])
def delete_user(user_id):
    user = User.query.get(user_id)
    
    log_security_event("user_deletion", {
        "user_id": user_id,
        "username": user.username
    })
    
    db.session.delete(user)
    db.session.commit()
    return "User deleted"

Scenario 4: Missing Context in Logs (CWE-223)

Application logs events but omits critical information:

@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    
    if verify_password(username, password):
        # VULNERABLE - Missing context
        logging.info("Login successful")
        return "Welcome"
    else:
        # VULNERABLE - Missing context
        logging.info("Login failed")
        return "Invalid credentials"

The vulnerability:

Logs missing:

Username (who logged in?)
IP address (from where?)
Timestamp (exact time?)
User agent (what client?)
Session ID (which session?)

The attack:

Attacker performs brute-force attack:

for password in $(cat passwords.txt); do
  curl -X POST http://target.com/login \
    -d "username=admin&password=$password"
done

Logs show:

2024-01-15 10:23:45 Login failed
2024-01-15 10:23:46 Login failed
2024-01-15 10:23:47 Login failed
...
2024-01-15 10:25:32 Login successful

But administrators cannot determine:

Which account was attacked
Source IP of attack
If attack is ongoing
If attack targeted multiple accounts

Result:

Cannot detect brute-force attacks
Cannot block attacker IP
Cannot identify compromised accounts
Incomplete forensic evidence

Finding it: Review log entries. Check if they contain sufficient context (who, what, when, where, how).

The fix:

Include comprehensive context:

@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    
    if verify_password(username, password):
        logging.info(
            f"Login successful - "
            f"User: {username}, "
            f"IP: {request.remote_addr}, "
            f"User-Agent: {request.headers.get('User-Agent')}, "
            f"Timestamp: {datetime.now()}"
        )
        return "Welcome"
    else:
        logging.warning(
            f"Login failed - "
            f"User: {username}, "
            f"IP: {request.remote_addr}, "
            f"User-Agent: {request.headers.get('User-Agent')}, "
            f"Timestamp: {datetime.now()}"
        )
        return "Invalid credentials"

Or structured format:

def log_login_event(username, success):
    log_entry = {
        "event": "login_attempt",
        "username": username,
        "success": success,
        "ip": request.remote_addr,
        "user_agent": request.headers.get('User-Agent'),
        "timestamp": datetime.now().isoformat(),
        "session_id": session.get('session_id')
    }
    
    if success:
        logging.info(json.dumps(log_entry))
    else:
        logging.warning(json.dumps(log_entry))

Scenario 5: Log Files Publicly Accessible

Application stores logs in web-accessible directory:

/var/www/html/logs/application.log
/var/www/html/logs/access.log
/var/www/html/logs/error.log

The vulnerability:

Log files accessible via web browser:

No authentication required
Directory listing enabled
Logs contain sensitive data
Anyone can download them

The attack:

# Discover logs
curl http://target.com/logs/
# Directory listing shows: application.log, error.log

# Download logs
curl http://target.com/logs/application.log > stolen_logs.txt

# Extract credentials
grep -E "password|token|api_key" stolen_logs.txt

# Output: All passwords and keys ever logged

Or automated scanning:

# Common log paths
for path in logs/ log/ debug/ application.log error.log access.log; do
  curl -s http://target.com/$path -o /dev/null -w "%{http_code} $path\n"
done

# 200 logs/application.log - FOUND!

Result:

Complete log exposure
Credential theft
Attack pattern visibility
Business logic disclosure
User behavior tracking

Finding it: Check if /logs/, /log/, /debug/ accessible. Try common log filenames. Look for directory listing.

Exploit:

# Test common paths
curl http://target.com/logs/
curl http://target.com/application.log
curl http://target.com/debug.log
curl http://target.com/error.log

# Automated scanner
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt -x log,txt

The fix:

Store logs outside web root:

# Wrong
/var/www/html/logs/

# Right
/var/log/application/
/opt/logs/
~/.local/logs/

Restrict permissions:

chmod 600 /var/log/application/*.log
chown app:app /var/log/application/*.log

Disable directory listing:

# Apache
<Directory /var/www/html>
    Options -Indexes
</Directory>

# Nginx
autoindex off;

Block log access:

# .htaccess
<FilesMatch "\.(log|txt)$">
    Deny from all
</FilesMatch>

Application only logs successful logins:

@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    
    if verify_password(username, password):
        logging.info(f"User {username} logged in")
        return "Welcome"
    else:
        # VULNERABLE - Failed login not logged!
        return "Invalid credentials"

The vulnerability:

No logging of:

Failed login attempts
Password guessing attacks
Brute-force attempts
Account enumeration

The attack:

Attacker performs credential stuffing:

# Try 10,000 stolen passwords against admin account
for password in $(cat leaked_passwords.txt); do
  curl -X POST http://target.com/login \
    -d "username=admin&password=$password"
done

After 10,000 attempts, password found. But logs show:

2024-01-15 10:45:32 User admin logged in

No trace of:

10,000 failed attempts
Source IP
Attack duration
Attack pattern

Result:

Brute-force attacks undetected
No alerting or blocking
Successful compromise invisible until damage done

Finding it: Review authentication code. Check if failed attempts logged. Test with wrong passwords.

The fix:

Log all authentication attempts:

@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    
    if verify_password(username, password):
        logging.info(
            f"LOGIN_SUCCESS - User: {username}, IP: {request.remote_addr}"
        )
        return "Welcome"
    else:
        # Log failed attempts
        logging.warning(
            f"LOGIN_FAILED - User: {username}, IP: {request.remote_addr}"
        )
        return "Invalid credentials"

With rate limiting:

from collections import defaultdict
from datetime import datetime, timedelta

failed_attempts = defaultdict(list)

@app.route('/login', methods=['POST'])
def login():
    username = request.form['username']
    password = request.form['password']
    ip = request.remote_addr
    
    # Check failed attempts
    recent_failures = [
        t for t in failed_attempts[ip]
        if t > datetime.now() - timedelta(minutes=15)
    ]
    
    if len(recent_failures) >= 5:
        logging.critical(
            f"BRUTE_FORCE_DETECTED - IP: {ip}, User: {username}, "
            f"Attempts: {len(recent_failures)}"
        )
        return "Too many failed attempts", 429
    
    if verify_password(username, password):
        # Clear failed attempts
        failed_attempts[ip] = []
        logging.info(f"LOGIN_SUCCESS - User: {username}, IP: {ip}")
        return "Welcome"
    else:
        # Record failed attempt
        failed_attempts[ip].append(datetime.now())
        logging.warning(
            f"LOGIN_FAILED - User: {username}, IP: {ip}, "
            f"Total failures: {len(recent_failures) + 1}"
        )
        return "Invalid credentials"

Scenario 7: Log Tampering (Inadequate Protection)

Logs stored with weak permissions:

-rw-rw-rw- 1 root root 1.2G Jan 15 10:23 application.log

The vulnerability:

Anyone can modify logs:

Attacker removes evidence
Attacker injects false entries
Forensic evidence destroyed
Incident investigation impossible

The attack:

Attacker compromises system, deletes traces:

# Remove all login failures
sed -i '/LOGIN_FAILED/d' /var/log/application.log

# Remove specific IP
sed -i '/192.168.1.100/d' /var/log/application.log

# Remove time range
sed -i '/2024-01-15 10:2[0-9]:/d' /var/log/application.log

# Or delete entire log
rm /var/log/application.log

Investigation finds nothing:

grep "LOGIN_FAILED" /var/log/application.log
# No results - attacker deleted them

Result:

Evidence destruction
Cannot prove breach occurred
Cannot identify attacker
Legal proceedings impossible

Finding it: Check file permissions on logs. Test if logs can be modified or deleted.

The fix:

Restrict log permissions:

chmod 640 /var/log/application/*.log
chown root:adm /var/log/application/*.log

Use append-only flag:

# Linux
chattr +a /var/log/application.log
# Now file can only be appended to, not modified or deleted

# Remove flag (requires root)
chattr -a /var/log/application.log

Send logs to central server:

import logging
from logging.handlers import SysLogHandler

# Send to remote syslog
handler = SysLogHandler(address=('logs.company.com', 514))
logging.getLogger().addHandler(handler)

# Now logs stored remotely where attacker can't delete them

Use write-once storage:

# Send logs to AWS S3 with object lock
aws s3 cp /var/log/application.log s3://logs-bucket/ \
  --storage-class GLACIER \
  --metadata "retention=7years"

Mitigation Strategies

Sanitize all logged input

import re

def sanitize_for_log(text):
    # Remove control characters
    sanitized = re.sub(r'[\x00-\x1f\x7f-\x9f]', '', text)
    # Remove newlines
    sanitized = sanitized.replace('\n', '').replace('\r', '')
    return sanitized

logging.info(f"User {sanitize_for_log(username)} logged in")

Never log sensitive data

SENSITIVE_FIELDS = [
    'password', 'passwd', 'pwd',
    'api_key', 'apikey', 'secret',
    'token', 'auth', 'authorization',
    'credit_card', 'cc', 'cvv',
    'ssn', 'social_security'
]

def redact_sensitive(data):
    if isinstance(data, dict):
        return {
            k: '[REDACTED]' if k.lower() in SENSITIVE_FIELDS else v
            for k, v in data.items()
        }
    return data

logging.info(f"Request: {redact_sensitive(request_data)}")

Log all security events

# Always log:
# - Authentication (success/failure)
# - Authorization failures
# - Input validation failures
# - Privilege escalation
# - Admin actions
# - Configuration changes
# - Data access/modification/deletion

def log_security_event(event_type, **kwargs):
    log_data = {
        'event': event_type,
        'timestamp': datetime.now().isoformat(),
        'user': session.get('username'),
        'ip': request.remote_addr,
        **kwargs
    }
    logging.warning(json.dumps(log_data))

Include comprehensive context

# Always include:
# - Who (user, session ID)
# - What (action performed)
# - When (timestamp)
# - Where (IP, location, endpoint)
# - How (method, user agent)
# - Result (success/failure)

logging.info(
    f"Event: {event}, "
    f"User: {user}, "
    f"IP: {ip}, "
    f"Time: {timestamp}, "
    f"Endpoint: {endpoint}, "
    f"Result: {result}"
)

Protect log files

# Restrict permissions
chmod 640 /var/log/application.log
chown root:adm /var/log/application.log

# Use append-only
chattr +a /var/log/application.log

# Store outside web root
# /var/log/ NOT /var/www/html/logs/

Use structured logging

import logging
import json

def structured_log(level, event_type, **kwargs):
    log_entry = {
        'timestamp': datetime.now().isoformat(),
        'level': level,
        'event': event_type,
        **kwargs
    }
    logging.log(getattr(logging, level), json.dumps(log_entry))

# Usage
structured_log('INFO', 'login_success', user='admin', ip='192.168.1.1')

Centralize logs

# Send to central logging server
from logging.handlers import SysLogHandler

handler = SysLogHandler(address=('logs.company.com', 514))
logging.getLogger().addHandler(handler)

# Or use ELK stack, Splunk, Datadog, etc.

Monitor and alert

# Set up automated monitoring
# Alert on:
# - Multiple failed logins
# - Privilege escalation attempts
# - Unusual access patterns
# - Missing logs (gaps in timeline)

# Example: Alert on 5 failed logins in 5 minutes
if failed_login_count > 5:
    send_alert(f"Brute force detected from {ip}")