Insecure logging occurs when a developer, intentionally or unintentionally, logs sensitive information, and this can have unintended consequences. If, for example, the application logs Personally Identifiable Information (PII), an attacker could use it for identity theft against users. If the logs contain credentials or session information, an attacker could hijack the user's account. Even when access to the log files is restricted, they remain exposed to a malicious insider.

Impact of Insecure Logging

If an attacker or a malicious insider gains access to logs that contain sensitive information, several problems can follow. If the logs contain a session identifier or user credentials, the attacker can hijack the account, expose the user's data, or perform actions as that user, with potential financial loss. The attacker could also change user data without the user's knowledge. Alternatively, an attacker can learn important system and network information about the application and its environment, which may enable them to pivot to other servers and/or escalate their privilege level.

Testing for Insecure Logging

As part of the development cycle, developers need to be aware of the issues surrounding Insecure Logging and their impact, and actively question the sensitivity of the data they log. Code review helps identify Insecure Logging issues. Review the content of the log files at each logging level for each use case. Review the log file location and ensure non-privileged users cannot access the directory or its content. Attempt to access the directory as a non-privileged user at the system or network level, or via the web interface.

Java Example of Insecure Logging

// Sensitive data (a full card number) is written to the log in plain text.
logger.info("Username: " + username + ", CCN: " + ccn);
locationClient = new LocationClient(this, this, this);
locationClient.connect();
currentUser.setLocation(locationClient.getLastLocation());
...

catch (Exception e) {
    AlertDialog.Builder builder = new AlertDialog.Builder(this);
    builder.setMessage("Sorry, this application has experienced an error.");
    AlertDialog alert = builder.create();
    alert.show();
    // The user object's toString() is dumped into the log with the exception;
    // whatever it exposes (location, credentials, session) ends up in the file.
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + currentUser.toString());
}

Java Specific Fixes for Insecure Logging

Review log files and application code to ensure that no mode (production, development, test) logs sensitive information. Ensure the application's logging level is properly configured when it is moved to production. Ensure production log files and their backups are accessible only to authorized personnel and are protected from unauthorized reads and writes. Ensure the web tier cannot access logging files.
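A hardened counterpart to the example above, written here as an added illustration and not the original author's code: the card number is masked before it reaches the log, free-text messages are scrubbed for anything that looks like a card number, and the user object's toString() is written so that concatenating it into a log message cannot leak sensitive fields. The User and SafeLogging classes and the sample values are assumptions for this example.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Hypothetical user record standing in for the page's currentUser.
final class User {
    private final String username;
    private final String cardNumber;  // sensitive: logged only masked
    User(String username, String cardNumber) { this.username = username; this.cardNumber = cardNumber; }
    String getUsername() { return username; }
    String getCardNumber() { return cardNumber; }
    // toString() deliberately omits the card number, so an accidental
    // "..." + user in a log statement cannot leak it.
    @Override public String toString() { return "User[username=" + username + "]"; }
}

public final class SafeLogging {
    private static final Logger LOG = Logger.getLogger(SafeLogging.class.getName());
    // Runs of 13-19 digits are treated as card numbers and scrubbed.
    private static final Pattern PAN = Pattern.compile("\\b\\d{13,19}\\b");

    // Keep only the last four digits of a card number.
    static String maskCard(String ccn) {
        if (ccn == null || ccn.length() < 4) return "****";
        return "****" + ccn.substring(ccn.length() - 4);
    }

    // Defence in depth: redact anything card-like from free text before it is logged.
    static String scrub(String message) {
        return PAN.matcher(message).replaceAll("[REDACTED]");
    }

    static void recordPurchase(User user, long amountCents) {
        // Insecure form from the page: logger.info("Username: " + username + ", CCN: " + ccn);
        LOG.info(scrub("purchase user=" + user.getUsername()
                + " card=" + maskCard(user.getCardNumber()) + " amount=" + amountCents));
    }

    static void handleFailure(User user, Exception e) {
        // Passing the exception as a parameter records the stack trace; the user
        // reference goes through the safe toString() above, not a field dump.
        LOG.log(Level.SEVERE, "Caught exception while on " + user, e);
    }

    public static void main(String[] args) {
        User u = new User("alice", "4111111111111111"); // constructed sample values
        recordPurchase(u, 1999);
        handleFailure(u, new IllegalStateException("payment gateway timeout"));
    }
}
```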
