[Esapi-user] ESAPI Logging bad data

Jeff Williams jeff.williams at aspectsecurity.com
Fri May 31 01:03:30 UTC 2013


Hi Tony,

I'm not sure how this could be happening. The ESAPI Logger was designed to prevent CRLF injection.  I checked both the Java logger and the Log4j loggers and they both sanitize the input, replacing any CR or LF characters with _.  See the log() method in https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/Log4JLogger.java.

Hey wait - how are you viewing the logs?  Is it in a browser?  Could there be <BR> or some other linefeed markup in your logs?

--Jeff
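The two defences Jeff describes above (replacing CR and LF in the message before it reaches the log, and encoding for HTML when the log is viewed in a browser) as an added standalone illustration. This is example code written for this thread, not ESAPI's own Log4JLogger; the class name, the entry format and the " (sanitized)" marker are my own choices, and the sample payloads are constructed to mirror Tony's report.

```java
/**
 * Standalone illustration (not ESAPI's own code) of neutralising CR/LF in
 * untrusted values before logging, and of HTML-encoding the value when the
 * log is rendered by a browser-based viewer.
 */
public final class LogSanitizer {

    /** Result of cleaning one untrusted value. */
    static final class Cleaned {
        final String value;
        final boolean changed;   // true if CR/LF were found and replaced
        Cleaned(String value, boolean changed) { this.value = value; this.changed = changed; }
    }

    /** Replace every CR and LF with '_' so the value cannot start a new log line. */
    static Cleaned neutralizeNewlines(String untrusted) {
        if (untrusted == null) return new Cleaned("null", false);
        String clean = untrusted.replace('\r', '_').replace('\n', '_');
        return new Cleaned(clean, !clean.equals(untrusted));
    }

    /** Minimal HTML encoding for viewers that render log entries as HTML. */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Build one log entry (hypothetical format). The untrusted value is always
     * neutralised; when htmlViewer is true it is also HTML-encoded. A marker is
     * appended when CR/LF were stripped so reviewers can grep for attempts.
     */
    static String buildEntry(String level, String context, String untrusted, boolean htmlViewer) {
        Cleaned c = neutralizeNewlines(untrusted);
        String payload = htmlViewer ? encodeForHtml(c.value) : c.value;
        String entry = level + ": [SECURITY FAILURE] Invalid input: context=" + context
                     + ", input=" + payload;
        return c.changed ? entry + " (sanitized)" : entry;
    }

    /** Count entries in captured log text; every line must carry a known level prefix. */
    static int countUnexpectedLines(String logText) {
        int unexpected = 0;
        for (String line : logText.split("\n")) {
            if (!(line.startsWith("WARNING: ") || line.startsWith("INFO: ")
                  || line.startsWith("SEVERE: ") || line.isEmpty())) {
                unexpected++;
            }
        }
        return unexpected;
    }

    public static void main(String[] args) {
        // Constructed payload mirroring the thread: a newline followed by a fake INFO line.
        String forged = "\nINFO: I AM FORGING YOUR LOG";
        String entry = buildEntry("WARNING", "validate_filename", forged, false);
        System.out.println(entry);
        // The entry stays on one line: "... input=_INFO: I AM FORGING YOUR LOG (sanitized)"
        System.out.println("lines in entry: " + entry.split("\n").length);        // 1

        // Jeff's second hypothesis: markup that a browser-based viewer would render as a line break.
        String markup = "<br>INFO: I AM FORGING YOUR LOG";
        System.out.println(buildEntry("WARNING", "validate_filename", markup, true));
        // "... input=&lt;br&gt;INFO: I AM FORGING YOUR LOG" (no "(sanitized)": no CR/LF present)

        // Detection side: a log containing a raw, unsanitised payload shows an orphan line.
        String rawLog = "WARNING: [SECURITY FAILURE] Invalid input: context=validate_filename, input="
                      + forged + "\n";
        System.out.println("unexpected lines: " + countUnexpectedLines(rawLog));  // 0, the fake line
        // looks like a real INFO entry, which is exactly why forging works against naive review
    }
}
```

The point of the `changed` flag is that a sanitised entry is evidence: an input that contained CR or LF is worth alerting on, not just neutralising. The `countUnexpectedLines` check also shows why detection after the fact is weak here: a forged line that copies the logger's own prefix is indistinguishable from a genuine one, so the fix has to happen at write time, as the ESAPI loggers do.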


From: esapi-user-bounces at lists.owasp.org [mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of August Detlefsen
Sent: Thursday, May 30, 2013 7:47 PM
To: Tony M
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] ESAPI Logging bad data

If an attacker is able to insert a newline into your log file, then yes, that is pretty much the definition of log forging...

On Thu, May 30, 2013 at 3:27 PM, Tony M <dev at cfreak.net> wrote:
Hello,

I am using ESAPI in one of my applications. It seems that ESAPI is logging bad data:


WARNING: [SECURITY FAILURE] Invalid input: context=validate_filename, type(FileName)=^[[email protected]#$%^&{}\[\]()_+\-=,.~'` ]{1,255}$, input=

INFO: I AM FORGING YOUR LOG

in the log file. Isn't that subject to log forging? I know that showing the data in the log has benefit. Any advice on solving this issue?

Thanks,

Tony
