[OWASP-cheat-sheets] Add Log Injection Prevention to: Injection_Prevention_Cheat_Sheet_in_Java

Dominique Righetto dominique.righetto at owasp.org
Mon Nov 26 18:44:33 UTC 2018


Jim, can we consider it ok for a go live?

On Mon, Nov 26, 2018 at 6:46 PM Dominique Righetto <
dominique.righetto at owasp.org> wrote:

> OK, thank you.
>
> --
> Cordialement, Best regards,
> Dominique Righetto
> dominique.righetto at gmail.com
> dominique.righetto at owasp.org
> https://righettod.eu
> GPG: 323D19BA
>
>
> On Mon, Nov 26, 2018 at 6:42 PM Dave Wichers <dwichers at gmail.com> wrote:
>
>> OK. I tweaked this new content a bit, and removed the under construction
>> label as I don't think it's necessary now.
>>
>> On Mon, Nov 26, 2018 at 12:11 PM Dominique Righetto <
>> dominique.righetto at owasp.org> wrote:
>>
>>> I have added the config for Logback in a way that allows "direct" usage
>>> by a dev team, following the same approach as for LOG4JV2.
>>>
>>>
>>> On Mon, Nov 26, 2018 at 5:38 PM Dave Wichers <dwichers at gmail.com> wrote:
>>>
>>>> 'We' are OWASP :-)   So 'We' can say whatever we want. So yes, it is
>>>> now official, unless Jim, August, whomever talks us out of it :-)
>>>>
>>>> Re: Logback, yes, I think repeating their recommendation, and
>>>> referencing their log injection defense page would be a good enhancement to
>>>> this page.
>>>>
>>>> -Dave
>>>>
>>>>
>>>> On Mon, Nov 26, 2018 at 11:24 AM Dominique Righetto <
>>>> dominique.righetto at owasp.org> wrote:
>>>>
>>>>> I have updated the section in the CS to reflect the discussion.
>>>>>
>>>>> About:
>>>>> "OWASP recommends defending against XSS attacks in such situations in
>>>>> the log viewer application itself, not by preencoding all the log messages
>>>>> with HTML encoding as such log entries may be used/viewed in many other log
>>>>> viewing/analysis tools that don't expect the log data to be pre-HTML
>>>>> encoded."
>>>>>
>>>>> Is there an official statement about that point?
>>>>>
>>>>> For the Logback API, I think that for the moment, we can propose the usage
>>>>> of the project "owasp-security-logging" because there is not currently a
>>>>> solution on the Logback side and, as Logback is very widely used (at least in the
>>>>> projects I see), we must propose a solution even if it is temporary and
>>>>> heavier than an upgrade to LOG4J v2.
>>>>>
>>>>> Moreover, it helps to promote this OWASP project too and helps dev teams
>>>>> use a centralized/maintained API...
>>>>>
>>>>> OK on that?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Nov 26, 2018 at 4:56 PM Dominique Righetto <
>>>>> dominique.righetto at owasp.org> wrote:
>>>>>
>>>>>> As discussions are pending, I have added a warning in the section to
>>>>>> indicate the "WORK IN PROGRESS" state.
>>>>>>
>>>>>>
>>>>>> On Mon, Nov 26, 2018 at 4:40 PM Dave Wichers <dwichers at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> I just ran across this:
>>>>>>>
>>>>>>> https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
>>>>>>>
>>>>>>> I think their recommendation to use the default enc{} function in
>>>>>>> log4j2 is incorrect, but I'll talk to them about that. Their recommendation
>>>>>>> for Logback is great! (Didn't know that), and I think we should repeat it
>>>>>>> here, and also reference this specific page of the project, rather than the
>>>>>>> overall project itself.
>>>>>>>
>>>>>>> -Dave
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Nov 26, 2018 at 10:19 AM Dave Wichers <dwichers at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Thanks Dominique!!
>>>>>>>>
>>>>>>>> I made some tweaks and have a question. The major point of my
>>>>>>>> changes is that the {CRLF} encoding scheme MUST be used to prevent log
>>>>>>>> injection as that is the scheme that encodes CRLF chars. The default
>>>>>>>> encoding scheme for the {encode} function is HTML, which is dumb in my
>>>>>>>> opinion. That prevents XSS, but does it by forcing encoding before the data
>>>>>>>> is even sent to a browser, which I think is wrong.
>>>>>>>>
>>>>>>>> I'd also prefer to give people the option to make a simple change,
>>>>>>>> and asking them to pull in the OWASP Secure Logging Project isn't
>>>>>>>> necessarily simple. In fact, I'm not sure exactly what the project does to
>>>>>>>> help prevent log injection. I'm not sure the comment: "The OWASP
>>>>>>>> Security Logging Project
>>>>>>>> <https://www.owasp.org/index.php/OWASP_Security_Logging_Project> can
>>>>>>>> be used to protect the application log against *Log Injection* attacks."
>>>>>>>> is actually true.  Can you get Jim to introduce you to August (one of the
>>>>>>>> project leads), to answer that question?  If that project doesn't prevent
>>>>>>>> log injection by default maybe it can be enhanced to do so by using the
>>>>>>>> enc{}{CRLF} function in Log4j2. However, if that project also supports
>>>>>>>> Logback or other loggers, then it might have to use (or provide) different
>>>>>>>> mechanisms to prevent Log Injection using those frameworks.
>>>>>>>>
>>>>>>>> If anyone is aware of any Log Injection defense mechanisms built
>>>>>>>> into Logback that we can leverage, and describe on this page, please let me
>>>>>>>> know, or simply update the article!
>>>>>>>>
>>>>>>>> I pulled out any references to the OWASP Secure Logging Project
>>>>>>>> from the example, as I don't think it is required to implement what is
>>>>>>>> shown there now.
>>>>>>>>
>>>>>>>> Thanks, Dave
>>>>>>>>
>>>>>>>> On Mon, Nov 26, 2018 at 8:03 AM Dominique Righetto <
>>>>>>>> dominique.righetto at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Info has been added:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java#Log_Injection
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Oct 31, 2018 at 6:01 PM Dave Wichers <dwichers at gmail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hey, I was looking at:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java
>>>>>>>>>>
>>>>>>>>>> And noticed it does not cover Java log injection. There aren't
>>>>>>>>>> any good articles on this subject really, but I did find this blog post:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
>>>>>>>>>>
>>>>>>>>>> Could you take the time to add a section on Log Injection prevention
>>>>>>>>>> and reference/include this recommendation, and anything else good you can
>>>>>>>>>> find for the Java world??
>>>>>>>>>>
>>>>>>>>>> Thanks, Dave
>>>>>>>>>>
>>>>>>>>>>
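The `enc{}{CRLF}` pattern discussed in this thread, as an added example that is not part of the cheat sheet, the thread, or the OWASP Security Logging Project: it renders one constructed log event through a plain log4j2 PatternLayout and through one using `%enc{%m}{CRLF}`, so the difference is visible without a full logging configuration. It assumes log4j-core 2.x on the classpath; the logger name and the sample message are constructed for the demo.

```java
// Added example (not from the cheat sheet or the thread): renders one log event
// through two log4j2 PatternLayouts to show what the {CRLF} encoding scheme does.
// Assumes log4j-core 2.x on the classpath; logger name and message are constructed.
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;

public class LogInjectionLayoutDemo {

    // Weak: the message is written verbatim, so an embedded CR/LF in user-supplied
    // data ends the current log line and starts a new one.
    static final String WEAK_PATTERN = "%d{ISO8601} %-5p [%c] %m%n";

    // Hardened: %enc{...}{CRLF} replaces CR and LF inside the message with the
    // two-character literals \r and \n, so one event always stays on one line.
    // (The default scheme of %enc is HTML, which is the wrong tool for this.)
    static final String HARDENED_PATTERN = "%d{ISO8601} %-5p [%c] %enc{%m}{CRLF}%n";

    // Format a single event with the given layout pattern and return the text
    // exactly as an appender would write it.
    static String render(String pattern, String message) {
        PatternLayout layout = PatternLayout.newBuilder().withPattern(pattern).build();
        LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("demo.Login")            // constructed logger name
                .setLevel(Level.INFO)
                .setMessage(new SimpleMessage(message))
                .build();
        return layout.toSerializable(event);
    }

    public static void main(String[] args) {
        // Constructed sample: a username value that contains a line break.
        String username = "alice\r\nINFO  [demo.Login] second line injected via username";
        String message = "Login failed for user: " + username;

        String weak = render(WEAK_PATTERN, message);
        String hardened = render(HARDENED_PATTERN, message);

        System.out.print("weak     : " + weak);       // prints as two log lines
        System.out.print("hardened : " + hardened);   // prints as one log line
        // Only the trailing %n newline remains in the hardened output.
        System.out.println("hardened is one line: " + !hardened.trim().contains("\n"));
    }
}
```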