[OWASP-cheat-sheets] Add Log Injection Prevention to: Injection_Prevention_Cheat_Sheet_in_Java

Jim Manico jim.manico at owasp.org
Tue Nov 27 12:56:20 UTC 2018


I think we're good to go live. Nice work folks.

 - Jim

On 11/27/18 12:14 AM, Dominique Righetto wrote:
> Jim, can we consider it ok for a go live?
>
> On Mon, Nov 26, 2018 at 18:46, Dominique Righetto
> <dominique.righetto at owasp.org> wrote:
>
>     OK, thank you.
>
>     --
>     Best regards,
>     Dominique Righetto
>     dominique.righetto at gmail.com
>     dominique.righetto at owasp.org
>     https://righettod.eu
>     GPG: 323D19BA
>
>
>     On Mon, Nov 26, 2018 at 6:42 PM Dave Wichers
>     <dwichers at gmail.com> wrote:
>
>         OK. I tweaked this new content a bit, and removed the under
>         construction label as I don't think it's necessary now.
>
>         On Mon, Nov 26, 2018 at 12:11 PM Dominique Righetto
>         <dominique.righetto at owasp.org> wrote:
>
>             I have added the config for Logback in a way that allows
>             "direct" usage by a dev team, following the same approach
>             as for LOG4J v2.
>
>
>             On Mon, Nov 26, 2018 at 5:38 PM Dave Wichers
>             <dwichers at gmail.com> wrote:
>
>                 'We' are OWASP :-)   So 'We' can say whatever we want.
>                 So yes, it is now official, unless Jim, August,
>                 whomever talks us out of it :-)
>
>                 Re: Logback, yes, I think repeating their
>                 recommendation, and referencing their log injection
>                 defense page would be a good enhancement to this page.
>
>                 -Dave
>
>
>                 On Mon, Nov 26, 2018 at 11:24 AM Dominique Righetto
>                 <dominique.righetto at owasp.org> wrote:
>
>                     I have updated the section in the CS to reflect
>                     the discussion.
>
>                     About:
>                     "OWASP recommends defending against XSS attacks in
>                     such situations in the log viewer application
>                     itself, not by preencoding all the log messages
>                     with HTML encoding as such log entries may be
>                     used/viewed in many other log viewing/analysis
>                     tools that don't expect the log data to be
>                     pre-HTML encoded."
>
>                     Is there an official statement about that point?
>
>                     For the Logback API, I think that for the moment we
>                     can propose the usage of the project
>                     "owasp-security-logging" because there is not
>                     currently a solution on the Logback side and, as
>                     Logback is widely used (at least in the projects I
>                     see), we must propose a solution even if it is
>                     temporary and heavier than an upgrade to LOG4J v2.
>
>                     Moreover, it helps to promote this OWASP project too
>                     and helps dev teams to use a centralized/maintained
>                     API...
>
>                     OK on that?
>
>
>                     On Mon, Nov 26, 2018 at 4:56 PM Dominique Righetto
>                     <dominique.righetto at owasp.org> wrote:
>
>                         As discussions are pending, I have added a
>                         warning in the section to indicate the "WORK
>                         IN PROGRESS" state.
>
>                         On Mon, Nov 26, 2018 at 4:40 PM Dave Wichers
>                         <dwichers at gmail.com> wrote:
>
>                             I just ran across this:
>
>                             https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
>
>                             I think their recommendation to use the
>                             default enc{} function in log4j2 is
>                             incorrect, but I'll talk to them about
>                             that. Their recommendation for Logback is
>                             great! (Didn't know that), and I think we
>                             should repeat it here, and also reference
>                             this specific page of the project, rather
>                             than the overall project itself.
>
>                             -Dave
>
>
>                             On Mon, Nov 26, 2018 at 10:19 AM Dave
>                             Wichers <dwichers at gmail.com> wrote:
>
>                                 Thanks Dominique!!
>
>                                 I made some tweaks and have a
>                                 question. The major point of my
>                                 changes is that the {CRLF} encoding
>                                 scheme MUST be used to prevent log
>                                 injection as that is the scheme that
>                                 encodes CRLF chars. The default
>                                 encoding scheme for the {encode}
>                                 function is HTML, which is dumb in my
>                                 opinion. That prevents XSS, but does
>                                 it by forcing encoding before the data
>                                 is even sent to a browser, which I
>                                 think is wrong.
>
>                                 I'd also prefer to give people the
>                                 option to make a simple change, and
>                                 asking them to pull in the OWASP
>                                 Secure Logging Project isn't
>                                 necessarily simple. In fact, I'm not
>                                 sure exactly what the project does to
>                                 help prevent log injection. I'm not
>                                 sure the comment: "The OWASP Security
>                                 Logging Project
>                                 <https://www.owasp.org/index.php/OWASP_Security_Logging_Project> can
>                                 be used to protect the application log
>                                 against Log Injection attacks." is
>                                 actually true.  Can you get Jim to
>                                 introduce you to August (one of the
>                                 project leads), to answer that
>                                 question?  If that project doesn't
>                                 prevent log injection by default maybe
>                                 it can be enhanced to do so by using
>                                 the enc{}{CRLF} function in Log4j2.
>                                 However, if that project also supports
>                                 Logback or other loggers, then it
>                                 might have to use (or provide)
>                                 different mechanisms to prevent Log
>                                 injection using those frameworks.
>
>                                 If anyone is aware of any Log
>                                 Injection defense mechanisms built
>                                 into Logback that we can leverage, and
>                                 describe on this page, please let me
>                                 know, or simply update the article!
>
>                                 I pulled out any references to
>                                 the OWASP Secure Logging Project from
>                                 the example, as I don't think it is
>                                 required to implement what is shown
>                                 there now.
>
>                                 Thanks, Dave
>
>                                 On Mon, Nov 26, 2018 at 8:03 AM
>                                 Dominique Righetto
>                                 <dominique.righetto at owasp.org> wrote:
>
>                                     Hi,
>
>                                     Info has been added:
>
>                                     https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java#Log_Injection
>
>                                     On Wed, Oct 31, 2018 at 6:01 PM
>                                     Dave Wichers <dwichers at gmail.com> wrote:
>
>                                         Hey, I was looking at:
>
>                                         https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java
>
>                                         And noticed it does not cover
>                                         Java log injection. There
>                                         aren't any good articles on
>                                         this subject really, but I did
>                                         find this blog post:
>
>                                         https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
>
>                                         Could you take the time to add
>                                         a section on Log Injection
>                                         prevention and reference/include
>                                         this recommendation, and
>                                         anything else good you can
>                                         find for the Java world??
>
>                                         Thanks, Dave
>
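The Log4j 2 point argued in the thread (the default scheme of the enc{} converter is HTML and only the {CRLF} scheme stops line injection), shown as an added example that is not part of the thread, the cheat sheet, or the Log4j project. Three appenders write the same message; only the last one is safe against log injection. The appender and file names are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- log4j2.xml: added example, not part of the cheat sheet or this thread.
     Appender and file names are assumptions. -->
<Configuration status="WARN">
  <Appenders>
    <!-- WEAK: %m writes the message verbatim. If a request parameter such as a
         user name is logged and the attacker sends
         "alice%0a2018-11-26T12:00:00,000 INFO  [main] Login - User admin logged in"
         the LF produces a forged second line that a log viewer or SIEM cannot
         distinguish from a genuine entry. -->
    <File name="WeakFile" fileName="logs/app-weak.log">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %m%n"/>
    </File>

    <!-- STILL WEAK: %enc{%m} with no second option defaults to the HTML scheme.
         That encodes <, >, &amp; and quotes, which only matters for a browser-based
         viewer; it leaves CR and LF untouched, so the injected line above still
         splits, and every non-HTML consumer now sees entities it did not expect. -->
    <File name="HtmlEncodedFile" fileName="logs/app-html.log">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %enc{%m}%n"/>
    </File>

    <!-- FIXED: the CRLF scheme replaces each \r and \n inside the message with the
         two-character text "\r" and "\n", so the whole entry stays on one physical
         line and the attempted injection is visible as literal "\n" in the log. -->
    <File name="SafeFile" fileName="logs/app.log">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1} - %enc{%m}{CRLF}%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="SafeFile"/>
    </Root>
  </Loggers>
</Configuration>
```

The encoding is applied to the pattern fragment it wraps, so any other fragment that can carry untrusted data (for example an MDC value emitted with %X) needs its own %enc{...}{CRLF} wrapper; the timestamp, level and logger name are generated by the framework and do not. XSS in a browser-based log viewer is left to that viewer's output encoding, which is the position the thread converges on.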
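The Logback side of the same discussion, as an added example that is not part of the thread, the cheat sheet, or the owasp-security-logging wiki page it links to. Logback has no CRLF encoder comparable to Log4j 2's enc{}{CRLF}, so this uses Logback's documented replace(p){r, t} conversion word, which runs a regex substitution over the output of the nested sub-pattern. The regex, the replacement character and the appender and file names are this example's own choices:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- logback.xml: added example, not part of the cheat sheet or this thread.
     Appender and file names are assumptions. -->
<configuration>
  <!-- WEAK: %msg is written verbatim, so an attacker-supplied CR or LF in a
       logged value starts a new, forged log line. -->
  <appender name="WEAK" class="ch.qos.logback.core.FileAppender">
    <file>logs/app-weak.log</file>
    <encoder>
      <pattern>%d{ISO8601} %-5level [%thread] %logger{36} - %msg%n</pattern>
    </encoder>
  </appender>

  <!-- FIXED: %replace(%msg){'[\r\n]+', '_'} rewrites every run of CR/LF in the
       message to a single underscore before the line terminator is appended, so
       the message can never span more than one physical line. Replacing with ''
       also works; a visible marker makes the injection attempt easier to spot. -->
  <appender name="SAFE" class="ch.qos.logback.core.FileAppender">
    <file>logs/app.log</file>
    <encoder>
      <pattern>%d{ISO8601} %-5level [%thread] %logger{36} - %replace(%msg){'[\r\n]+', '_'}%n</pattern>
    </encoder>
  </appender>

  <root level="INFO">
    <appender-ref ref="SAFE"/>
  </root>
</configuration>
```

As with the Log4j 2 pattern, the substitution covers only the fragment it wraps; wrap %X{...} or any other fragment that echoes request data the same way. When an exception is logged and the pattern contains no %ex converter, Logback appends the stack trace after the pattern, and those lines are genuinely multi-line and are not touched by the replace, so downstream parsers should still key on the timestamp at the start of each entry rather than on line boundaries alone.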