[OWASP-cheat-sheets] Add Log Injection Prevention to: Injection_Prevention_Cheat_Sheet_in_Java

Dominique Righetto dominique.righetto at owasp.org
Tue Nov 27 14:28:44 UTC 2018


OK, I will do the rest...

On Tue, Nov 27, 2018 at 13:56, Jim Manico <jim.manico at owasp.org> wrote:

> I think we're good to go live. Nice work folks.
>
>  - Jim
> On 11/27/18 12:14 AM, Dominique Righetto wrote:
>
> Jim, can we consider it ok for a go live?
>
> On Mon, Nov 26, 2018 at 18:46, Dominique Righetto <
> dominique.righetto at owasp.org> wrote:
>
>> OK, thank you.
>>
>> --
>> Best regards,
>> Dominique Righetto
>> dominique.righetto at gmail.com
>> dominique.righetto at owasp.org
>> https://righettod.eu
>> GPG: 323D19BA
>>
>>
>> On Mon, Nov 26, 2018 at 6:42 PM Dave Wichers <dwichers at gmail.com> wrote:
>>
>>> OK. I tweaked this new content a bit, and removed the under construction
>>> label as I don't think it's necessary now.
>>>
>>> On Mon, Nov 26, 2018 at 12:11 PM Dominique Righetto <
>>> dominique.righetto at owasp.org> wrote:
>>>
>>>> I have added the config for Logback in a way that allows "direct" usage
>>>> by a dev team, with the same approach as for LOG4J v2.
>>>> --
>>>> Best regards,
>>>> Dominique Righetto
>>>> dominique.righetto at gmail.com
>>>> dominique.righetto at owasp.org
>>>> https://righettod.eu
>>>> GPG: 323D19BA
>>>>
>>>>
>>>> On Mon, Nov 26, 2018 at 5:38 PM Dave Wichers <dwichers at gmail.com>
>>>> wrote:
>>>>
>>>>> 'We' are OWASP :-)   So 'We' can say whatever we want. So yes, it is
>>>>> now official, unless Jim, August, whomever talks us out of it :-)
>>>>>
>>>>> Re; Logback, yes, I think repeating their recommendation, and
>>>>> referencing their log injection defense page would be a good enhancement to
>>>>> this page.
>>>>>
>>>>> -Dave
>>>>>
>>>>>
>>>>> On Mon, Nov 26, 2018 at 11:24 AM Dominique Righetto <
>>>>> dominique.righetto at owasp.org> wrote:
>>>>>
>>>>>> I have updated the section in the CS to reflect the discussion.
>>>>>>
>>>>>> About:
>>>>>> "OWASP recommends defending against XSS attacks in such situations in
>>>>>> the log viewer application itself, not by preencoding all the log messages
>>>>>> with HTML encoding as such log entries may be used/viewed in many other log
>>>>>> viewing/analysis tools that don't expect the log data to be pre-HTML
>>>>>> encoded."
>>>>>>
>>>>>> Is there an official statement about that point?
>>>>>>
>>>>>> For the Logback API, I think that for the moment we can propose the usage
>>>>>> of the project "owasp-security-logging", because there is not currently a
>>>>>> solution on the Logback side and, as Logback is very widely used (at least in the
>>>>>> projects I see), we must propose a solution even if it is temporary and
>>>>>> heavier than an upgrade to LOG4J v2.
>>>>>>
>>>>>> Moreover, it helps to promote this OWASP project too and helps dev teams
>>>>>> to use a centralized/maintained API...
>>>>>>
>>>>>> OK on that?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Dominique Righetto
>>>>>> dominique.righetto at gmail.com
>>>>>> dominique.righetto at owasp.org
>>>>>> https://righettod.eu
>>>>>> GPG: 323D19BA
>>>>>>
>>>>>>
>>>>>> On Mon, Nov 26, 2018 at 4:56 PM Dominique Righetto <
>>>>>> dominique.righetto at owasp.org> wrote:
>>>>>>
>>>>>>> As discussions are pending, I have added a warning in the section to
>>>>>>> indicate the "WORK IN PROGRESS" state.
>>>>>>> --
>>>>>>> Best regards,
>>>>>>> Dominique Righetto
>>>>>>> dominique.righetto at gmail.com
>>>>>>> dominique.righetto at owasp.org
>>>>>>> https://righettod.eu
>>>>>>> GPG: 323D19BA
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Nov 26, 2018 at 4:40 PM Dave Wichers <dwichers at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I just ran across this:
>>>>>>>>
>>>>>>>> https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
>>>>>>>>
>>>>>>>> I think their recommendation to use the default enc{} function in
>>>>>>>> log4j2 is incorrect, but I'll talk to them about that. Their recommendation
>>>>>>>> for Logback is great! (Didn't know that), and I think we should repeat it
>>>>>>>> here, and also reference this specific page of the project, rather than the
>>>>>>>> overall project itself.
>>>>>>>>
>>>>>>>> -Dave
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Nov 26, 2018 at 10:19 AM Dave Wichers <dwichers at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Thanks Dominique!!
>>>>>>>>>
>>>>>>>>> I made some tweaks and have a question. The major point of my
>>>>>>>>> changes is that the {CRLF} encoding scheme MUST be used to prevent log
>>>>>>>>> injection, as that is the scheme that encodes CRLF chars. The default
>>>>>>>>> encoding scheme for the {encode} function is HTML, which is dumb in my
>>>>>>>>> opinion. That prevents XSS, but does it by forcing encoding before the data
>>>>>>>>> is even sent to a browser, which I think is wrong.
>>>>>>>>>
>>>>>>>>> I'd also prefer to give people the option to make a simple change,
>>>>>>>>> and asking them to pull in the OWASP Secure Logging Project isn't
>>>>>>>>> necessarily simple. In fact, I'm not sure exactly what the project does to
>>>>>>>>> help prevent log injection. I'm not sure the comment: "The OWASP
>>>>>>>>> Security Logging Project
>>>>>>>>> <https://www.owasp.org/index.php/OWASP_Security_Logging_Project> can
>>>>>>>>> be used to protect the application log against *Log Injection* attacks."
>>>>>>>>> is actually true.  Can you get Jim to introduce you to August (one of the
>>>>>>>>> project leads), to answer that question?  If that project doesn't prevent
>>>>>>>>> log injection by default maybe it can be enhanced to do so by using the
>>>>>>>>> enc{}{CRLF} function in Log4j2. However, if that project also supports
>>>>>>>>> Logback or other loggers, then it might have to use (or provide) different
>>>>>>>>> mechanisms to prevent Log injection using those frameworks.
>>>>>>>>>
>>>>>>>>> If anyone is aware of any Log Injection defense mechanisms built
>>>>>>>>> into Logback that we can leverage, and describe on this page, please let me
>>>>>>>>> know, or simply update the article!
>>>>>>>>>
>>>>>>>>> I pulled out any references to the OWASP Secure Logging Project
>>>>>>>>> from the example, as I don't think it is required to implement what is
>>>>>>>>> shown there now.
>>>>>>>>>
>>>>>>>>> Thanks, Dave
>>>>>>>>>
>>>>>>>>> On Mon, Nov 26, 2018 at 8:03 AM Dominique Righetto <
>>>>>>>>> dominique.righetto at owasp.org> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Info has been added:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java#Log_Injection
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Best regards,
>>>>>>>>>> Dominique Righetto
>>>>>>>>>> dominique.righetto at gmail.com
>>>>>>>>>> dominique.righetto at owasp.org
>>>>>>>>>> https://righettod.eu
>>>>>>>>>> GPG: 323D19BA
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Wed, Oct 31, 2018 at 6:01 PM Dave Wichers <dwichers at gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hey, I was looking at:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java
>>>>>>>>>>>
>>>>>>>>>>> And noticed it does not cover Java log injection. There aren't
>>>>>>>>>>> any good articles on this subject really, but I did find this blog post:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
>>>>>>>>>>>
>>>>>>>>>>> Could you take the time to add a section on Log Injection
>>>>>>>>>>> prevention and reference/include this recommendation, and anything else good
>>>>>>>>>>> you can find for the Java world?
>>>>>>>>>>>
>>>>>>>>>>> Thanks, Dave
>>>>>>>>>>>
>>>>>>>>>>>
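As an added illustration of the {CRLF} point raised in the thread above, the following log4j2 configuration shows the weak pattern beside the corrected one. It is example configuration written for this page, not text from the cheat sheet or from the owasp-security-logging project; the file name log4j2.xml, the appender names and the sample message in the comment are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file name: log4j2.xml (added example, not from the cheat sheet) -->
<Configuration status="WARN">
  <Appenders>
    <!-- Weak: %enc{%m} with no scheme argument falls back to the default scheme,
         which the thread notes is HTML; it is not the scheme to rely on for
         newline handling in plain-text logs. -->
    <Console name="UnsafeConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} - %enc{%m}%n"/>
    </Console>
    <!-- Hardened: the CRLF scheme escapes carriage returns and line feeds inside
         the message, so a constructed value such as "alice\nINFO forged entry"
         is written as a single line instead of two separate log records. -->
    <Console name="SafeConsole" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} - %enc{%m}{CRLF}%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Route everything through the appender that neutralizes CR/LF -->
    <Root level="info">
      <AppenderRef ref="SafeConsole"/>
    </Root>
  </Loggers>
</Configuration>
```

Only the message (%m) is wrapped here; any other pattern element that carries user-controlled data would need the same %enc{...}{CRLF} treatment.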