| Name |
Web Server Logs Tampering |
|
| Likelyhood of attack |
Typical severity |
| Medium |
High |
|
| Summary |
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application. |
| Prerequisites |
Target server software must be a HTTP server that performs web logging. |
| Execution Flow |
| Step |
Phase |
Description |
Techniques |
| 1 |
Explore |
[Determine Application Web Server Log File Format] The attacker observes the system and looks for indicators of which logging utility is being used by the web server. |
- Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.
|
| 2 |
Experiment |
[Determine Injectable Content] The attacker launches various logged actions with malicious data to determine what sort of log injection is possible. |
- Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.
|
| 3 |
Exploit |
[Manipulate Log Files] The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack. |
-
Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.
For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters.
-
Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.
For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters.
- Directly through log file or database manipulation, modify existing log entries.
|
|
| Solutions | Design: Use input validation before writing to web log Design: Validate all log data before it is output |
| Related Weaknesses |
|
CWE ID
|
Description
|
| CWE-20 |
Improper Input Validation |
| CWE-75 |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| CWE-93 |
Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| CWE-96 |
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| CWE-116 |
Improper Encoding or Escaping of Output |
| CWE-117 |
Improper Output Neutralization for Logs |
| CWE-150 |
Improper Neutralization of Escape, Meta, or Control Sequences |
| CWE-221 |
Information Loss or Omission |
| CWE-276 |
Incorrect Default Permissions |
| CWE-279 |
Incorrect Execution-Assigned Permissions |
|
| Related CAPECS |
|
CAPEC ID
|
Description
|
| CAPEC-268 |
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions. |
|