Ep-2: Log Sanitization
  • Question that we’ll investigate
    • “What items should I sanitize from the application logs?”
      • More than just passwords :)

Recon Background

  • Physical Recon (Reconnaissance)
    • Social Engineering: The Art of Human Hacking
      • “I can't wait to jump in the dumpster!”
    • Rushed employees don’t shred documents
  • Application Logs
    • Application’s dumpster
      • Common attack target
      • Rushed Devs/DevOps engineers don't “shred” sensitive information

Username Issues

  • User accidentally enters their password into the username field
  • Log view
    1. “Username ronaldmcdonaldPassword123 doesn’t exist”
    2. “Username ronaldmcdonald logged in successfully”
  • Sanitize all usernames from logs?
    • No
      • Incident Response
      • Find trade-off

Username Issues (Solution)

  • Possible solution
  • Server-side validation
    • If server receives a username with no password
      1. Abort the request
        • Don't query the DB
      2. Don't log the username
      3. Log IP for bot/DoS activity
  • Client-side validation as well
    • Don’t send the request
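The server-side half of that solution, written out as an added example (not code from the slides). `handleLogin`, `lookupUser` and the in-memory `logLines` sink are assumed names for this example; a real application would wire them to its router, database and logger.

```javascript
// Added example: server-side handling of a login request whose password field
// is empty. A password typed into the username field must never reach the DB
// query or the log, so the request is aborted before either happens.

const logLines = []; // constructed in-memory log sink standing in for the real logger
function log(level, msg) {
  logLines.push(`${level} ${msg}`);
}

// Hypothetical user store; a real app would query its database here.
// Only existence is checked; credential verification is out of scope for the example.
const userStore = new Set(['ronaldmcdonald']);
function lookupUser(username) {
  return userStore.has(username);
}

// req is a constructed request object: { username, password, ip }
function handleLogin(req) {
  const { username, password, ip } = req;

  // Steps 1 and 2: no password -> abort before touching the DB and do NOT log the
  // username, because the "username" may actually be the user's password.
  if (typeof password !== 'string' || password.length === 0) {
    // Step 3: log only the client IP so bot / DoS activity stays traceable.
    log('WARN', `login attempt with empty password from ${ip}`);
    return { status: 400, queriedDb: false };
  }

  // Normal path: the username is safe to log once a password accompanied it.
  if (!lookupUser(username)) {
    log('INFO', `Username ${username} doesn't exist`);
    return { status: 401, queriedDb: true };
  }
  log('INFO', `Username ${username} logged in successfully`);
  return { status: 200, queriedDb: true };
}

// Helper for inspecting what actually reached the log.
function logContains(text) {
  return logLines.some((line) => line.includes(text));
}
```

The check deliberately runs before any lookup: the cost of the mistake is not the failed query but the credential that would otherwise be persisted in plaintext.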

Sanitize Logs For Credentials

Sanitize Logs For XSS

  • What is XSS (Cross Site Scripting)?
    • Ex: Attacker places malicious javascript in victim’s browser
      • Steal auth cookie
  • How can the logs be an XSS risk?
    1. Attacker signs up for a service with the username of
      • <script src=""></script>
    2. Log gets sent to admin UI
      • Log View
        • Username <script src=""></script> logged in
    3. Admin views the logs
    4. Admin’s browser interprets HTML and loads authCookieStealer.js

Sanitize Logs For XSS (Solution)

  • XSS filter before persisting to logs
    • Escape All HTML special characters before logging
      • Ex: < > etc.
  • XSS node.js module (and cli tool)
  • Recommendations
    • For logs, nothing should be in whitelist
    • For auditing, escape instead of removing tags
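An escaping filter that follows those two recommendations, as an added example (it is not the slides' code and not the `xss` module's implementation). Every HTML special character is replaced with its entity, nothing is whitelisted, and nothing is removed, so the audit trail still shows exactly what the user submitted. `escapeHtml`, `loginLogLine` and `containsRawTag` are names chosen for this example.

```javascript
// Added example: escape attacker-controlled values before they are written to a
// log that an admin UI may later render as HTML.

// Entity map covering the characters that can open tags, attributes or close them.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
};

// Escape, never strip: the reviewer still sees the original payload, but the
// browser shows it as text instead of executing it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the login log line from an untrusted username (the slide's example input).
function loginLogLine(username) {
  return `Username ${escapeHtml(username)} logged in`;
}

// Sanity check used after escaping: a log line must contain no raw tag opener.
function containsRawTag(line) {
  return /<\s*[a-zA-Z!/]/.test(line);
}
```

Escaping at write time rather than at render time means every consumer of the log (admin UI, SIEM, e-mail alerts) gets the safe form, not just the one viewer someone remembered to harden.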

Sanitize Logs For Sensitive URL Parameters

  • SSNs or other personally identifiable information
    • Health conditions
      • Check compliance
      • Logs are often stored unencrypted, which could violate HIPAA
  • Auth Cookies
    • Certain frameworks will automatically put session IDs (auth information) in URL parameters if cookies are turned off
    • Session Tracking
      • Hash the session ID before logging it, so sessions can still be correlated without exposing the raw value
  • nginx considerations
    • Talk to DevOps

Additional Resources