An attacker may leverage a system weakness where logs are susceptible to
log injection to insert scripts into the system's logs. If these logs are
later viewed by an administrator through a thin administrative interface and
the log data is not properly HTML encoded before being written to the page,
the attacker's scripts stored in the log will be executed in the
administrative interface with potentially serious consequences. This attack
pattern is really a combination of two other attack patterns: log injection
and stored cross site scripting.
Attack Execution Flow
Explore
Probe for log injection vulnerability:
The attacker probes all user-controllable data
inputs to the system for log injection
vulnerabilities. This may be difficult (unless the
attacker has a white box view of the system) because
there may not be a feedback event to indicate to the
attacker that certain information is being
logged.
Outcomes
  ID: 1
  Type: Success
  Outcome Description: User injected input shows up in the logs
Security Controls
  ID: 1
  Type: Preventative
  Security Control Description: Apply appropriate input validation and
  filtering of user-controllable input before writing to logs
Probe for cross-site scripting vulnerability:
The attacker probes all user-controllable data
inputs to the system for any cross-site
scripting vulnerabilities. Cross-site scripting
vulnerabilities identified anywhere in the
application indicate an increased potential that
such vulnerabilities may exist in the log management
portions of the application.
Outcomes
  ID: 1
  Type: Success
  Outcome Description: Attacker-injected script is executed in user's
  browser.
Security Controls
  ID: 1
  Type: Preventative
  Security Control Description: HTML encode all log contents before
  displaying in log management interfaces.
Experiment
Confirm exploitability:
Create a simple script and inject it into one of
the potentially vulnerable fields. This script
should take some action which will give an attacker
an indication that the attack vector exists.
Attack Step Techniques
  ID: 1
  Attack Step Technique Description: The idea is to receive some sort of a
  feedback event that confirms that an attack is succeeding. That is done
  with a simple script prior to crafting possibly a more complex script
  to launch an actual attack.
  Environments: env-Web
Outcomes
  ID: 1
  Type: Success
  Outcome Description: Expected script execution feedback event is
  observed.
Exploit
Inject System Logs with Malicious Scripts:
Create a malicious script to run in the
administrator's web based interface and inject it in
the system's logs through one of the user controlled
fields that are being logged.
Attack Step Techniques
  ID: 1
  Attack Step Technique Description: Inject the vulnerable fields by
  tampering with their values to contain the malicious scripts. Possibly
  trigger another event that makes it more likely that injected logs are
  viewed in the vulnerable UI as soon as possible.
  Environments: env-Web
Attack Prerequisites
The system uses a web based interface.
The system does not cleanse / validate user supplied data before writing it to logs.
Information from logs is displayed in a web based interface.
The web based log interface does not HTML output encode the log data prior to displaying it in the administrator console.
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Injection
Examples-Instances
Description
An attacker determines that a particular system uses a web based
interface for administration. The attacker creates a new user record and
supplies a malicious script in the user name field. The script will
steal the administrator's authentication cookie and forward it to a site
controlled by the attacker. The user name field is not validated by the
system and is logged as is in the log. At some point later, an
administrator reviews the log activity in the administrative console.
When the administrator comes across the attacker's activity record, the
malicious script is executed in the context of the administrator's browser,
stealing the administrator's authentication cookie and forwarding it to
the attacker. The attacker then uses the received authentication cookie
to log in to the system as an administrator, assuming that the
administrator console can be accessed remotely.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Requires the ability to write a simple script and try to inject it
through various user controlled fields in the system.
Resources Required
No specialized hardware is required
Probing Techniques
Description
Locate system screens for operations that are likely to be logged and
use these as starting points for injection
Solutions and Mitigations
Cleanse all user supplied data before placing it in the logs. Reject all
bad data. Ensure that the data is in the expected form.
Use proper HTML output encoding techniques to strip the log data of
potentially dangerous scripting characters before displaying it in the
administrative console.
If possible, disable script execution in the administrative
interface.
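The three mitigations above, applied together in Python as an added example (not part of the original entry): validate before logging, neutralize what is logged, HTML-encode at display time, and send a policy header that blocks script in the log viewer. The user name policy, the function names and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Assumed policy for this example: 3-32 letters, digits, '.', '_' or '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")
UNSAFE_IN_LOG = re.compile(r'[\x00-\x1f\x7f"\\]')
# Header for the log viewer response: no script source is allowed to run.
LOG_VIEWER_CSP = "default-src 'none'; style-src 'self'"

def validate_username(value):
    """Mitigation 1: reject data that is not in the expected form."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("user name not in expected form")
    return value

def neutralize_for_log(value, max_len=256):
    """Escape control characters (CR/LF included), quotes and backslashes so
    a value stays one quoted field on one line, then truncate it."""
    escaped = UNSAFE_IN_LOG.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    return escaped[:max_len]

def log_line(event, field):
    return f'{event} value="{neutralize_for_log(field)}"'

def render_log_page(lines):
    """Mitigation 2: HTML-encode every log line when it is displayed."""
    rows = "".join(f"<tr><td>{html.escape(line, quote=True)}</td></tr>\n"
                   for line in lines)
    return f"<table>\n{rows}</table>"

# Constructed sample inputs: a valid name, a markup payload, a CR/LF forgery.
SAMPLE_INPUTS = ["alice", "<script>alert(1)</script>",
                 'bob\nuser_created value="root"']

def demo():
    logged = []
    for name in SAMPLE_INPUTS:
        try:
            logged.append(log_line("user_created", validate_username(name)))
        except ValueError:
            # The rejection is still recorded, so the raw value is neutralized.
            logged.append(log_line("user_rejected", name))
    return logged, render_log_page(logged)

if __name__ == "__main__":
    lines, page = demo()
    print("Content-Security-Policy:", LOG_VIEWER_CSP)
    print(page)
```

Encoding at display time is the control that stops script execution in the console; validation and neutralization at write time keep the log itself trustworthy for every other consumer.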