Web Logs Tampering attacks involve an attacker injecting, deleting, or otherwise tampering with the contents of web logs, typically to mask other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs, in an asynchronous attack pattern. This pattern is similar to "Log Injection-Tampering-Forging", except that here the attack targets the logs of the web server rather than those of the application.
Attack Execution Flow

Explore

1. Determine Application Web Server Log File Format:
The attacker observes the system and looks for indicators of which logging utility is being used by the web server.

Attack Step Techniques (ID, Environment, Description):
1. [env-Web] Determine the logging utility being used by the application web server (e.g. log4j). This is only possible if the application is known to the attacker or if the application returns error messages with logging utility information.

Outcomes (ID, Type, Description):
1. Success: Attacker determines the log file format used by the application web server.
2. Inconclusive: Attacker cannot conclusively determine the log file format; he/she can only guess what the format is.
Experiment

1. Determine Injectable Content:
The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.

Attack Step Techniques (ID, Environment, Description):
1. [env-Web] Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.

Outcomes (ID, Type, Description):
1. Success: Attacker observes content successfully injected into web logs.
2. Inconclusive: Attacker lacks the capability to observe whether content was successfully injected into web logs.
Exploit

1. Manipulate Log Files:
The attacker alters the log contents either directly, through manipulation or forging, or indirectly, through injection of a specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

Attack Step Techniques (ID, Environment, Description):
1. [env-Web] Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then add a fake entry. For example, the HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into the Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters.
2. [env-Web] Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then add a fake entry.
3. [env-Web] Directly through log file or database manipulation, modify existing log entries.

Outcomes (ID, Type, Description):
1. Success: Forged entry or other malicious data inserted into the application's logs.
2. Failure: No entry inserted into the logs, or the entry is visibly distinguishable from real entries.
Security Controls (ID, Type, Description):
1. Preventative: Input validation to ensure that only legal characters supplied by users can be entered into log files.
2. Preventative: Encode information from the user such that any unexpected characters are encoded safely before they are entered into log files.
3. Preventative: Post-processing of log files to remove or encode dangerous characters before displaying them to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however.
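As an added example (not part of this CAPEC entry), the Python below implements Security Control 2, escaping CR, LF and other control characters before a user-supplied value is written to a log, and a detector for the injection described in Exploit technique 1, run over a constructed Apache-style access log. The log lines, timestamps and addresses are made up; the detector flags both the fragments a successful line split leaves behind and a well-formed entry whose request field still carries the encoded CR/LF.

```python
import re
from urllib.parse import unquote

# Apache common/combined format: host ident user [date] "request" status bytes ["ref" "agent"]
LOG_LINE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)'
    r'(?: "([^"]*)" "([^"]*)")?$'
)
ENCODED_CRLF_RE = re.compile(r"%0[aAdD]")


def sanitize_for_log(value: str) -> str:
    """Escape CR, LF and other control characters in a user-supplied value so
    that the written entry can never start a new log line (Security Control 2)."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def find_suspect_lines(log_text: str) -> list:
    """Return (line_number, reason) for lines that do not parse as one entry
    (a CR/LF split leaves a truncated line plus a line with trailing junk) and
    for well-formed entries whose request field carries encoded or raw CR/LF."""
    findings = []
    for num, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE_RE.match(line)
        if m is None:
            findings.append((num, "malformed entry"))
            continue
        request = m.group(5)
        if ENCODED_CRLF_RE.search(request) or any(ord(c) < 0x20 for c in unquote(request)):
            findings.append((num, "CR/LF in request field"))
    return findings


# Constructed sample log: a clean entry, an attempt the server escaped, then the
# two fragments a successful split would leave (mirroring the request in technique 1).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html%0A%0D198.51.100.7 HTTP/1.1" 404 213',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.html',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /forged-path HTTP/1.1" 200 - "-" Mozilla" HTTP/1.1" 404 213',
])
```

Running `find_suspect_lines(SAMPLE_LOG)` reports lines 2, 3 and 4; line 1 is left alone.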
Attack Prerequisites
Target server software must be an HTTP server that performs web logging.

Typical Likelihood of Exploit
Likelihood: Medium

Methods of Attack
Modification of Resources
Time and State
Examples-Instances
Description
Most web servers have a public interface: even if the majority of the site is password protected, there is usually at least a login page and brochureware that is publicly available. HTTP requests to the site are also generally logged to a web log. From an attacker's point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required); when those requests appear in the log (such as http://victimsite/index.html?<malicious script>) and are followed by an administrator, this may be sufficient to probe the administrator's host or local network.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
To input faked entries into web logs.

Resources Required
Ability to send specially formatted HTTP requests to the web server.

Solutions and Mitigations
Design: Use input validation before writing to the web log.
Design: Validate all log data before it is output.
Attack Motivation-Consequences (Scope, Technical Impact, Note):
Integrity: Modify application data.

Injection Vector
Forged log entry delivered through an HTTP request.

Payload
HTTP request

Activation Zone
Web log, log reporting systems

Payload Activation Impact
Description
Log data contains entries designed to mislead administrators and auditors about the chain of events, limiting the ability to conduct forensics and other investigations or responses.