Security flaws in code with veracode tool

Question

i ran my application for security compilance in veracode tool. And whenever the tool find any logging it detected as a flaw in code
And the flaw says below quote

Improper Output Neutralization for Logs

Description

Function call could result in a log forging attack. Writing unsanitized user-supplied data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible.**

In my logs i do print the xml coming from other interface ther is no GUI associated with the application so how i can neutralize this flaw.

Please let me know if this not the right forum to raise this question. Thanks

score 3 · Answer 1 · answered Jul 28 '11 at 00:02

So there are two mains problems with dumping untrusted data into log files.

Firstly, record splitting (similar to HTTP header splitting). The untrusted input puts in a line break (or similar, depending on the format of the log file) followed by completely fake entries.

Secondly, if you view the logs with a web browser with the log text just dumped in, then you are open to XSS attacks. This has, for example, been used to survey which browsers script kiddies are using (Opera was quite popular).

So, treat logs as other formats susceptible to injection attacks (HTML, XML, SQL, HTTP headers, etc). You need to make sure you are adding a whitelist of possible characters. You could write methods to do this and sanitise the input before each log call. Better, is to write a logger which outputs safe text for any input (even if it has special characters, control characters, illegal surrogate pairs, etc).

score 1 · Answer 2 · answered Jul 26 '11 at 13:34

1

The problem appears to be unsanitized user-supplied data. You should clean the incoming data to prevent such things as SQL injection or scripting attacks by replacing significant characters, & -> & and so on.

You should also make it obvious that the log entry contains external, and possibly corrupt or misleading, data. Perhaps something as simple as

String logText = "User " + userID + "supplied: >>" + userData + "<<";

That way it is clear what is yours and what is from the external user.

answered Jul 26 '11 at 13:34

rossum

15,344
1
24
38

Is there any api available to sanitize such type of data? – BOSS Jul 26 '11 at 13:52
Have a look at [this answer](http://stackoverflow.com/questions/761588/how-best-to-sanitize-input-in-java-webapp) – rossum Jul 26 '11 at 15:31
1

So what if the `userData` is "blah<<\npretend-start-of-new-record>>blah`? – Tom Hawtin - tackline Jul 27 '11 at 23:52
I would probably replace <, \, and > with the appropriate equivalents. As long as it made the user input unexecutable. – rossum Jul 28 '11 at 00:55

score 1 · Answer 3 · answered Jul 29 '11 at 10:16

1

This is all good guidance. There are also direct links to flaw specific info from OWASP and other sources in the Triage Flaws view in the Veracode platform.

answered Jul 29 '11 at 10:16

Tim Jarrett

11
1

score 0 · Answer 4 · answered Dec 17 '19 at 13:22

0

we should validate the data which is coming from user, because the user/attacker entered data can have junk characters.

Solution : just pass the user entered data to below library. HtmlUtils.htmlEscape(input)

answered Dec 17 '19 at 13:22

Chaithra S

31
1

From Review: Hi, this post does not seem to provide a [quality answer](https://stackoverflow.com/help/how-to-answer) to the question. Please either edit your answer and improve it, or just post it as a comment to the question/other answer. – sɐunıɔןɐqɐp Dec 17 '19 at 13:41

Security flaws in code with veracode tool

4 Answers4