CRLF Injection in Logs
Description
When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content. Inserted false entries could be used to skew statistics, distract the administrator or even to implicate another party in the commission of a malicious act. If the log file is processed automatically, the attacker can render the file unusable by corrupting the format of the file or injecting unexpected characters. An attacker may also inject code or other commands into the log file and take advantage of a vulnerability in the log processing utility (e.g. command injection or XSS).
Examples
Insecure Code

```java
logger.log("User input: " + request.getParameter("input"));
```

Secure Code

```java
logger.log("User input: " + org.owasp.encoder.Encode.forUriComponent(request.getParameter("input")));
```

Remediation
Neutralize CRLF sequences in user input before logging it. Use a logging library that automatically escapes special characters or use a function like org.owasp.encoder.Encode.forUriComponent to encode user input.
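The following is an added, self-contained example (not the rule's own code and not the OWASP encoder) showing how a constructed value containing CRLF forges a second entry in a line-oriented log, and how escaping the control characters before logging keeps the untrusted text on one line. The `neutralize` method is an illustrative alternative to `Encode.forUriComponent`; the payload and timestamp are constructed sample data.

```java
// Added example: a self-contained log neutralizer (not the rule's own code).
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class LogNeutralizer {
    // Replace CR, LF, TAB and any other control character with a visible
    // escape so untrusted text can never start a new line in the log.
    static String neutralize(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    // Constructed untrusted input: terminates the real entry and fakes a second one.
    static final String PAYLOAD =
        "alice\r\n2024-01-01 00:00:00 INFO User admin logged in";

    // Mimics a line-oriented log sink: one appended entry should yield one line.
    static List<String> lines(String entry) {
        return new ArrayList<>(Arrays.asList(entry.split("\r\n|\r|\n")));
    }

    public static void main(String[] args) {
        String insecure = "User input: " + PAYLOAD;
        String secure = "User input: " + neutralize(PAYLOAD);
        // The raw entry splits into two lines; the second looks like a genuine record.
        System.out.println("insecure -> " + lines(insecure).size() + " line(s)");
        // The neutralized entry stays on a single line with the escapes visible.
        System.out.println("secure   -> " + lines(secure).size() + " line(s): " + secure);
    }
}
```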
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0041 |
| Category | Logging |
| Severity | HIGH |
| CWE | CWE-93 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | crlf injection, logging vulnerability |
| OWASP | N/A |