AttackFlow Findings Dictionary


Credential Exposure Log Files

Attackers can recover user or service account credentials from the application's log files.

Severity: High

Fix Cost: Low

Trust Level: Low

Logging is an important aspect of programming. Log entries produced at runtime help developers analyze bugs quickly without much effort. Additionally, operations teams can recognize abnormal behavior by analyzing the log entries.

Although protecting the privacy of log files may seem unnecessary at first, they contain sensitive information, especially if no masking was performed when logging.

The code that produces a log entry may look like the following:

var pass = Request["pass"];
// Vulnerable: the plaintext password is concatenated into the log entry.
logger.warn("Failed authentication for: " + Request["uname"] + "-" + pass);

Here, the developer produces a warning log entry when authentication fails for a user, for example because a wrong password was provided. As you can see, the password is logged along with the username. If these log files are ever handed to a third-party team for bug-fix analysis, the plaintext passwords are exposed as well.

The same pattern in Java:

String uname = request.getParameter("uname");
String pass = request.getParameter("pass");
// Vulnerable: the plaintext password is concatenated into the warning entry.
logger.warn("Failed authentication for: " + uname + " - " + pass);
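The hardened form of the entry above, as an added example that is not AttackFlow's own code: the failure is logged with the username only, and a small redaction helper (the class name, the key list and the sample parameter values are assumptions) masks sensitive parameters in case request data is ever dumped wholesale for debugging.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Added example (not AttackFlow's code): the authentication-failure log entry
 * from the page, rewritten so the password never reaches the log, plus a
 * redaction helper for the case where request parameters are logged wholesale.
 */
public class SafeAuthLogging {
    private static final Logger logger = Logger.getLogger(SafeAuthLogging.class.getName());

    // Assumed list of parameter names whose values must never appear in a log entry.
    private static final Set<String> SENSITIVE_KEYS =
            Set.of("pass", "password", "pwd", "token", "secret", "authorization");

    /** Hardened version of the page's snippet: log who failed, not what they typed. */
    public static String failedAuthMessage(String uname) {
        // Strip line breaks so a crafted username cannot forge extra log lines.
        String safeUser = uname == null ? "<null>" : uname.replaceAll("[\\r\\n]", "_");
        return "Failed authentication for: " + safeUser;
    }

    /** Returns a copy of the parameters with sensitive values replaced by a mask. */
    public static Map<String, String> redact(Map<String, String> params) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            String key = e.getKey();
            boolean sensitive = SENSITIVE_KEYS.contains(key.toLowerCase());
            out.put(key, sensitive ? "****" : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for request.getParameter(...) values.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("uname", "alice");
        params.put("pass", "hunter2");

        logger.warning(failedAuthMessage(params.get("uname")));
        // Even if the whole parameter map is dumped for debugging, the password is masked.
        logger.fine("Request parameters: " + redact(params));
    }
}
```

The password value is never passed to the logger at all; the redaction helper is a second line of defence for diagnostic dumps, not a substitute for leaving secrets out of log calls.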
