How To Test For Log Injection

Testing For Log Injection

If you are not already familiar with the concept of Log Injection, we suggest that you review the article entitled “What Is Log Injection ?“.

You should consider testing for Log Injection in any circumstance that user supplied input is written to log files.  In white-box testing scenarios, you will need to examine application log files.  Log Injection is typically not in-scope during black-box scenarios, unless there is some means by which log files can be examined during testing.

Testing For Log Injection

The following characters (and other representations) are of interest in crafting malicious input for the purposes of forging logs:

Character Meaning
\n Newline
\r Carriage Return
0x08 (octal 8) Backspace

Fuzzing application inputs with these characters embedded within will potentially produce noticeable results in application log file(s).  Sample test strings would include:

value\n\rForged Entry  or &param=value%D%AForged%20Entry

A successful search for the Regular Expression “^Forged Entry$” in the application log files would be indicative of a Log Injection application vulnerability.

For insight into how to avoid or fix LDAP Injection vulnerabilities, please see the article entitled “How To Prevent Log Injection“.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and/or to train your developers and testers. Contact us to learn how to partner with us to protect your enterprise.

Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.