Log Forging: What It Is And How To Fix It!

Sandeep Tanwani_avatar
Sandeep Tanwani
Aug 25, 2022 | 5 min read

What Is Log Forging?

Log forging (a special category of log injection) refers to the technique of using the system to print fraudulent or fake logs. According to The Open Web Application Security Project (OWASP), log forging is one of the most common attack methods. It entails writing unvalidated user input to log files to allow an attacker to insert malicious content into the logs or forge log entries. An attacker tries to tamper with the record content by exploring the security vulnerabilities of the application. Typically, log forging attacks target specific applications with logging functions like PHP secure log, which provides only limited logging capabilities and does not have any HTTPS protocol support.

While you may be tempted to overlook this threat, log forging attacks can lead to serious repercussions such as identity theft and financial loss if not handled appropriately. Furthermore, the attack can also be used for malicious purposes like manipulating audit logs to conceal illicit activities, etc.

Log Forging Example

Consider a scenario where a user updates pharmacy details from the web. After the application processes this request, an entry with the username is logged:

private final Logger logger = LoggerFactory.getLogger(LogForgingDemo.class);

public void addLog( String username ) {
    logger.info( "Pharmacy details updated successfully by “ + username );
}

public static void main( String[] args ) {
    LogForgingDemo demo = new LogForgingDemo();
    demo.addLog( "Sandeep" );
}

If we look at the console, it will show something like this:

web - 2022-08-12 17:45:29,977 [main] INFO  com.logforging.LogForgingDemo - Pharmacy details updated successfully by Sandeep

Now, suppose an attacker provides the input as “\n\nweb – 2022-08-12 17:52:15,123 [main] INFO [Forged Entry] Pharmacy details updated successfully by Admin”, then the log will be:

web - 2022-08-12 17:52:14,123 [main] INFO com.logforging.LogForgingDemo - Pharmacy details updated successfully by Sandeep
web - 2022-08-12 17:52:15,123 [main] INFO [Forged Entry] Pharmacy details updated successfully by Admin

Intentionally, the attacker has been able to create a forged entry in the application log, which corrupts the value of the logs and confuses any audit-type activities in the future.

This is the basic idea of log forging. An attacker can also impersonate any user just by modifying the username parameter in the request in the above example. There is also a possibility of cross-site scripting (XSS) and other attacks since the logs may be directly rendered in the browser by a web based log application/log viewer. This could give the attacker access to the cookies and other sensitive information of the admin user.

How We Detect Log Forging Vulnerabilities At Medly

At Medly, we have always understood the vulnerabilities of the system and have investigated various risk-mitigation strategies. Currently, we do the following to avoid log forging:

  • We use various automated Static Application Security Testing (SAST) tools such as Snyk, Semgrep, etc., to identify log forging attacks.
  • We perform manual code reviews to verify that no sensitive data (such as PHI) gets stored in the logs. Manual code reviews also help us to ensure that all the user-supplied information is adequately escaped before logging.

Our Recommendations To Fix Log Forging

The risk increases dramatically if your program is open source and susceptible to log forging. An attacker can examine the code to determine the logged user input and how it should be formatted. Based on our study, we recommend the following risk-reduction techniques against log forging.

Log4j

Log4j has built-in mechanisms to help prevent log forging. There is a placeholder called encode that can be used to automatically encode new lines when configuring the log pattern in the log config file.

log4j.appender.stdout.layout.ConversionPattern=%encode{%m}%n

Custom Code to convert CRLF characters:

Java Code Snippet:

	/**
	 * To prevent log injection attacks, replace any carriage returns and line feeds with an underscore.
	 *
	 * @param value
	 *            string to convert
	 * @return converted string
	 */
	public static String replaceCRLFWithUnderscore(String value) {
		return value.replace('\n', '_').replace('\r', '_');
	}
}

Kotlin Code Snippet:

fun String.replaceCRLFWithUnderscore() = this .replace('\n', '_').replace('\r', '_')

Concluding Thoughts

We, at Medly, maintain stringent security standards and keep up with current technology trends to remain protected from security threats like log forging. Manual code reviews and the usage of SAST tools such as Snyk are just a few of the methods Medly employs to combat log forging attacks. Having said that, we continue to adapt and learn about new technologies and methods to keep security risks at bay.

We hope this blog was helpful in understanding log forging, its impact, and possible solutions and will help you avoid this type of attack and protect the integrity of your business data. Stay tuned as we keep bringing to you more interesting tech-related blogs. Alternatively, if you want to learn more about Medly, please visit our website at Medly.com.