Name Web Server Logs Tampering
Summary Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web server logs, typically to mask other malicious behavior. Writing malicious data into log files may also target jobs, filters, reports, and other agents that process the logs later, in an asynchronous attack pattern. This pattern is similar to "Log Injection-Tampering-Forging" except that here the target is the web server's own logs (for example Apache's "access_log" and "error_log"), not the application's logs.
Prerequisites Target server software must be an HTTP server that performs web logging.
Execution Flow
Step Phase Description Techniques
1 Explore [Determine Application Web Server Log File Format] The attacker observes the system and looks for indicators of which web server, logging facility and log format are in use.
  • Determine the web server and its logging mechanism (e.g. Apache mod_log_config writing Common or Combined Log Format, or an application-level logging library such as log4j where the application itself writes request logs). This is only possible if the server or application is known to the attacker, is identified by banners such as the Server response header or default error pages, or returns error messages that reveal logging details.
2 Experiment [Determine Injectable Content] The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.
  • Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, headers, etc., and checks (where the logs or their downstream effects are observable) whether control characters such as CR and LF survive into the log unescaped.
3 Exploit [Manipulate Log Files] The attacker alters the log contents either directly, through manipulation or forging, or indirectly, through injection of a specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to cover the traces of the previous attack.
  • Indirectly through injection, use carriage return and/or line feed characters to terminate the current log line, then append a fake entry. For example, the HTTP request for "/index.html%0D%0AIP_ADDRESS - - [DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" "USER_AGENT"" may add a forged line to Apache's "access_log" (for example). Different servers and applications may require different encodings of the carriage return and line feed characters. Note that current Apache and nginx releases escape non-printable characters in logged request lines and headers, so this step usually succeeds only where a custom or application-side logger writes decoded input without neutralizing it (CWE-117), or where a downstream log processor decodes the entry.
  • Directly through log file or database manipulation, modify or delete existing log entries, or append forged ones. This requires write access to the log storage, typically gained through the earlier compromise or through overly permissive log file permissions (CWE-276, CWE-279).
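The following is an added example, not code from the CAPEC entry, that walks through the injection in Step 3 and the neutralization the Solutions call for. It contains a toy Apache-style access logger that URL-decodes the request path and writes it verbatim (the defect), the same logger with CR/LF and quote characters escaped in the style of Apache's ap_escape_logitem, and a strict Combined Log Format parser that flags the two malformed lines a successful injection leaves behind: the truncated real entry and the forged entry, which still carries the tail of the real one after its user-agent field. Names such as log_vulnerable, log_hardened, neutralize, parse_clf, audit and demo, the IP addresses and the request line are all constructed for the example; a real Apache logs the raw, undecoded request line and has escaped control characters since 2.0.46.

```python
"""Added example (not from the CAPEC entry): toy access loggers with and
without CRLF neutralization, and a strict log parser that flags split or
forged entries. All sample data below is constructed, not captured."""
import re
from urllib.parse import unquote

# Constructed sample data.
CLIENT_IP = "198.51.100.7"
DATE = "10/Oct/2000:13:55:36 -0700"
UA = "Mozilla/5.0"
# Step 3's payload: CR LF (%0D%0A) followed by a complete fake entry.
MALICIOUS_PATH = (
    "/index.html%0D%0A203.0.113.9 - - [10/Oct/2000:13:55:36 -0700] "
    '"GET /forged-path HTTP/1.1" 200 - "-" "curl/7.0"'
)


def neutralize(field: str) -> str:
    """Escape a log field in the style of Apache's ap_escape_logitem:
    C0 control characters and DEL become \\xhh; quote and backslash
    get a leading backslash."""
    out = []
    for ch in field:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        elif ch in '"\\':
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def log_vulnerable(ip, date, path, status, size, ua) -> str:
    """Hypothetical defective logger: decodes the path and writes it verbatim,
    so %0D%0A in the URL ends the real entry and starts a fake one."""
    return f'{ip} - - [{date}] "GET {unquote(path)} HTTP/1.1" {status} {size} "-" "{ua}"\n'


def log_hardened(ip, date, path, status, size, ua) -> str:
    """Same logger with every attacker-influenced field neutralized (CWE-117)."""
    request = neutralize(f"GET {unquote(path)} HTTP/1.1")
    return f'{ip} - - [{date}] "{request}" {status} {size} "-" "{neutralize(ua)}"\n'


# Strict Combined Log Format: quoted fields admit only backslash escapes, and
# the line must end immediately after the user-agent field.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"\\]*(?:\\.[^"\\]*)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"\\]*(?:\\.[^"\\]*)*)" '
    r'"(?P<ua>[^"\\]*(?:\\.[^"\\]*)*)"$'
)


def parse_clf(line: str):
    """Return the parsed fields, or None when the line is not well-formed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text: str):
    """Return (line number, line) for every line that does not parse. An
    injected newline leaves two: the truncated real entry and the fake one,
    which still ends with the tail of the real entry."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if parse_clf(line) is None]


def demo():
    """Run the malicious request through both loggers."""
    args = (CLIENT_IP, DATE, MALICIOUS_PATH, 200, 1234, UA)
    return log_vulnerable(*args), log_hardened(*args)


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable logger wrote", vuln.count("\n"), "lines; bad:", audit(vuln))
    print("hardened logger wrote", hard.count("\n"), "line; bad:", audit(hard))
```

The forged line produced by the vulnerable logger starts with the attacker's chosen IP and would satisfy a lenient grep or regex for the forged path; the strict parser still catches it because the real entry's trailing fields follow its user-agent. With the hardened logger the same request yields one parseable entry whose request field contains the literal "\x0d\x0a" escape sequence, which is itself a useful detection signal.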
Solutions
Design: Use input validation before writing to the web log; neutralize carriage return, line feed and other non-printable characters (for example by escaping them as \xhh sequences) in every attacker-influenced field before it is written (CWE-93, CWE-117).
Design: Validate and encode all log data before it is output, so that log viewers, reports and other consumers do not interpret injected content (CWE-116).
Configuration: Restrict write access to log files and log storage to the logging process itself, and avoid permissive default or execution-assigned permissions on logs (CWE-276, CWE-279).
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-116 Improper Encoding or Escaping of Output
CWE-117 Improper Output Neutralization for Logs
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences
CWE-221 Information Loss or Omission
CWE-276 Incorrect Default Permissions
CWE-279 Incorrect Execution-Assigned Permissions
Related CAPECS
CAPEC ID Description
CAPEC-268 Audit Log Manipulation: The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.