Injection Attacks: Log injection (also called log file injection)

Source: Internet
Author: User
Tags: website, server

Many applications keep logs that authorized users view through an HTML interface. As a result, logs become a prime target for attackers who want to disguise other attacks, mislead whoever reads the logs, or even turn the log monitoring applications used by those readers into the vehicle for a subsequent attack.

Whether log injection is exploitable depends on how much control the attacker has over what gets written to the log, and on whether the log entries are later monitored or parsed. Log data must be treated as an untrusted data source.

A simple logging system may use the file_put_contents() function to write lines of text to a file. For example, a programmer may record failed logins with a string in the following format:

sprintf("Failed login attempt by %s", $username);  

What if an attacker supplies a username of the form "Admin\nSuccessful login by Admin\n"?

If this string from untrusted input is written to the log, the attacker has disguised their own failed login as an innocent failed login by the Admin user, followed by a successful one. Adding a few plausible retries makes the fabricated entries look even more genuine.

The broader point, of course, is that attackers can add arbitrary log entries, inject XSS vectors, or inject characters that corrupt how log entries are rendered on a console.

Purpose of log injection

The target of the injection may also be a log format interpreter. If an analysis tool uses regular expressions to parse log entries and split them into data fields, the injected string can be crafted so that the regular expression matches the injected, redundant fields rather than the correct ones. For example, the following entry may cause problems:

$username = "iamnothacker! at Mon Jan 01 00:00:00 +1000 2009";
$timestamp = date('D M d H:i:s O Y');  // real timestamp, e.g. "Mon Jan 01 00:00:00 +1000 2009"
sprintf("Failed login attempt by %s at %s", $username, $timestamp);

More worryingly, attackers using log injection may try to combine it with a directory traversal attack so that the log is displayed in the browser. If PHP code can be injected into a log message and the log file can then be opened through the browser, the attacker can design and execute a code injection attack at will. It hardly needs saying that if an attacker can execute PHP on the server the problem is serious; at that point your system should have enough defense in depth to minimize the damage.

Defense against log injection

The simplest defense against log injection is to sanitize all outbound log messages against a whitelist of accepted characters. For example, we can restrict all log messages to letters, digits, and spaces. Messages containing characters outside this list may be considered harmful, and a log message about a potential local file inclusion (LFI) attempt can then be recorded to notify you of possible attacker activity. This method is simple and well suited to plain text logs, where untrusted input in messages cannot be avoided.

A second defense is to encode the untrusted part of the message with something like base64, which uses only a limited set of recognized characters while still being able to store a large amount of information as text.
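As an added example (not code from the original article or the PHP Security guide it draws on), a small logger that applies both defenses above to the two malicious usernames shown earlier: the newline-forged entry and the fake-timestamp entry aimed at a regex parser. The function names and the temporary log path are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed log location for this example (a temp file so it runs anywhere).
define('LOG_FILE', sys_get_temp_dir() . '/app-example.log');

// Defense 1: whitelist. Keep only letters, digits and spaces and report
// whether anything had to be stripped, so the caller can flag the event.
function sanitize_for_log(string $value): array
{
    $clean = preg_replace('/[^A-Za-z0-9 ]/', '', $value);
    $tainted = ($clean !== $value);
    return [$clean, $tainted];
}

// Defense 2: base64. The raw value stays reviewable but can no longer carry
// newlines, fake timestamps or markup that a log reader would interpret.
function log_login_failure(string $username): string
{
    [$clean, $tainted] = sanitize_for_log($username);
    $line = sprintf("Failed login attempt by %s at %s", $clean, date('D M d H:i:s O Y'));
    if ($tainted) {
        // Mirrors the article's advice: note a possible injection attempt and
        // keep the original input in a line-safe encoding.
        $line .= sprintf(" [possible log injection attempt, raw input base64: %s]",
                         base64_encode($username));
    }
    file_put_contents(LOG_FILE, $line . "\n", FILE_APPEND | LOCK_EX);
    return $line;
}

// Constructed inputs taken from the article's two examples.
$samples = [
    "Admin\nSuccessful login by Admin\n",
    "iamnothacker! at Mon Jan 01 00:00:00 +1000 2009",
];
foreach ($samples as $username) {
    echo log_login_failure($username), "\n";
}
```

Each call produces exactly one log line regardless of the input, and the suspicious entries are marked so that a parser or analyst can find them.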

Path Traversal (also called directory traversal)

Path Traversal (also called directory traversal) attacks attempt to influence backend operations that read or write web application files by injecting parameters that control the file path those operations use. Such attacks succeed by enabling information disclosure and local/remote file inclusion.

We describe these follow-on attacks separately, but Path Traversal is one of the fundamental vulnerabilities that makes them possible. Although the functions discussed below are specific to file path manipulation, it is worth noting that many PHP functions accept more than a plain file path. For example, PHP's include() and file() functions also accept URIs. This may seem counter-intuitive, but it means the following two calls, both using an absolute file path (that is, not relying on include_path resolution of a relative path), have the same effect:

include('/var/www/vendor/library/Class.php');
include('file:///var/www/vendor/library/Class.php');

The key point is that relative path handling (which falls back to the php.ini settings and include_path that autoloaders rely on) and similar PHP functions are especially vulnerable to many forms of parameter manipulation, including file URI scheme substitution: once untrusted data lands at the start of a file path, an attacker can inject an HTTP or FTP URI. We elaborate on that case under remote file inclusion and continue here with file system Path Traversal.

The various forms of Path Traversal share a common feature: a file path is manipulated so that it points to a different file. This is usually done by injecting a series of ../ (dot-dot-slash) sequences into a parameter that is appended or inserted into a call to include(), require(), file_get_contents() or, in some cases, functions such as DOMDocument::load().

The dot-dot-slash sequence lets an attacker navigate the file system by stepping back to the parent directory. A path such as /var/www/public/../vendor therefore actually points to /var/www/vendor: the ../ after /public steps back to that directory's parent, /var/www. Even from this simple example, an attacker can read files outside the /public directory that the web server exposes.

Of course, Path Traversal is not limited to stepping backwards. Attackers can also inject new path elements to reach subdirectories that are not accessible through a browser, whether because of where the subdirectory sits or because of a "deny from all" directive in the .htaccess of one of its parent directories. PHP file system operations take no account of how Apache or other web servers are configured to restrict access to non-public files and directories.
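As an added example (not code from the original article), a defensive check that confines a user-controlled relative path to a base directory before it reaches include() or file_get_contents(), rejecting both the ../ case above and the file:// scheme substitution mentioned earlier. The function names, base directory and sample inputs are assumptions.

```php
<?php
declare(strict_types=1);

// Lexically normalise a path: drop "." segments and let ".." step up one
// directory, never above "/". Does not touch the file system.
function normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Returns the full path if it stays inside $base, or null if the request
// escapes it or tries to smuggle in a URI scheme.
function resolve_within_base(string $base, string $untrusted): ?string
{
    // include()/file() accept URIs, so refuse anything that looks like "scheme://".
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $untrusted) === 1) {
        return null;
    }
    $base = rtrim(normalize_path($base), '/');
    $full = normalize_path($base . '/' . $untrusted);
    if ($full !== $base && strpos($full, $base . '/') !== 0) {
        return null;
    }
    return $full;
}

// Constructed requests: one legitimate, one traversal, one scheme substitution.
$base = '/var/www/public';
$requests = [
    'css/site.css',
    '../vendor/library/Class.php',
    'file:///var/www/vendor/library/Class.php',
];
foreach ($requests as $req) {
    $resolved = resolve_within_base($base, $req);
    printf("%-42s => %s\n", $req, $resolved ?? 'REJECTED');
}
```

This check is purely lexical; a symlink inside the base directory can still point elsewhere, so pair it with a realpath() comparison once the target file is known to exist.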


Source: Injection Attacks, http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html#log-injection-also-log-file-injection

This article was compiled by OneAPM engineers. OneAPM is an emerging leader in application performance management; it helps enterprise users and developers capture slow program code and SQL statements in real time. For more technical articles, visit the official OneAPM blog.
