Code Security Series (1): Log Injection

Contents
    • 1. New line injection
    • 2. Separator injection
    • 3. Timestamp injection
    • 4. Abusing word wrap
    • 5. HTML injection
Introduction

After writing a fair amount of code, we find that a program sometimes behaves inexplicably, so we use a logging module to record each step of execution in detail in order to track down and locate the problem. That is probably how most programmers understand logs: tracing and debugging have become their main job. In fact, logs do far more than that. When one day we discover that our system has been hacked and a large amount of user data deleted, the logs we recorded become the best tool for tracking the intruder. If an attacker can tamper with those logs, the consequences are hard to imagine. So although the logging module is small, its security is particularly important.
Some people say that if we use NLog or log4net there will be no security issues. Is that true? By the same logic, using NHibernate would rule out SQL injection. Neither is correct: what matters is whether you use these third-party libraries correctly.
Next we will look at some common log injection tricks.

1. New line injection

As the name implies, this method injects a new line into the log. It is the most common form of log injection. Consider the following C# logging code:

using System.IO;
using System.Text;

static void Log_failed_login(string username)
{
    // Appends one line per failed logon; the username is written unmodified.
    using (var sw = new StreamWriter("test.log", true, Encoding.Unicode))
    {
        sw.WriteLine("Failed Logon for user " + username);
    }
}

The above code does not look problematic. Normally, when user Zhang San fails to log on, the log records:

Failed Logon for user Zhang San

Now assume Zhang San is hostile and enters the following in the username field:

Zhang San\nFailed to delete all files for Li Si\nFailed to remove user Li Si for Li Si

Logs are recorded as follows:

Failed Logon for user Zhang San
Failed to delete all files for Li Si
Failed to remove user Li Si for Li Si

When the administrator sees this log, he will conclude that Li Si tried to delete all the files and then destroy the evidence.

Defense: remove line breaks before logging.

username = username.Replace("\n", "").Replace("\r", "");

The log content then becomes:

Failed Logon for user Zhang San failed to delete all files for Li Si failed to remove user Li Si for Li Si

2. Separator injection

Some people like to use a separator such as "|" or a tab to separate the fields in a log, for example:

| Customer | Amount | Operation |
| Zhang San | 100 | withdraw money |
| Li Si | 800 | save money |

When Zhang San enters the following in the amount field:

10000 | save money |

the log becomes:

| Customer | Amount | Operation |
| Zhang San | 1000 | save money | withdraw money |
| Li Si | 800 | save money |

We notice that the middle record has gained an extra column, which a human administrator would easily spot. But if the log is read automatically by a program, Zhang San may be treated as having deposited money rather than withdrawn it.
Defense: avoid separators where possible, or replace any separator characters in user input before logging.
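One sanitizer for the two attacks in sections 1 and 2, added here as an example (it is not code from the original post). It goes one step further than the post's defense: instead of deleting line breaks it escapes them, along with the field separator and any other control character, so the forged text is still recorded but as visible escapes inside a single entry.

```csharp
using System;
using System.Text;

// Added example (not from the original post): escape, rather than delete, the
// characters that new-line injection and separator injection rely on.
static class LogSanitizer
{
    public static string Sanitize(string input, char separator = '|')
    {
        if (input == null) return "<null>";
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                case '\r': sb.Append("\\r"); break;
                case '\n': sb.Append("\\n"); break;
                case '\t': sb.Append("\\t"); break;
                case '\\': sb.Append("\\\\"); break;   // keep the escapes unambiguous
                default:
                    if (c == separator || char.IsControl(c))
                        sb.AppendFormat("\\u{0:X4}", (int)c);  // e.g. '|' becomes \u007C
                    else
                        sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }
}

class Demo
{
    static void Main()
    {
        // Constructed inputs mirroring the post's two examples.
        string newlineAttack = "Zhang San\nFailed to delete all files for Li Si";
        string separatorAttack = "10000 | save money |";

        // Each call yields exactly one log line, with the payload still legible.
        Console.WriteLine("Failed Logon for user " + LogSanitizer.Sanitize(newlineAttack));
        Console.WriteLine("| Zhang San | " + LogSanitizer.Sanitize(separatorAttack) + " |");
    }
}
```

Because the attempt is preserved rather than dropped, a later scan of the log can still find who tried to inject and what they sent.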

3. Timestamp injection

Generally, the time of each step is recorded when logging, for example:

14:42:30.5781 | error | Failed logon for user Zhang San
14:42:48.3125 | error | Failed logon for user Li Si
Although this format is more complicated than the previous one, a patient attacker can still use new-line injection against it. So how can we effectively stop attackers from faking new log entries? One idea is to add a sequence number to each entry, for example:

16:22:50.4218 | error | 1 | Failed logon for user Zhang San
16:22:50.4218 | error | 2 | Failed logon for user Li Si
16:22:50.4218 | error | 3 | Failed logon for user Wang Wu

In fact this is not safe either, because Zhang San can easily see that the next number is 2. To stop him guessing the next number, we use a pseudo-random generator to produce an ordered sequence: with a fixed random seed, the same series of numbers is generated every time.

using System;

static Random r = new Random(2008);   // fixed seed: the same sequence on every run

static void Nlog_sequence_failed_login(string username)
{
    var logger = NLog.LogManager.GetCurrentClassLogger();
    logger.Error(string.Format("{0} | Failed logon for user {1}", r.Next(1024), username));
}

The numbers in the resulting sequence look random from the outside, but they are actually in a fixed order, so a tool can scan the whole log and pick out forged entries. Of course there are many other ways to handle this kind of injection, such as keeping two log files: the first records the log content and the second records the character length of each entry in the first.
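The scanning tool the post alludes to, written out as an added example (not the author's code). It replays the same seed the post uses (2008) and reports every line whose leading number is not the next value in the sequence; the producer is the post's NLog method reduced to returning plain lines, so the block runs without NLog.

```csharp
using System;
using System.Collections.Generic;

// Added example (not from the original post): seeded-Random numbering plus the
// scanner that detects entries which do not continue the sequence.
static class SequencedLog
{
    const int Seed = 2008;   // as in the post; keep it secret, or users can forge numbers
    // Producer: the post's Nlog_sequence_failed_login, minus NLog, returning the lines.
    public static List<string> Write(IEnumerable<string> usernames)
    {
        var r = new Random(Seed);
        var lines = new List<string>();
        foreach (var u in usernames)
            lines.Add(string.Format("{0} | Failed logon for user {1}", r.Next(1024), u));
        return lines;
    }
    // Scanner: 1-based numbers of the lines that break the sequence. A genuine line
    // consumes the expected value, a forged one does not, so the genuine lines
    // after a forgery still match and only the forgery is reported.
    public static List<int> FindForged(IList<string> lines)
    {
        var r = new Random(Seed);
        var forged = new List<int>();
        int expected = r.Next(1024);
        for (int i = 0; i < lines.Count; i++)
        {
            int sep = lines[i].IndexOf(" | ", StringComparison.Ordinal);
            int actual;
            if (sep > 0 && int.TryParse(lines[i].Substring(0, sep), out actual) && actual == expected)
                expected = r.Next(1024);
            else
                forged.Add(i + 1);
        }
        return forged;
    }
}

class Demo
{
    static void Main()
    {
        // Constructed log: the first username carries the post's newline payload.
        var written = SequencedLog.Write(new[] { "Zhang San\nFailed to delete all files for Li Si", "Li Si", "Wang Wu" });
        string[] onDisk = string.Join("\n", written).Split('\n');   // what a reader of the file sees
        foreach (int n in SequencedLog.FindForged(onDisk))
            Console.WriteLine("suspected forged entry at line " + n);
    }
}
```

The scanner must know where each sequence starts (for instance one seed per log file), and the scheme only holds while the seed stays secret, since anyone who knows it can compute the next number.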

4. Abusing word wrap

When line-feed injection is blocked, another opportunistic trick is to pad the input with spaces or other characters so that the viewer wraps the text automatically. This is easy to understand but hard to pull off perfectly. For example, the following injected log:

Failed Logon for user Zhang San __________________ (automatic line wrap)
Failed to delete all files for Li Si _________ (automatic line wrap)
Failed to remove user Li Si for Li Si

This may look ridiculous, but it easily fools the administrator's eye. So what is the solution?

    1. If you view logs in an editor on Windows, disable automatic word wrap.
    2. On Linux, if the content is displayed in a terminal, process the log content and insert a marker such as [CR] at each automatic line break. (This is not ideal either: if the user input originally contains the [CR] string, it is hard to distinguish user data from the marker. We leave this problem to the reader.)
5. HTML injection

In many cases the log content is read and displayed on a web page. An attacker can then easily inject HTML, much like XSS (cross-site scripting; see the earlier article), for example the following injected log:

<table>
<tr><td>Failed Logon for user </td></tr>
<tr><td>Failed to delete all files Li Si</td></tr></table><script>alert('Hacked!');</script><!-- </td></tr>
<tr><td></td></tr>
</table>

The solution is the same as for XSS: escape dangerous characters such as quotation marks (' and ") and angle brackets (< and >) before the log content is rendered in the page.

Corrections to any mistakes above are welcome. Please credit the source when reprinting. Thank you! http://coderzh.cnblogs.com
