CAPEC-81 - Web Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.


  • Attack Methods (2)
      • Modification of Resources
      • Time and State
  • Purposes (1)
      • Obfuscation
  • Scopes (1)
      • Modify application data
      • Integrity

Skill level required: Low (to input faked entries into web logs)

Target server software must be an HTTP server that performs web logging.

Ability to send specially formatted HTTP requests to the web server.

Step 1 - Determine Application Web Server Log File Format

The attacker observes the system and looks for indicators of which logging utility is being used by the web server.

Technique ID: 1 - Environment(s): env-Web

Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.

Outcome ID: 1

Type: Success

Attacker determines log file format used by application web server.

Outcome ID: 2

Type: Inconclusive

Attacker cannot conclusively determine log file format; he/she can only guess what the format is.



Step 2 - Determine Injectable Content

The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.

Technique ID: 1 - Environment(s): env-Web

Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.

Outcome ID: 1

Type: Success

Attacker observes content successfully injected into web logs.

Outcome ID: 2

Type: Inconclusive

Attacker lacks capability to observe if content was successfully injected into web logs.



Step 3 - Manipulate Log Files

The attacker alters the log contents either directly, through manipulation or forging, or indirectly, through injection of specially crafted requests that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.

Technique ID: 1 - Environment(s): env-Web

Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.

Technique ID: 2 - Environment(s): env-Web

Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.

Technique ID: 3 - Environment(s): env-Web

Directly through log file or database manipulation, modify existing log entries.

Security Control ID: 1

Type: Preventative

Input validation to ensure that only legal characters supplied by users can be entered into log files.

Security Control ID: 2

Type: Preventative

Encode information from user such that any unexpected characters are encoded safely before they are entered into log files.

Security Control ID: 3

Type: Preventative

Post-processing of log files to remove or encode dangerous characters before displaying to a user may help in some cases. It will not help remove fake log entries entered using carriage return and line feed characters, however.


Outcome ID: 1

Type: Success

Forged entry or other malicious data inserted into application's logs.

Outcome ID: 2

Type: Failure

No entry inserted into logs, or the entry is visibly distinguishable from real entries.



Design: Use input validation before writing to web log

Design: Validate all log data before it is output
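The following is an added example, not part of the CAPEC entry, illustrating security controls 2 and 3 and the two design mitigations above. It writes a Common Log Format style access line twice: once with user-controlled fields copied verbatim (the vulnerable "before"), and once with every user-controlled field encoded so that CR, LF, other control bytes, non-ASCII bytes, backslashes and double quotes can never terminate the physical line or close the quoted field. It then parses both results with a format-matching regex to show why post-processing cannot tell a forged entry apart from a real one, while encoding at write time keeps the whole injection inside a single entry. The log line layout, the field names and the User-Agent value are constructed for this example; the client address and timestamp are assumed to come from the server itself rather than from the request.

```python
import re

def encode_log_field(value: str) -> str:
    """Escape a user-controlled value before it is written to a log.

    Works byte-wise on the UTF-8 encoding, in the spirit of Apache's own
    \\xhh escaping: printable ASCII passes through, '"' and '\\' are
    backslash-escaped so they cannot close or confuse a quoted field, and
    everything else (CR, LF, NUL, other control bytes, non-ASCII) becomes
    a visible \\xhh token. The result contains no raw line terminators.
    """
    out = []
    for b in value.encode("utf-8"):
        if b == 0x22:                  # double quote
            out.append('\\"')
        elif b == 0x5C:                # backslash
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E:        # printable ASCII
            out.append(chr(b))
        else:                          # CR, LF, other control or non-ASCII
            out.append("\\x%02x" % b)
    return "".join(out)

def naive_log_line(client, when, method, path, status, size, user_agent):
    """Vulnerable 'before': request-derived fields are written verbatim."""
    return (f'{client} - - [{when}] "{method} {path} HTTP/1.1" '
            f'{status} {size} "{user_agent}"')

def safe_log_line(client, when, method, path, status, size, user_agent):
    """Hardened 'after': every request-derived field is encoded first.

    client and when are server-derived (socket address, server clock) and
    are assumed trustworthy here; status and size are integers.
    """
    return (f'{client} - - [{when}] '
            f'"{encode_log_field(method)} {encode_log_field(path)} HTTP/1.1" '
            f'{int(status)} {int(size)} "{encode_log_field(user_agent)}"')

# Regex a log consumer (report, filter, SIEM parser) might use to pick out
# well-formed entries from the raw file.
_ENTRY = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<ua>.*)"$'
)

def parse_entries(raw: str) -> list[dict]:
    """Return every physical line of `raw` that looks like a valid entry."""
    return [m.groupdict() for m in map(_ENTRY.match, raw.splitlines()) if m]

# Constructed User-Agent header: a real-looking value, then CRLF, then a
# complete forged entry attributing a request to another address. The
# forged entry deliberately omits its final quote so that the logger's
# own closing quote completes it.
FORGED_UA = ('Mozilla/5.0"\r\n'
             '10.0.0.9 - - [01/Jan/2024:00:00:00 +0000] '
             '"GET /login HTTP/1.1" 200 17 "curl/8.0')

def demo():
    """Log the same request both ways and parse the output of each."""
    args = ("203.0.113.5", "10/Oct/2024:13:55:36 +0000",
            "GET", "/index.html", 200, 512, FORGED_UA)
    naive_entries = parse_entries(naive_log_line(*args))
    safe_entries = parse_entries(safe_log_line(*args))
    return naive_entries, safe_entries

if __name__ == "__main__":
    naive, safe = demo()
    print(f"verbatim write : {len(naive)} well-formed entries")
    for e in naive:
        print("   client", e["client"], "->", e["request"])
    print(f"encoded write  : {len(safe)} well-formed entry")
    print("   user-agent stored as:", safe[0]["ua"])
```

Run stand-alone, the verbatim write yields two entries that both pass the consumer's format check, the second claiming a request from 10.0.0.9; nothing downstream can distinguish it from a genuine line, which is the limitation control 3 describes. The encoded write yields exactly one entry whose User-Agent field visibly contains `\x0d\x0a` and the escaped forged text, so the attempt is both neutralised and preserved as evidence. Control 1 (allowlist validation) would instead reject the request outright; that is the better choice for fields with a known vocabulary such as the HTTP method, while encoding suits free-form headers that must still be recorded.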