1. Overview
In this quick article, we'll explore one of the most common security issues in the JVM world: log forging. We'll also show an example technique that can protect us from this security concern.
2. What Is Log Forging?
2.什么是日志锻造?
According to OWASP, log forging is one of the most common attack techniques.
Log forging vulnerabilities occur when data enters an application from an untrusted source or the data is written to an application/system log file by some external entity.
As per the OWASP guidelines, log forging (or log injection) is the technique of writing unvalidated user input to log files, which allows an attacker to forge log entries or inject malicious content into the logs.
Simply put, in log forging an attacker tries to add or modify record content by exploiting security loopholes in the application.
3. Example
Consider an example where a user submits a payment request from the web. At the application level, once this request has been processed, one entry containing the amount will be logged:
```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class LogForgingDemo {

    private final Logger logger = LoggerFactory.getLogger(LogForgingDemo.class);

    // The amount is written to the log exactly as received, without any sanitisation
    public void addLog(String amount) {
        logger.info("Amount credited = {}", amount);
    }

    public static void main(String[] args) {
        LogForgingDemo demo = new LogForgingDemo();
        demo.addLog("300");
    }
}
```
If we look at the console, we will see something like this:
```
web - 2017-04-12 17:45:29,978 [main] INFO com.baeldung.logforging.LogForgingDemo - Amount credited = 300
```
Now, suppose an attacker provides the input “\n\nweb – 2017-04-12 17:47:08,957 [main] INFO Amount reversed successfully”. The log will then be:
```
web - 2017-04-12 17:52:14,124 [main] INFO com.baeldung.logforging.LogForgingDemo - Amount credited = 300

web - 2017-04-12 17:47:08,957 [main] INFO Amount reversed successfully
```
The attacker has deliberately created a forged entry in the application log, which corrupts the value of the logs and confuses any future audit activity. This is the essence of log forging.
4. Prevention
The most obvious solution is not to write any user input into log files.
But that might not be possible in all circumstances, since the user-supplied data is often necessary for debugging or for auditing the application's activity later.
We have to use some other alternative for tackling this kind of scenario.
4.1. Introduce Validation
One of the easiest solutions is to always validate the input before logging it. One problem with this approach is that we will have to validate a lot of data at runtime, which will impact the overall system performance.
Also, if the validation fails, the data will not be logged and will be lost forever, which is often not an acceptable outcome.
4.2. Database Logging
Another option is to log the data into a database. That is more secure than the previous approach, since ‘\n’ (a newline) means nothing in this context. However, this raises another performance concern, since a massive number of database connections will be used for logging user data.
What's more, this technique introduces another security vulnerability, namely SQL injection. To tackle this, we might end up writing many extra lines of code.
4.3. ESAPI
Using ESAPI is the most common and advisable technique in this context. Here, every piece of user data is encoded before it is written to the logs. ESAPI is an open-source API available from OWASP:
```xml
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.5.0.0</version>
</dependency>
```
It’s available in the Central Maven Repository.
We can encode the data using ESAPI‘s Encoder interface:
```java
import org.owasp.esapi.ESAPI;

public String encode(String message) {
    // Neutralise the characters that would let one input span several log lines
    message = message.replace('\n', '_').replace('\r', '_').replace('\t', '_');
    // HTML-encode the rest, so the entry is also safe in a browser-based log viewer
    message = ESAPI.encoder().encodeForHTML(message);
    return message;
}
```
Here, we have created a wrapper method which replaces all carriage returns, line feeds and tabs with underscores and then HTML-encodes the modified message.
In the earlier example, if we encode the message using this wrapper function, the log should look something like this:
```
web - 2017-04-12 18:15:58,528 [main] INFO com.baeldung.logforging.LogForgingDemo - Amount credited = 300
__web - 2017-04-12 17:47:08,957 [main] INFO Amount reversed successfully
```
Here, the corrupted string fragment is encoded and can be easily identified.
One important point to note is that to use ESAPI we need to include the ESAPI.properties file on the classpath; otherwise the ESAPI API will throw an exception at runtime. It's available here.
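As an added, self-contained variant of the sanitising wrapper (not the article's code and not part of ESAPI), the class below uses only the JDK and SLF4J. It goes a step further than the wrapper above: it neutralises every ASCII control character rather than only CR, LF and tab, and when the raw value contained one it records the attempt as a separate warning so that a reviewer can spot it in the audit trail. The class name `SafeLogDemo` and the helper names are assumptions.

```java
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SafeLogDemo {

    private static final Logger logger = LoggerFactory.getLogger(SafeLogDemo.class);

    // \p{Cntrl} is [\x00-\x1F\x7F]: CR, LF and tab plus every other ASCII control character.
    // The article's wrapper only handles the first three; this is a deliberate generalisation.
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    /** Replaces anything that could start a new log line or reshape the current one. */
    static String sanitize(String input) {
        if (input == null) {
            return "null";
        }
        return CONTROL_CHARS.matcher(input).replaceAll("_");
    }

    /** True when the raw input contained a character that sanitize() had to change. */
    static boolean looksForged(String input) {
        return input != null && CONTROL_CHARS.matcher(input).find();
    }

    public void addLog(String amount) {
        String safe = sanitize(amount);
        if (looksForged(amount)) {
            // Record the attempt itself as a security event, using only the sanitised value
            logger.warn("Log-forging attempt neutralised, sanitised value = {}", safe);
        }
        logger.info("Amount credited = {}", safe);
    }

    public static void main(String[] args) {
        SafeLogDemo demo = new SafeLogDemo();
        demo.addLog("300");
        // Constructed input reproducing the forged entry shown earlier in the article
        demo.addLog("\n\nweb - 2017-04-12 17:47:08,957 [main] INFO Amount reversed successfully");
    }
}
```

As a defence in depth, Logback's PatternLayout can apply the same neutralisation at the appender level with `%replace(%msg){'[\r\n\t]', '_'}`, which also covers messages written from code paths that bypass the wrapper.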
5. Conclusion
In this quick tutorial, we learned about log forging and techniques to overcome this security concern.
As always, the full source code is available over on GitHub.