[Determine Application Web Server Log File Format] The attacker observes the system and looks for indicators of which logging utility is being used by the web server.
[Determine Injectable Content] The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.
[Manipulate Log Files] The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.
For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters.
Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.
For example: The HTTP request for "/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] "GET /forged-path HTTP/1.1" 200 - "-" USER_AGENT" may add the log line into Apache "access_log" (for example). Different applications may require different encodings of the carriage return and line feed characters.
Weakness Name | |
---|---|
Improper Output Neutralization for Logs The product does not neutralize or incorrectly neutralizes output that is written to logs. |
|
Improper Neutralization of CRLF Sequences ('CRLF Injection') The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
|
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) The product does not adequately filter user-controlled input for special elements with control implications. |
|
Information Loss or Omission The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis. |
|
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. |
|
Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
|
Improper Neutralization of Escape, Meta, or Control Sequences The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. |
|
Incorrect Default Permissions During installation, installed file permissions are set to allow anyone to modify those files. |
|
Incorrect Execution-Assigned Permissions While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user. |
|
Improper Encoding or Escaping of Output The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Name | Organization | Date | Date Release |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation |
Name | Organization | Date | Comment |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
CAPEC Content Team | The MITRE Corporation | Updated Related_Weaknesses | |
CAPEC Content Team | The MITRE Corporation | Updated @Name |