CAPEC-93: Log Injection-Tampering-Forging
This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.
Last updated
Overview
CAPEC-93 (Log Injection-Tampering-Forging) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine Application's Log File Format] The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.
- Determine logging utility being used by application (e.g. log4j)
- Gain access to application's source code to determine log file formats.
- Install or obtain access to instance of application and observe its log file format.
- Step 2Exploit
[Manipulate Log Files] The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.
What the attacker needs
Prerequisites
- The target host is logging the action and data of the user.
- The target host insufficiently protects access to the logs or logging mechanisms.
Skills required
- Low skill: This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.
- Medium skill: A more sophisticated attack can try to defeat the input validation mechanism.
Consequences
What a successful CAPEC-93 attack can achieve.
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-93.
- Carefully control access to physical log files.
- Do not allow tainted data to be written in the log file without prior input validation. An allowlist may be used to properly validate the data.
- Use synchronization to control the flow of execution.
- Use static analysis tools to identify log forging vulnerabilities.
- Avoid viewing logs with tools that may interpret control characters in the file, such as command-line shells.
Examples
Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. See also: CVE-2006-0201
If a user submits the string "twenty-one" for val, the following entry is logged: INFO: Failed to parse val=twenty-one However, if an attacker submits the string twenty-one%0a%0aINFO:+User+logged+out%3dbadguy the following entry is logged: INFO: Failed to parse val=twenty-one INFO: User logged out=badguy Clearly, attackers can use this same mechanism to insert arbitrary log entries.
Frequently asked questions
Common questions about CAPEC-93.
- What is CAPEC-93?
- This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.
- How does a Log Injection-Tampering-Forging attack work?
- It typically unfolds over 2 phases. It begins with: [Determine Application's Log File Format] The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.
- How do you prevent CAPEC-93?
- Carefully control access to physical log files.
- What weaknesses does CAPEC-93 target?
- CAPEC-93 exploits 3 CWE weaknesses, including CWE-75 (Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)), CWE-117 (Improper Output Neutralization for Logs), CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences).
- How severe is CAPEC-93?
- MITRE rates CAPEC-93 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-93
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.