0

I am dealing with the log forging issue for the code :

log.error("Request: " + req.getRequestURL() + " raised " + exception);

This element’s value (req.getRequestURL()) flows through the code without being properly sanitized or validated, and is eventually used in writing an audit log in handleError

I tried to remove the \n\r characters but with no success.

I have gone through different sites searching for the same but did not find the helpful content. Can anyone please explain the solution for this or a small guide to fix it.

Thanks

Svetlin Zarev
  • 14,713
  • 4
  • 53
  • 82
AKS
  • 700
  • 6
  • 7
  • How did you try to remove the \n\r characters? – Kayaman Dec 10 '14 at 09:52
  • req.getRequestURL() is returning StringBuffer so first converted into the string and then called replace() method on it. String sb = req.getRequestURL().toString(); sb = sb.replace("\n\r", "") ; – AKS Dec 10 '14 at 10:51
  • Are you forgetting URL encoding? – Kayaman Dec 10 '14 at 11:33
  • Hi Kayaman Do u mean : URLEncoder.encode(sb) ; I had searched for this and referd the site http://www.mkyong.com/java/how-to-encode-a-url-string-or-form-parameter-in-java/ but that code was rejected by my higher member :( :( – AKS Dec 10 '14 at 13:10

1 Answers1

1

Use ESAPI library to protect log forging attack. Refer to http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/ for code reference.

String clean = message.replace( '\n', '_' ).replace( '\r', '_' );
if ( ESAPI.securityConfiguration().getLogEncodingRequired() ) {
    clean = ESAPI.encoder().encodeForHTML(message);
    if (!message.equals(clean)) {
        clean += " (Encoded)";
    }
}
LONGHORN007
  • 526
  • 9
  • 24