Questions tagged [log-forging]

13 questions
12 votes, 4 answers

Log forging Fortify fix

I am using Fortify SCA to find the security issues in my application (as a university homework). I have encountered some 'Log Forging' issues which I am not able to get rid of. Basically, I log some values that come as user input from a web…
Alina Danila
9 votes, 3 answers

How to avoid CRLF (Carriage Return and Line Feed) in Logback - CWE 117

I'm using Logback and I need to avoid CRLF (Carriage Return and Line Feed) when I log a user parameter. I tried to add my class, which extends ClassicConverter, to the static map PatternLayout.defaultConverterMap, but it didn't work. Thank you,
8 votes, 4 answers

Can't resolve Log Forging Fortify issue

I am having trouble fixing a Log Forging issue in Fortify. The issue, "writes unvalidated user input to the log", is being raised from both of the logging calls in the getLongFromTimestamp() method. public long getLongFromTimestamp(final String…
Brian Redd
3 votes, 2 answers

Fortify Log Forging Issue

We are scanning our .NET application with Fortify and need to provide some information on why the Log Forging issue does not apply to us. In our code we have the following pattern; of course it is not exactly as is, I've captured the essence of what…
N. Kaufman
2 votes, 1 answer

Log forging in Checkmarx scan in Java

How to resolve log forging for Java in a Checkmarx scan? I tried sanitizing the input before putting it in the log file, but it still complains: validate or sanitize the input before logging. Please help me to resolve…
gautham
2 votes, 2 answers

Log forging prevention with logback

How can logback (which uses the pattern layout) be secured against log forging attacks? Is there a configuration property that tells logback to escape certain reserved characters? PS: The ideal solution would be to decorate each converter with…
Svetlin Zarev
1 vote, 0 answers

Checkmarx cannot see the code in a static method

Checkmarx does not understand a static method. String journeyId = request.getHeader("JOURNEY_ID"); journeyId = LogUtils.getUserInputText(journeyId); LOGGER.info("journeyId=" + journeyId); For the code above, Checkmarx always complains there is Log…
Yao Dong
1 vote, 1 answer

Log forging issues in Fortify report

I have generated a Fortify report for my application. The Fortify report shows Log Forging issues in the code below: holDate = ((MaintainHolidayCalenderForm) form).getCALENDER_DATE(); logger.info("This is some description" + holDate +…
navi1401
0 votes, 2 answers

How to resolve security audit finding "log injection" in a Java Spring Boot application

I am trying to get the exception details by logging them using Lombok's extern Slf4j. But I found an issue in a Coverity scan as below. This is a security audit finding. CID 227846 (#1 of 1): Log injection (LOG_INJECTION). A tainted string ex is stored in…
Sripada A
0 votes, 1 answer

Escape HTML in logback

We have a Spring project using Logback with SLF4J. I have been working on building Log Forging prevention in our project. I have used owasp.security-logging-logback to replace CRLF characters in the log. pattern: %d ${LOG_LEVEL_PATTERN:-%5p}…
0 votes, 3 answers

Fortify SCA scan reports Log Forging issue while reading environment variables

I used System.getenv("envVariableName") and it gave me a Log Forging issue. I even tried encoding the returned String using the ESAPI encoder, but it didn't help. My code snippet: String envValue = encode(System.getenv("envVariableName")); String…
0 votes, 0 answers

Log Forging in C#

Our product has gone through security testing. They have given some references from the code for Log Forging. One of those is: DataRow dr = new DataRow(); var data=Convert.ToString(dataRow["ColumnName"]); // <-- I have Googled, but got that if any…
Jumbo
0 votes, 1 answer

Log forging with the request object

I am dealing with the log forging issue for this code: log.error("Request: " + req.getRequestURL() + " raised " + exception); This element's value (req.getRequestURL()) flows through the code without being properly sanitized or validated, and is…
AKS