OWASP/owasp-java-encoder

Method to neutralize data recorded in logs?

katyanton opened this issue · 9 comments

Some libraries (like log4j2) have protections against log forging and XSS which can be enabled via config settings.
Other libraries (log4j v1 and others) don't have this option.

Can any of the existing OWASP Java Encoder functions be used to neutralize data recorded in logs?
If not, is it possible to have a new method, let's say encode#ForLogs(), that will take care of both HTMLEncode and log forging?

Thanks,
Katy

Consider logging to a structured format such as JSON - then standard JSON encoding would be sufficient. Logging to JSON is often a good choice.

Hi @katyanton, The OWASP Security Logging Project includes an encoder for Logback, but for Log4J we recommend using the built-in encoder:

https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging

Hi @augustd - I'm aware of the encoding for Log4J, but this is available only in version 2, not version 1.

Hi @jeremylong - I hear what you're saying and it makes sense.
The corresponding method in OWASP Encoder would be encode#forJavaScriptSource(String).
It would be a bit counter intuitive for a developer to know to use that method though.

Unfortunately Log4J version 1 is somewhat lacking in the extensibility department (most of the classes are actually final). Is that a hard requirement? Ideally you should be moving towards Log4J2 - you will get many more features and better performance. Otherwise feel free to submit a feature request at OWASP Security Logging and we can look into adding an encoder for version 1.

For ESAPI I actually created a whole wrapper for the Log4JLogger which does the encoding, but then you have to use ESAPI's API, not Log4J's.

We politely do not think this library is the right place for logging functions. Please consider the OWASP Logging project for this request!