Exercise 34: Exploiting Log File Injection Vulnerabilities

Jun 22, 2025

Objective: Learn to exploit log file injection vulnerabilities in web applications to execute malicious code or bypass authentication, and understand how to prevent such attacks.


Scenario: Log file injection vulnerabilities occur when user input is directly logged without proper sanitization. Attackers can inject malicious payloads into log files, potentially leading to code execution or bypassing authentication mechanisms. Your task is to identify and exploit such vulnerabilities and secure the application against them.


Lab Setup

  1. Environment:
    • A web application with a logging feature.
    • Logs stored in a directory accessible to the web server.
  2. Tools Required:
    • A web browser or curl for testing.
    • Access to the web application’s log files (directly or via vulnerabilities).

Lab Steps

Step 1: Identify Log File Injection Vulnerabilities

  1. Test the web application for user input that gets logged:
    • Login forms, search boxes, or contact forms are common targets.
    • Example input: ; rm -rf /; <?php system('whoami'); ?>
  2. Monitor the server logs to verify if the input is recorded:
       sudo tail -f /var/log/app.log

Step 2: Inject Malicious Payload

  1. Inject a command payload through user input: ' OR 1=1; -- ; ls -al /etc;
  2. Access the log file via the application (if exposed): http://<target_ip>/logs/app.log
  3. Check if the injected payload is visible in the logs.

Step 3: Execute Injected Code

  1. If the application dynamically includes log files, attempt to execute injected code: <?php system('whoami'); ?>
  2. Access the vulnerable endpoint to trigger execution: http://<target_ip>/logs/app.log
  3. Verify command execution output (e.g., username or directory listing).

Step 4: Exploit for Authentication Bypass

  1. Inject SQL commands to bypass authentication: ' OR '1'='1'; --
  2. Test login functionality to confirm unauthorized access.

Solution

Explanation:

  • Log file injection occurs when unsanitized input is logged directly, leading to potential code execution or manipulation of the application’s logic.
  • Attackers can exploit such vulnerabilities to execute commands, access sensitive data, or escalate privileges.

Prevention:

  1. Input Validation:
    • Validate all user input to ensure it conforms to expected formats.
        // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
        $input = filter_var($user_input, FILTER_SANITIZE_STRING);
  2. Output Encoding:
    • Encode potentially dangerous characters before logging:
        $log_data = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
  3. Restrict Log File Access:
    • Ensure log files are not accessible via the web server.
        chmod 640 /var/log/app.log
        chown root:appgroup /var/log/app.log
  4. Sanitize Log Data:
    • Avoid logging sensitive or executable content.
  5. Monitor Logs for Anomalies:
    • Use tools to detect unusual patterns in log files.
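
The encoding and sanitizing steps above combined into one logging helper, as an added example that is not part of the original exercise or the lab application. The names log_safe and write_log, the log line layout and the sample inputs are assumptions made for illustration; the helper also escapes control characters such as line breaks, which htmlspecialchars alone leaves untouched.

```php
<?php
declare(strict_types=1);

// Added example, not the lab application's code.
// log_safe() and write_log() are hypothetical helper names.

function log_safe(string $value, int $maxLen = 256): string
{
    // Bound the size so a single request cannot flood the log.
    $value = substr($value, 0, $maxLen);

    // Double existing backslashes so the \xNN escapes below stay unambiguous.
    $value = str_replace('\\', '\\\\', $value);

    // Show control characters (CR, LF, NUL, ESC, ...) as \xNN so that a
    // user-supplied value can never start a new log line.
    $value = preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        static fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $value
    ) ?? '';

    // Encode <, >, & and quotes so a PHP open tag is stored as "&lt;" text
    // and stays inert if the log is ever included or rendered.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function write_log(string $file, string $event, string $userValue): void
{
    // $event is chosen by the application; only $userValue is untrusted.
    $line = sprintf("%s %s input=\"%s\"\n", date('c'), $event, log_safe($userValue));
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// Constructed sample inputs: the PHP payload from the lab steps and a
// value containing a line break.
$log = tempnam(sys_get_temp_dir(), 'applog');
write_log($log, 'search', "<?php system('whoami'); ?>");
write_log($log, 'login_failed', "guest\nsecond line");

// Each request produces exactly one line, with the payload stored as text.
echo file_get_contents($log);
unlink($log);
```

Run it with the PHP CLI (7.4 or later) and compare the two output lines with what the unsanitized input would have written.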

Testing and Verification

  1. Test the application with malicious inputs to confirm they are sanitized before logging.
  2. Verify that log files are inaccessible through the web application.
  3. Confirm that injected payloads are not executed or stored.

Reflection

This exercise highlights the risks of log file injection vulnerabilities and how they can lead to severe consequences such as code execution or privilege escalation. By implementing proper input validation, sanitization, and access controls, you can effectively secure applications against these attacks.
