2. The application doesn’t log
security-related information
or simply doesn’t log anything
at all. The opposite can
happen as well: an application
logs confidential information.
What could happen?
Security-related incidents cannot be
properly investigated due to a lack of
evidence. In case confidential data is
logged, an attacker could get a hold of it.
How to implement it?
Use a logging framework to log
all interesting events in
appropriate detail with the
necessary variables. Restrict
access to authorized individuals.
What’s the concept
about?
3. An application uses a logging
mechanism that stores
information about
authentication events.
Suspicious events are being
actively monitored.
The login attempts are being logged.
Since the logs are being monitored,
the administrator is made aware of
the attack on his account.
Using detailed information
of the log file, the incident
response team is able to
get more information about
the attacker and his attack.
An attacker wants to crack the
password of the admin account.
He performs a series of login
attempts using a password list.
123456
password
qwerty
12345678
abc123
…
passwords.txt
Logging authentication
events
Logging
Understanding the concept
Web application
Event: [Login Failed (1)] User: admin, IP: 123.123.123.123
Event: [Login Failed (2)] User: admin, IP: 123.123.123.123
Event: [Login Failed (3)] User: admin, IP: 123.123.123.123
Event: [Login Failed (4)] User: admin, IP: 123.123.123.123
…
EventLog.logadmin
*********
Password
Login
4. An application without logging
mechanism that stores
information about
authentication events, such as
successful or failed logins.
Because no lockout mechanism
exists, the attacker can try all
possible passwords from the list. No
login attempt is being logged.
The admin does not realize
his account is being
attacked and compromised.
If he discovers the account
takeover, he has no way of
analyzing the attack.
An attacker wants to crack the
password of the admin account.
He performs a series of login
attempts using a password list.
123456
password
qwerty
12345678
abc123
…
passwords.txt
Missing authentication
logging
Logging
What could happen with the concept?
Web application
Event: [Login Failed (1)] User: admin, IP: 123.123.123.123
Event: [Login Failed (2)] User: admin, IP: 123.123.123.123
Event: [Login Failed (3)] User: admin, IP: 123.123.123.123
Event: [Login Failed (4)] User: admin, IP: 123.123.123.123
…
EventLog.logadmin
*********
Password
Login
5. …
Event: [Successful login] User: John, Password: *********
…
EventLog.log
A web application logs all
relevant activity of its users.
By exploiting a vulnerability of
the site, an attacker is able to
access the log file of the
application.
Because no sensitive
information is present in
the log, the attacker
doesn’t have information
to mount an attack
against user accounts.
A user logs into the system with
its user and password. This event
is logged to a log file. No
sensitive information like the
password is included.
No sensitive
information in log file
Logging
Understanding the concept
Web application
http://site.com/?page=../../../../EventLog.log
Login: John, Password: Y6ZGFIR84
6. …
Event: [Successful login] User: John, Password: Y6ZGFIR84
…
EventLog.log
A web application logs all
relevant activity of its users.
By exploiting a vulnerability of
the site, an attacker is able to
access the log file of the
application.
Because user passwords
are kept in the log file, the
attacker is able to steal
the accounts of all the
users listed in the log.
A user logs into the system with
its user and password. This event
is logged to a log file. The
password is included in the log.
Plaint text passwords
in log file
Logging
What could happen with the concept?
Web application
http://site.com/?page=../../../../EventLog.log
Login: John, Password: Y6ZGFIR84
7. Logging
Typical controls
Centralize logging using a framework.
Log activity through all of the application tiers.
Log key events.
Successful and failed logon attempts, modification and retrieval of data, …
Log relevant information (the 5 W’s of logging)
What happened, when, where (host, network interface, ..),
who was involved, where did it come from?
Avoid logging private information such as passwords or credit
card information.
Restrict access to logs to authorized individuals.