🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Log Injection

Log injection happens when untrusted data is stored in logs and does not escaped when used by the downstream component or rendered in the UI. An adversary can exploit this vulnerability to execute arbitrary command (see Log4Shell), JavaScript code (see second-order XSS or blind XSS), or insert fake log entries (see CRLF injection).

Remediation

  • Restrict size and character set of the data that is stored in the logs.
  • Perform contextual escaping of the logs before usage ore rendering.

Metadata

  • Severity: medium
  • Slug: log-injection

CWEs

  • 117: Improper Output Neutralization for Logs
  • 93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

OWASP

  • A03:2021: Injection

Available Labs

Open Python labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.