I got the Veracode report for my Java EE app. It had a flaw at every logging call (using log4j), so I added `StringEscapeUtils.escapeJava(log)`
to all of them, but Veracode keeps reporting them as security flaws.
Is this a right solution? What else can I do?
This is the report info: Title: Improper Output Neutralization for Logs
Description: A function call could result in a log forging attack. Writing unsanitized user-supplied data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible.
Recommendations: Avoid directly embedding user input in log files when possible. Sanitize user-supplied data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Only write custom blacklisting code when absolutely necessary. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
They recommend using ESAPI, but it is a very big project, so I need the simplest solution; that's why I tried `StringEscapeUtils.escapeJava(log)`.
Thanks in advance!
CRLF injection is a software application coding vulnerability that occurs when an attacker injects a CRLF character sequence where it is not expected. When CRLF injection is used to split an HTTP response header, it is referred to as HTTP Response Splitting.
CRLF injections are vulnerabilities where the attacker is able to inject CR (carriage return, ASCII 13) and LF (line feed, ASCII 10) characters into the web application. This lets the attacker add extra headers to HTTP responses or even make the browser ignore the original content and process injected content instead.
Description. The term CRLF refers to Carriage Return (ASCII 13, `\r`) Line Feed (ASCII 10, `\n`). They're used to mark the end of a line; however, they are handled differently by today's popular operating systems.
CWE 117: Improper Output Sanitization for Logs is a logging-specific example of CRLF Injection. It occurs when a user maliciously or accidentally inserts line-ending characters (CR [Carriage Return], LF [Line Feed], or CRLF [a combination of the two]) into data that will be written into a log.
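The following is an added example (not code from the question, the answers, or Veracode) showing what the CWE-117 pattern looks like in Java: a user-controlled value containing `\r\n` turns one log call into two log lines, and a small sanitizer keeps the entry on a single line so the attempted forgery stays visible. The class and method names (`LogForgingDemo`, `sanitizeForLog`, `formatEntry`) and the sample username are constructed for this illustration; it builds the log line as a plain string so it runs without log4j.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical names): demonstrates log forging via CRLF
 * and a simple neutralization step before the value reaches the logger.
 */
public class LogForgingDemo {

    // CR, LF, NEL (U+0085), Unicode line/paragraph separators, and every other
    // ASCII control character. Tabs are replaced too, which keeps entries on one line.
    private static final Pattern LOG_UNSAFE =
        Pattern.compile("[\\r\\n\\u0085\\u2028\\u2029\\p{Cntrl}]");

    /** Replaces each line-ending/control character with '_' so the entry cannot span lines. */
    public static String sanitizeForLog(String input) {
        if (input == null) {
            return "null";
        }
        return LOG_UNSAFE.matcher(input).replaceAll("_");
    }

    /** Builds the text a naive log.info("login attempt user=" + username) would emit. */
    public static String formatEntry(String username, boolean sanitize) {
        String value = sanitize ? sanitizeForLog(username) : username;
        return "INFO  login attempt user=" + value;
    }

    public static void main(String[] args) {
        // Constructed malicious input: a normal-looking name followed by a forged second entry.
        String forged = "alice\r\nINFO  login attempt user=admin success=true";

        System.out.println("--- unsanitized: prints as two lines, the second one forged ---");
        System.out.println(formatEntry(forged, false));

        System.out.println("--- sanitized: one line, the CRLF is visible as '__' ---");
        System.out.println(formatEntry(forged, true));
    }
}
```

Running `main` prints the forged entry on its own line in the first case and a single line containing `alice__INFO  login attempt user=admin success=true` in the second. Whether a scanner recognizes a given sanitizer as a cleanser is a separate question from whether it works; the check that matters for the reader of the log is that no user-controlled value can end a line.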
I head up the Veracode Application Security Consulting group, and can answer your question in detail. The best venue for the conversation is through [email protected], since the discussion may involve specific details about your findings that we probably want to avoid making public.
The short answer is that StringEscapeUtils.escapeJava() is effective at eliminating typical CRLF risk, but it is not one of the mechanisms our system automatically recognizes, as there are situations in which it may be insufficient.
The Veracode system has a mechanism for marking these findings appropriately so they do not cause confusion.
Please contact Veracode Support ([email protected]), and we'll be able to talk in detail.
Best regards, Jim.