Comments (9)
jmanico
commented on May 29, 2024
Katy,
A *separate* log encoder function to stop log injection is a reasonable
idea.
Pertinent characters that would need to be managed are listed here.
https://affinity-it-security.com/how-to-prevent-log-injection/
A few concerns...
1) There really is no "log escaping format". Most log injection
protections just remove the dangerous characters or replace them with a
space or something else innocent.
2) Another though is that this library is pretty strictly for just XSS
defense. I'm not sure if the author wants to expand the library for
other types of injection. What do you think, Dr. Jeff?
Aloha, Jim
β¦On 3/19/18 6:47 AM, katyanton wrote:
Some libraries (like log4j2) have protections agains log forging and
XSS which can be enabled via config settings.
Other libraries (log4j v1 and other ) don't have this option.
Can any of the existing OWASP Java Encoder functions be used to
neutralize data recorded in logs ?
If not, is it possible to have another method, let's say
encodeForLogs(), that will take care of both HTMLEncode and log forging?
Thanks,
Katy
β
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#11>, or mute the
thread
<https://github.com/notifications/unsubscribe-auth/AAgcCcmrVlKQnA3i4gmBvtJdJA2WBLthks5tf-EvgaJpZM4Swg53>.
--
Jim Manico
Manicode Security
https://www.manicode.com
from owasp-java-encoder.
jeremylong
commented on May 29, 2024
Consider logging to a structured format such as JSON - then standard JSON encoding would be sufficient. Logging to JSON is often a good choice.
from owasp-java-encoder.
augustd
commented on May 29, 2024
Hi @katyanton, The OWASP Security Logging Project includes an encoder for Logback, but for Log4J we recommend using the built-in encoder:
https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
from owasp-java-encoder.
katyanton
commented on May 29, 2024
Hi @augustd - I'm aware of the encoding for Log4J, but this is available only in version 2, not version 1.
from owasp-java-encoder.
jmanico
commented on May 29, 2024
ππΌππΌ
β¦--
Jim Manico
@manicode
Secure Coding Education
+1 (808) 652-3805
On Mar 20, 2018, at 7:18 AM, August Detlefsen ***@***.***> wrote:
Hi @katyanton, The OWASP Security Logging Project includes an encoder for Logback, but for Log4J we recommend using the built-in encoder:
https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging
β
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
from owasp-java-encoder.
katyanton
commented on May 29, 2024
Hi @jeremylong - I hear what you're saying and makes sense.
The corresponding method in OWASP Encoder would be encode#forJavaScriptSource(String) .
It would be a bit counter intuitive for a developer to know to use that method though.
from owasp-java-encoder.
augustd
commented on May 29, 2024
Unfortunately Log4J version 1 is somewhat lacking in the extensibility department (most of the classes are actually final). Is that a hard requirement? Ideally you should be moving towards Log4J2 -you will get many more features and better performance. Otherwise feel free to submit a feature request at OWASP Security Logging and we can look into adding an encoder for version 1.
For ESAPI I actually created a whole wrapper for the Log4JLogger which does the encoding, but then you have to use ESAPI's API, not Log4J's.
from owasp-java-encoder.
xeno6696
commented on May 29, 2024
Log4j v1's days in ESAPI are also numbered. We've been having an on-again
off-again conversation about what to do with ESAPI's logger.
β¦On Tue, Mar 20, 2018 at 1:22 PM August Detlefsen ***@***.***> wrote:
Unfortunately Log4J version 1 is somewhat lacking in the *extensibility*
department (most of the classes are actually final). Is that a hard
requirement? Ideally you should be moving towards Log4J2 -you will get many
more features and better performance. Otherwise feel free to submit a
feature request at OWASP Security Logging and we can look into adding an
encoder for version 1.
For ESAPI I actually created a whole wrapper for the Log4JLogger
<https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/reference/Log4JLogger.java#L412>
which does the encoding, but then you have to use ESAPI's API, not Log4J's.
β
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#11 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AJEAQXNJMSaPYlNUUMhYy4jsqSaJsSVDks5tgWUggaJpZM4Swg53>
.
from owasp-java-encoder.
jmanico
commented on May 29, 2024
We politely do not think this library is the right place for logging functions. Please consider the OWASP Logging project for this request!
from owasp-java-encoder.
Related Issues (20)
- Configuring exclusions for `Encode.forHtml()` HOT 5
- Rename main branch HOT 1
- Create encode for URL function HOT 9
- Support for input canonicalization HOT 6
- JavaScriptEncoder escapes "-" what makes dates escaped HOT 6
- Create an encodeForEmail() function HOT 4
- Possible to inject expression property resulting XSS attack in IE browser by using certain document modes HOT 2
- Please sign the jar HOT 12
- Documentation Frames Broken by Content-Security-Policy HOT 1
- Process for reporting possible security vulnerabilties
- Correct javadoc for Encode class HOT 1
- Javadoc link is broken HOT 4
- Alternative method for deprecated forUri() method HOT 1
- Jsp tags not working together with EL expressions HOT 3
- log4j 1.2.17 dependency HOT 6
- Compile error HOT 6
- Any plans for a version using Jakarta Servlet 5.0? HOT 4
- Automatic module name not included in manifest
- I couldn't sanitize the vector "<%<!--'%><script>alert(1);</script -->", using the methods available in "encoder-1.2.3.jar". HOT 3
- Combining OWASP Sanitizer and Encoder HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from owasp-java-encoder.