Secure Code Warrior - Logging
•Download as PPTX, PDF•
0 likes•82 views
Application Security Fundamentals - Slidepack on "Logging" by Secure Code Warrior Limited and licensed under CC BY-ND 4.0
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (13)
Similar to Secure Code Warrior - Logging
Similar to Secure Code Warrior - Logging (20)
Recently uploaded
Recently uploaded (20)
Secure Code Warrior - Logging
- 1. Logging Application Security Fundamentals by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. The application doesn’t log security-related information or simply doesn’t log anything at all. The opposite can happen as well: an application logs confidential information. What could happen? Security-related incidents cannot be properly investigated due to a lack of evidence. In case confidential data is logged, an attacker could get a hold of it. How to implement it? Use a logging framework to log all interesting events in appropriate detail with the necessary variables. Restrict access to authorized individuals. What’s the concept about?
- 3. An application uses a logging mechanism that stores information about authentication events. Suspicious events are being actively monitored. The login attempts are being logged. Since the logs are being monitored, the administrator is made aware of the attack on his account. Using detailed information of the log file, the incident response team is able to get more information about the attacker and his attack. An attacker wants to crack the password of the admin account. He performs a series of login attempts using a password list. 123456 password qwerty 12345678 abc123 … passwords.txt Logging authentication events Logging Understanding the concept Web application Event: [Login Failed (1)] User: admin, IP: 123.123.123.123 Event: [Login Failed (2)] User: admin, IP: 123.123.123.123 Event: [Login Failed (3)] User: admin, IP: 123.123.123.123 Event: [Login Failed (4)] User: admin, IP: 123.123.123.123 … EventLog.logadmin ********* Password Login
- 4. An application without logging mechanism that stores information about authentication events, such as successful or failed logins. Because no lockout mechanism exists, the attacker can try all possible passwords from the list. No login attempt is being logged. The admin does not realize his account is being attacked and compromised. If he discovers the account takeover, he has no way of analyzing the attack. An attacker wants to crack the password of the admin account. He performs a series of login attempts using a password list. 123456 password qwerty 12345678 abc123 … passwords.txt Missing authentication logging Logging What could happen with the concept? Web application Event: [Login Failed (1)] User: admin, IP: 123.123.123.123 Event: [Login Failed (2)] User: admin, IP: 123.123.123.123 Event: [Login Failed (3)] User: admin, IP: 123.123.123.123 Event: [Login Failed (4)] User: admin, IP: 123.123.123.123 … EventLog.logadmin ********* Password Login
- 5. … Event: [Successful login] User: John, Password: ********* … EventLog.log A web application logs all relevant activity of its users. By exploiting a vulnerability of the site, an attacker is able to access the log file of the application. Because no sensitive information is present in the log, the attacker doesn’t have information to mount an attack against user accounts. A user logs into the system with its user and password. This event is logged to a log file. No sensitive information like the password is included. No sensitive information in log file Logging Understanding the concept Web application http://site.com/?page=../../../../EventLog.log Login: John, Password: Y6ZGFIR84
- 6. … Event: [Successful login] User: John, Password: Y6ZGFIR84 … EventLog.log A web application logs all relevant activity of its users. By exploiting a vulnerability of the site, an attacker is able to access the log file of the application. Because user passwords are kept in the log file, the attacker is able to steal the accounts of all the users listed in the log. A user logs into the system with its user and password. This event is logged to a log file. The password is included in the log. Plaint text passwords in log file Logging What could happen with the concept? Web application http://site.com/?page=../../../../EventLog.log Login: John, Password: Y6ZGFIR84
- 7. Logging Typical controls Centralize logging using a framework. Log activity through all of the application tiers. Log key events. Successful and failed logon attempts, modification and retrieval of data, … Log relevant information (the 5 W’s of logging) What happened, when, where (host, network interface, ..), who was involved, where did it come from? Avoid logging private information such as passwords or credit card information. Restrict access to logs to authorized individuals.