Secure Code Warrior - Logging
Download as PPTX, PDF0 likes107 views
The document discusses the importance of logging application security events to prevent and investigate security incidents effectively. It emphasizes the need for a proper logging framework to record authentication attempts while avoiding the logging of sensitive information. Key recommendations include centralizing logs, monitoring suspicious events, and restricting access to authorized personnel.
![An application uses a logging
mechanism that stores
information about
authentication events.
Suspicious events are being
actively monitored.
The login attempts are being logged.
Since the logs are being monitored,
the administrator is made aware of
the attack on his account.
Using detailed information
of the log file, the incident
response team is able to
get more information about
the attacker and his attack.
An attacker wants to crack the
password of the admin account.
He performs a series of login
attempts using a password list.
123456
password
qwerty
12345678
abc123
…
passwords.txt
Logging authentication
events
Logging
Understanding the concept
Web application
Event: [Login Failed (1)] User: admin, IP: 123.123.123.123
Event: [Login Failed (2)] User: admin, IP: 123.123.123.123
Event: [Login Failed (3)] User: admin, IP: 123.123.123.123
Event: [Login Failed (4)] User: admin, IP: 123.123.123.123
…
EventLog.logadmin
*********
Password
Login](https://image.slidesharecdn.com/8logging-160912113312/85/Secure-Code-Warrior-Logging-3-320.jpg)
![An application without logging
mechanism that stores
information about
authentication events, such as
successful or failed logins.
Because no lockout mechanism
exists, the attacker can try all
possible passwords from the list. No
login attempt is being logged.
The admin does not realize
his account is being
attacked and compromised.
If he discovers the account
takeover, he has no way of
analyzing the attack.
An attacker wants to crack the
password of the admin account.
He performs a series of login
attempts using a password list.
123456
password
qwerty
12345678
abc123
…
passwords.txt
Missing authentication
logging
Logging
What could happen with the concept?
Web application
Event: [Login Failed (1)] User: admin, IP: 123.123.123.123
Event: [Login Failed (2)] User: admin, IP: 123.123.123.123
Event: [Login Failed (3)] User: admin, IP: 123.123.123.123
Event: [Login Failed (4)] User: admin, IP: 123.123.123.123
…
EventLog.logadmin
*********
Password
Login](https://image.slidesharecdn.com/8logging-160912113312/85/Secure-Code-Warrior-Logging-4-320.jpg)
![…
Event: [Successful login] User: John, Password: *********
…
EventLog.log
A web application logs all
relevant activity of its users.
By exploiting a vulnerability of
the site, an attacker is able to
access the log file of the
application.
Because no sensitive
information is present in
the log, the attacker
doesn’t have information
to mount an attack
against user accounts.
A user logs into the system with
its user and password. This event
is logged to a log file. No
sensitive information like the
password is included.
No sensitive
information in log file
Logging
Understanding the concept
Web application
http://site.com/?page=../../../../EventLog.log
Login: John, Password: Y6ZGFIR84](https://image.slidesharecdn.com/8logging-160912113312/85/Secure-Code-Warrior-Logging-5-320.jpg)
![…
Event: [Successful login] User: John, Password: Y6ZGFIR84
…
EventLog.log
A web application logs all
relevant activity of its users.
By exploiting a vulnerability of
the site, an attacker is able to
access the log file of the
application.
Because user passwords
are kept in the log file, the
attacker is able to steal
the accounts of all the
users listed in the log.
A user logs into the system with
its user and password. This event
is logged to a log file. The
password is included in the log.
Plaint text passwords
in log file
Logging
What could happen with the concept?
Web application
http://site.com/?page=../../../../EventLog.log
Login: John, Password: Y6ZGFIR84](https://image.slidesharecdn.com/8logging-160912113312/85/Secure-Code-Warrior-Logging-6-320.jpg)
Secure Code Warrior - Logging
- 1. Logging Application Security Fundamentals by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
- 2. The application doesn’t log security-related information or simply doesn’t log anything at all. The opposite can happen as well: an application logs confidential information. What could happen? Security-related incidents cannot be properly investigated due to a lack of evidence. In case confidential data is logged, an attacker could get a hold of it. How to implement it? Use a logging framework to log all interesting events in appropriate detail with the necessary variables. Restrict access to authorized individuals. What’s the concept about?
- 3. An application uses a logging mechanism that stores information about authentication events. Suspicious events are being actively monitored. The login attempts are being logged. Since the logs are being monitored, the administrator is made aware of the attack on his account. Using detailed information of the log file, the incident response team is able to get more information about the attacker and his attack. An attacker wants to crack the password of the admin account. He performs a series of login attempts using a password list. 123456 password qwerty 12345678 abc123 … passwords.txt Logging authentication events Logging Understanding the concept Web application Event: [Login Failed (1)] User: admin, IP: 123.123.123.123 Event: [Login Failed (2)] User: admin, IP: 123.123.123.123 Event: [Login Failed (3)] User: admin, IP: 123.123.123.123 Event: [Login Failed (4)] User: admin, IP: 123.123.123.123 … EventLog.logadmin ********* Password Login
- 4. An application without logging mechanism that stores information about authentication events, such as successful or failed logins. Because no lockout mechanism exists, the attacker can try all possible passwords from the list. No login attempt is being logged. The admin does not realize his account is being attacked and compromised. If he discovers the account takeover, he has no way of analyzing the attack. An attacker wants to crack the password of the admin account. He performs a series of login attempts using a password list. 123456 password qwerty 12345678 abc123 … passwords.txt Missing authentication logging Logging What could happen with the concept? Web application Event: [Login Failed (1)] User: admin, IP: 123.123.123.123 Event: [Login Failed (2)] User: admin, IP: 123.123.123.123 Event: [Login Failed (3)] User: admin, IP: 123.123.123.123 Event: [Login Failed (4)] User: admin, IP: 123.123.123.123 … EventLog.logadmin ********* Password Login
- 5. … Event: [Successful login] User: John, Password: ********* … EventLog.log A web application logs all relevant activity of its users. By exploiting a vulnerability of the site, an attacker is able to access the log file of the application. Because no sensitive information is present in the log, the attacker doesn’t have information to mount an attack against user accounts. A user logs into the system with its user and password. This event is logged to a log file. No sensitive information like the password is included. No sensitive information in log file Logging Understanding the concept Web application http://site.com/?page=../../../../EventLog.log Login: John, Password: Y6ZGFIR84
- 6. … Event: [Successful login] User: John, Password: Y6ZGFIR84 … EventLog.log A web application logs all relevant activity of its users. By exploiting a vulnerability of the site, an attacker is able to access the log file of the application. Because user passwords are kept in the log file, the attacker is able to steal the accounts of all the users listed in the log. A user logs into the system with its user and password. This event is logged to a log file. The password is included in the log. Plaint text passwords in log file Logging What could happen with the concept? Web application http://site.com/?page=../../../../EventLog.log Login: John, Password: Y6ZGFIR84
- 7. Logging Typical controls Centralize logging using a framework. Log activity through all of the application tiers. Log key events. Successful and failed logon attempts, modification and retrieval of data, … Log relevant information (the 5 W’s of logging) What happened, when, where (host, network interface, ..), who was involved, where did it come from? Avoid logging private information such as passwords or credit card information. Restrict access to logs to authorized individuals.