Log injection occurs when an application fails to sanitize untrusted data used for logging.
An attacker can forge log content to prevent an organization from being able to trace back malicious activities.
What is the potential impact?
If an attacker can insert arbitrary data into a log file, the integrity of the chain of events being recorded can be compromised.
This
frequently occurs because attackers can inject the log entry separator of the logger framework, commonly newlines, and thus insert artificial log
entries.
Other attacks could also occur requiring only field pollution, such as cross-site scripting (XSS) or code injection (for example,
Log4Shell) if the logged data is fed to other application components, which may interpret the injected data differently.
The focus of this rule is newline character replacement.
Log Forge
An attacker, able to create independent log entries by injecting log entry separators, inserts bogus data into a log file to conceal his malicious
activities. This obscures the content for an incident response team to trace the origin of the breach as the indicators of compromise (IoCs) lead to
fake application events.
