log-injection
Safeguard articles tagged "log-injection" — guides, analysis, and best practices for software supply chain and application security.
5 articles
Log injection attacks and how to stop forging your own audit trail
One unsanitized turns a log line into two, and a critical Log4j flaw with a CVSS score of 10.0 turned a log message into remote code execution.
Preventing log injection in Node.js and Express
A single unescaped newline in req.body can let an attacker forge fake log entries — CWE-117 log injection still hits Node apps that log with plain string concatenation.
Log Injection: How Attackers Poison Your Logs (and How to Stop Them)
Logs are supposed to be your source of truth during an incident. Log injection lets attackers forge entries, break parsers, and — in the worst cases — trigger code execution from a log line.
How to prevent log injection vulnerabilities in Java
Log injection let attackers turn Log4j logging calls into remote code execution in 2021. Here's how CWE-117 works in Java and how to stop it.
Logging Vulnerabilities: Log Injection and Sensitive Data...
Log4Shell, plaintext password logs, and CRLF injection show how logging vulnerabilities turn debug output into a full-blown breach vector for attackers.