Medium Severity
🟡 Log Injection / Log Poisoning
🧠 Description
Log Injection occurs when unsanitized user input is written to application logs. Because most log formats treat a newline as the record boundary, an attacker who controls a logged value can embed line breaks and forge entire entries, manipulating the log file and potentially enabling log poisoning attacks where other parts of the application (or downstream tooling) parse these logs.
Impact: Log Poisoning, WAF Bypass, Secondary Injection
🎯 Attack Surface
- User-Agent header injection
- Username/login fields
- Search parameters
- Comment fields
- API endpoint parameters
💣 Basic Payloads
2024-01-01 ERROR admin failed login
127.0.0.1 - - [01/Jan/2024:12:00:00] "GET /admin HTTP/1.1" 200
{"user":"admin","role":"admin"}
/etc/passwd opened by user
⚡ Advanced Exploitation
- Log Poisoning + LFI: Inject webshell path into logs, then include via LFI
- Log Injection to WAF: Inject false log entries to trigger WAF rules
- Log Forgery: Inject fake entries to frame other users or hide attacks
🛡️ Mitigation
✅ Validate and sanitize all input before logging
✅ Encode/sanitize special characters (newlines, carriage returns)
✅ Store logs in append-only storage
✅ Separate log storage from web root
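As an added example (not code from the original cheat sheet), the following Python shows the vulnerable pattern from the description (a user-controlled User-Agent concatenated straight into a log line) beside the mitigation of encoding newlines, carriage returns and other control characters before they reach the log. The forged User-Agent value, the logger names and the `SanitizingFilter` class are constructed for this example; everything else is the standard library `logging` module. A small `find_anomalous_lines` check at the end shows the detection side: a line that does not start with a known level name is a candidate forged entry.

```python
"""Added example: log injection, the vulnerable form, the hardened form,
and a simple detection check. Not part of the original page."""
import io
import logging

# Constructed sample input: a User-Agent header carrying a forged second line
# (the forged entry text is the page's own basic payload).
FORGED_USER_AGENT = "Mozilla/5.0\n2024-01-01 ERROR admin failed login"

# Level names this example's log format is expected to start with.
KNOWN_LEVELS = ("DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL")


def sanitize_for_log(value: str, max_len: int = 256) -> str:
    """Escape CR, LF and every other control character so that one input
    value can only ever occupy a single log line, and cap its length."""
    out = []
    for ch in value[:max_len]:
        code = ord(ch)
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif code < 0x20 or code == 0x7F:      # other C0 controls, DEL (e.g. ANSI escapes)
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")
    return "".join(out)


class SanitizingFilter(logging.Filter):
    """Hypothetical handler filter: sanitizes the message template and every
    string argument before the record is formatted. Templates are expected to
    be single-line, so escaping a newline in them is acceptable."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, str):
            record.msg = sanitize_for_log(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: sanitize_for_log(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(sanitize_for_log(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def _make_logger(name: str, sanitize: bool):
    """Build an in-memory logger so the example runs offline; returns (logger, buffer)."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if sanitize:
        handler.addFilter(SanitizingFilter())
    logger.addHandler(handler)
    return logger, buf


def log_login_vulnerable(user_agent: str) -> str:
    """Vulnerable: raw header value concatenated into the line, newlines intact."""
    logger, buf = _make_logger("example.vulnerable", sanitize=False)
    logger.info("login attempt from UA=" + user_agent)
    return buf.getvalue()


def log_login_hardened(user_agent: str) -> str:
    """Hardened: value passed as an argument and escaped by the filter."""
    logger, buf = _make_logger("example.hardened", sanitize=True)
    logger.info("login attempt from UA=%s", user_agent)
    return buf.getvalue()


def count_log_lines(log_text: str) -> int:
    """Number of physical lines the log now contains."""
    return len(log_text.splitlines())


def find_anomalous_lines(log_text: str) -> list:
    """Detection check: lines that do not begin with a known level name could
    not have been produced by this formatter and are candidate forged entries."""
    return [line for line in log_text.splitlines()
            if not line.startswith(KNOWN_LEVELS)]


if __name__ == "__main__":
    print("vulnerable:\n" + log_login_vulnerable(FORGED_USER_AGENT))
    print("hardened:\n" + log_login_hardened(FORGED_USER_AGENT))
    print("suspicious:", find_anomalous_lines(log_login_vulnerable(FORGED_USER_AGENT)))
```

Escaping rather than stripping is deliberate: the injected bytes stay visible in the record for investigators, but can no longer start a new line. The prefix check in `find_anomalous_lines` only works because the formatter guarantees every genuine line starts with a level name; adapt the expected prefix to whatever your own log format guarantees.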