Merge pull request #108 from lirantal/feat/log-injection

feat(log-injection): example vulnerable code for CSRF injection

Author: ckarande

app/routes/session.js

@@ -61,6 +61,20 @@ function SessionHandler(db) {
             var invalidPasswordErrorMessage = "Invalid password";
             if (err) {
                 if (err.noSuchUser) {
+                    console.log('Error: attempt to login with invalid user: ', userName);
+
+                    // Fix for A1 - 3 Log Injection - encode/sanitize input for CRLF Injection
+                    // that could result in log forging:
+                    // - Step 1: Require a module that supports encoding
+                    // var ESAPI = require('node-esapi');
+                    // - Step 2: Encode the user input that will be logged in the correct context
+                    // following are a few examples:
+                    // console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForHTML(userName));
+                    // console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForJavaScript(userName));
+                    // console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForURL(userName));
+                    // or if you know that this is a CRLF vulnerability you can target this specifically as follows:
+                    // console.log('Error: attempt to login with invalid user: %s', userName.replace(/(\r\n|\r|\n)/g, '_'));
+
                     return res.render("login", {
                         userName: userName,
                         password: "",

app/views/tutorial/a1.html

@@ -21,15 +21,15 @@ <h3 class="panel-title">Description</h3>
                 Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
             </div>
         </div>
-        <!-- 
-        <div class="panel panel-info"> 
-            <div class="panel-heading"> 
-                <h3 class="panel-title">Real World Attack Incident Examples</h3> 
-            </div> 
-            <div class="panel-body"> 
-                Screencast here ... 
-            </div> 
-        </div> 
+        <!--
+        <div class="panel panel-info">
+            <div class="panel-heading">
+                <h3 class="panel-title">Real World Attack Incident Examples</h3>
+            </div>
+            <div class="panel-body">
+                Screencast here ...
+            </div>
+        </div>
         -->
     </div>
 </div>
@@ -308,6 +308,95 @@ <h3 class="panel-title">How Do I Prevent It?</h3>
         </div>
     </div>
     <!-- /NoSQL Injection -->
+
+    <!-- Log Injection -->
+    <div class="panel panel-info">
+        <div class="panel-heading">
+            <h4 class="panel-title">
+                <a data-toggle="collapse" data-parent="#accordion" href="#collapseTwo">
+                    <i class="fa fa-chevron-down"></i> A1 - 3 Log Injection
+                </a>
+            </h4>
+        </div>
+        <div id="collapseTwo" class="panel-collapse">
+            <div class="panel-body">
+
+
+                <div class="panel panel-default">
+                    <div class="panel-heading">
+                        <h3 class="panel-title">Description</h3>
+                    </div>
+                    <div class="panel-body">
+                        <p>
+                            Log injection vulnerabilities enable an attacker to forge and tamper with an application's logs.
+                        </p>
+                    </div>
+                </div>
+
+                <div class="panel panel-default">
+                    <div class="panel-heading">
+                        <h3 class="panel-title">Attack Mechanics</h3>
+                    </div>
+                    <div class="panel-body">
+                        <p>An attacker may craft a malicious request that may deliberately fail, which the application will log, and when attacker's user input is unsanitized, the payload is sent as-is to the logging facility. Vulnerabilities may vary depending on the logging facility:</p>
+                        <h5>1. Log Forging (CRLF) </h5>
+                        <p>Lets consider an example where an application logs a failed attempt to login to the system. A very common example for this is as follows:
+                        </p>
+                        <pre>
+var userName = req.body.userName;
+console.log('Error: attempt to login with invalid user: ', userName);
+                        </pre>
+                        <p>When user input is unsanitized and the output mechanism is an ordinary terminal stdout facility then the application will be vulnerable to CRLF injection, where an attacker can create a malicious payload as follows:
+                        <pre>
+curl http://localhost:4000/login -X POST --data 'userName=vyva%0aError: alex moldovan failed $1,000,000 transaction&password=Admin_123&_csrf='
+                        </pre>
+                        Where the <code>userName</code> parameter is encoding in the request the LF symbol which will result in a new line to begin. Resulting log output will look as follows:
+                        <pre>
+Error: attempt to login with invalid user:  vyva
+Error: alex moldovan failed $1,000,000 transaction
+                        </pre>
+                        <br/>
+                        <h5>2. Log Injection Escalation </h5>
+                        <p>
+                            An attacker may craft malicious input in hope of an escalated attack where the target isn't the logs themselves, but rather the actual logging system. For example, if an application has a back-office web app that manages viewing and tracking the logs, then an attacker may send an XSS payload into the log, which may not result in log forging on the log itself, but when viewed by a system administrator on the log viewing web app then it may compromise it and result in XSS injection that if the logs app is vulnerable.
+                        </p>
+
+                <div class="panel panel-default">
+                    <div class="panel-heading">
+                        <h3 class="panel-title">How Do I Prevent It?</h3>
+                    </div>
+                    <div class="panel-body">
+
+                        As always when dealing with user input:
+                        <ul>
+                            <li>
+                                Do not allow user input into logs
+                            </li>
+                            <li>
+                                Encode to proper context, or sanitize user input
+                            </li>
+                        </ul>
+
+                        Encoding example:
+                        <pre>
+// Step 1: Require a module that supports encoding
+var ESAPI = require('node-esapi');
+// - Step 2: Encode the user input that will be logged in the correct context
+// following are a few examples:
+console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForHTML(userName));
+console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForJavaScript(userName));
+console.log('Error: attempt to login with invalid user: %s', ESAPI.encoder().encodeForURL(userName));
+                        </pre>
+
+                        For the above Log Injection vulnerability, example and fix can be found at
+                        <code>routes/session.js</code>
+                    </div>
+                </div>
+            </div>
+        </div>
+    </div>
+    <!-- /Log Injection -->
+
 </div>
 <!-- end accordions -->
 {% endblock %}

package.json

@@ -16,6 +16,7 @@
     "helmet": "^2.0.0",
     "marked": "0.3.5",
     "mongodb": "^2.1.18",
+    "node-esapi": "0.0.1",
     "serve-favicon": "^2.3.0",
     "swig": "^1.4.2",
     "underscore": "^1.8.3"