Information Exposure Through Log Files| ID: 532 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: INCOMPLETE |
| Abstraction Type: Variant |
Description
Information written to log files can be of a sensitive nature
and give valuable guidance to an attacker or expose sensitive user
information.
Extended DescriptionWhile logging all information may be helpful during development stages, it
is important that logging levels be set appropriately before a product ships
so that sensitive user data and system information are not accidentally
exposed to potential attackers.
Likelihood of Exploit: Medium
Applicable PlatformsNone
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Confidentiality | Read application
data | Logging sensitive user data often provides attackers with an
additional, less-protected path to acquiring the information. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and DesignImplementation | | Consider seriously the sensitivity of the information written into log
files. Do not write secrets into the log files. | | |
| Operation | | Protect log files against unauthorized read/write. | | |
| Implementation | | Adjust configurations appropriately when software is transitioned from
a debug state to production. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-532 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples (Details)
- In the following code snippet, a user's full name and credit card
number are written to a log file.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| Anonymous Tool Vendor (under NDA) | | | |
| CERT Java Secure Coding | FIO13-J | Do not log sensitive information outside a trust
boundary | |
References:None
