12 lines
979 B
Plaintext
12 lines
979 B
Plaintext
=== What is the potential impact?
|
|
|
|
If an attacker can insert arbitrary data into a log file, the integrity of the chain of events being recorded can be compromised. +
|
|
This frequently occurs because attackers can inject the log entry separator of the logger framework, commonly newlines, and thus insert artificial log entries. +
|
|
Other attacks could also occur requiring only field pollution, such as cross-site scripting (XSS) or code injection (for example, Log4Shell) if the logged data is fed to other application components, which may interpret the injected data differently. +
|
|
|
|
|
|
The focus of this rule is newline character replacement.
|
|
|
|
==== Log Forge
|
|
|
|
An attacker, able to create independent log entries by injecting log entry separators, inserts bogus data into a log file to conceal his malicious activities. This obscures the content for an incident response team to trace the origin of the breach as the indicators of compromise (IoCs) lead to fake application events. |