Application Log Injection


Overview

Application Log Injection may result when application logs store user input and possess client-vulnerabilities such as XSS. For example, if application logs are stored in HTML format and viewed in a browser, then XSS vulnerabilities in the log viewer could allow execution of the XSS.

YouTubeVideo Tutorials

Discovery Methodology

To discover vulnerabilities in the log viewer, it may be best to download and install a copy of the target application locally, then use standard techniques to test the application.

Exploitation

Cross site scripting tends to be the easiest and most prevalent vulnerability in HTML based application log viewers. Send hooks and other XSS into the logs. Wait for an administrator to view the logs.

Example

The user name entered on the login page is logged to the application log. Enter a cross-site script in the user name field. Visit the View Log page. Check that the XSS works.



Videos

YouTubeCross-site Scripting Explained - Part 13: Advanced Session Hijacking