Severity: low | CWE-778 | OWASP A09:2021

Insufficient Security Logging

Not logging security events (failed logins, permission denials, suspicious actions) means you can't detect attacks in progress or reconstruct what happened after a breach.

How It Works

OWASP A09 — Security Logging and Monitoring Failures — is consistently in the top 10 because organizations can't detect breaches without the right logs. Without security event logs, a credential stuffing attack can run for weeks before anyone notices. Post-breach forensics becomes impossible.

Vulnerable Code

// BAD: authentication with no security event logging
// validateCredentials, createToken, securityLog and getIP are the app's own helpers (not shown here)
export async function POST(req: Request) {
  const { email, password } = await req.json();
  const user = await validateCredentials(email, password);
  if (!user) return Response.json({ error: 'Invalid' }, { status: 401 });
  // No log of failed attempt — attacker is invisible
  return Response.json({ token: createToken(user) });
}

Secure Code

// GOOD: log security events with enough context to detect and investigate
export async function POST(req: Request) {
  const { email, password } = await req.json();
  const user = await validateCredentials(email, password);
  if (!user) {
    // Failed attempt: record who was targeted and where the request came from
    securityLog.warn({ event: 'login_failed', email, ip: getIP(req) });
    return Response.json({ error: 'Invalid credentials' }, { status: 401 });
  }
  // Successful login: record the user ID and source IP for later correlation
  securityLog.info({ event: 'login_success', userId: user.id, ip: getIP(req) });
  return Response.json({ token: createToken(user) });
}

Real-World Example

The 2013 Target breach went undetected for 3 weeks because their security monitoring wasn't configured to alert on the specific patterns of data exfiltration occurring. With proper logging and alerting, the breach could have been caught within hours.

How to Prevent It

  • Log all authentication events: login success, login failure, password reset, MFA events
  • Log all authorization failures: requests to resources the user doesn't have permission to access
  • Include IP address, user ID (not username/email), timestamp, and action in every security log
  • Set up alerts for anomalous patterns: >10 failed logins per minute, access from new countries
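The alerting rules in the last bullet, as an added TypeScript example that is not part of the original page: both rules run over structured events shaped like the securityLog calls above. The event type, the constructed sample events and the assumption that a GeoIP step upstream has filled in `country` are all mine, not the page's.

```typescript
// Added example, not code from the original page. Events mirror the fields the
// securityLog calls emit; ts is epoch ms, userId only exists on login_success,
// and country is assumed to have been resolved from ip by a GeoIP step upstream.
type SecurityEvent = { event: 'login_failed' | 'login_success'; ts: number; ip: string; userId?: string; country?: string };
type SecurityAlert = { rule: string; key: string; detail: string };

// Rule 1: more than `limit` login_failed events from one IP inside a sliding window.
function detectFailedLoginBursts(events: SecurityEvent[], limit = 10, windowMs = 60_000): SecurityAlert[] {
  const byIp = new Map<string, number[]>();
  for (const e of events) {
    if (e.event === 'login_failed') byIp.set(e.ip, [...(byIp.get(e.ip) ?? []), e.ts]);
  }
  const alerts: SecurityAlert[] = [];
  for (const [ip, ts] of byIp) {
    ts.sort((a, b) => a - b);
    for (let i = 0, start = 0; i < ts.length; i++) {
      while (ts[i] - ts[start] > windowMs) start++; // drop timestamps that fell out of the window
      if (i - start + 1 > limit) {
        alerts.push({ rule: 'failed_login_burst', key: ip, detail: `${i - start + 1} failures in ${windowMs / 1000}s` });
        break; // one alert per IP is enough
      }
    }
  }
  return alerts;
}

// Rule 2: a login_success from a country the user has never logged in from before.
function detectNewCountryLogins(events: SecurityEvent[]): SecurityAlert[] {
  const seen = new Map<string, Set<string>>();
  const alerts: SecurityAlert[] = [];
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.event !== 'login_success' || !e.userId || !e.country) continue;
    const countries = seen.get(e.userId) ?? new Set<string>();
    if (countries.size > 0 && !countries.has(e.country)) {
      alerts.push({ rule: 'new_country_login', key: e.userId, detail: `first login from ${e.country}` });
    }
    seen.set(e.userId, countries.add(e.country));
  }
  return alerts;
}

// Constructed sample: 11 failures from one IP within 30s, a single failure from
// another IP, then a user who normally logs in from DE appearing from BR.
const sampleEvents: SecurityEvent[] = [
  ...Array.from({ length: 11 }, (_, i) => ({ event: 'login_failed' as const, ts: 1_700_000_000_000 + i * 3_000, ip: '203.0.113.5' })),
  { event: 'login_failed', ts: 1_700_000_000_000, ip: '198.51.100.9' },
  { event: 'login_success', ts: 1_700_000_100_000, ip: '192.0.2.10', userId: 'u1', country: 'DE' },
  { event: 'login_success', ts: 1_700_000_200_000, ip: '192.0.2.77', userId: 'u1', country: 'BR' },
];
```

Running both rules over `sampleEvents` yields one burst alert for 203.0.113.5 and one new-country alert for u1; the single failure from the second IP stays below the threshold.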

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
