Severity: low | CWE-117 | OWASP A09:2021

Log Injection

User-supplied input written to logs without sanitization, allowing attackers to forge log entries, hide their tracks, or inject malicious content into log files.

How It Works

If you log raw user input, an attacker can include newline characters to insert fake log entries. For example, a username of `admin\n[INFO] User admin logged out successfully` makes it look like admin logged out cleanly in the log file, hiding a real attack. More dangerously, some log viewers render log content as HTML, so injected markup is interpreted in the browser of whoever reviews the logs.

Vulnerable Code

// BAD: raw user input in logs
export async function POST(req: Request) {
  const { username } = await req.json();
  // The template literal copies the value verbatim, newlines included,
  // so one request can produce several "entries" in the log.
  console.log(`Login attempt for user: ${username}`);
  // username = 'alice\n[INFO] Login success for: admin'
  // -> the second line looks like a genuine success entry for admin
}
Secure Code

// GOOD: sanitize before logging, use structured logging
// Assumes `logger` is a structured logger (e.g. pino or winston) configured elsewhere.
export async function POST(req: Request) {
  const { username } = await req.json();
  // Coerce to string first so a missing or non-string field cannot throw,
  // then replace CR/LF so the value can never start a new log record.
  const safeUsername = String(username ?? '').replace(/[\r\n]/g, '_');
  // Better: use structured logging with a dedicated field
  logger.info('Login attempt', { username: safeUsername });
}

Real-World Example

Log4Shell (CVE-2021-44228) was essentially a log injection that went catastrophically wrong: the log4j library actually executed code embedded in log messages. Pure log injection is lower severity, but Log4Shell showed what's possible when log handling gets too clever.

How to Prevent It

  • Strip or encode newline characters (\r, \n) from user input before logging
  • Use structured logging (JSON format) with dedicated fields instead of string interpolation
  • Never render raw log content in a web UI without escaping
  • Set up log integrity monitoring to detect tampering
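To make the mechanism and the fixes above concrete, here is an added example (not code from the original page) that takes the forged username from the vulnerable snippet and shows how many entries a log consumer sees with raw interpolation, with control-character sanitization, and with one-JSON-object-per-line structured logging, plus the HTML escaping a log viewer needs. Function names and the sample values are constructed for this example.

```typescript
// Constructed attacker-controlled value from the page's scenario.
const FORGED_USERNAME = "alice\n[INFO] Login success for: admin";

// BAD: string interpolation copies the raw value into the log line.
function formatRawLine(username: string): string {
  return `[INFO] Login attempt for user: ${username}`;
}

// Neutralise CR/LF and every other C0 control character (plus DEL) so that
// one event always stays one line; tabs and escape sequences are covered too.
function sanitizeForLog(value: unknown): string {
  const s = value == null ? "" : String(value);
  return s.replace(/[\x00-\x1f\x7f]/g, "_");
}

function formatSanitizedLine(username: string): string {
  return `[INFO] Login attempt for user: ${sanitizeForLog(username)}`;
}

// GOOD: structured logging. JSON.stringify turns a real newline into the two
// characters "\" + "n", so the original value survives for analysts but can
// never begin a new record.
function formatStructuredLine(event: string, fields: Record<string, unknown>): string {
  return JSON.stringify({ level: "info", event, ...fields });
}

// Recover the fields from a structured line (what a SIEM parser would do).
function parseStructuredLine(line: string): Record<string, unknown> {
  return JSON.parse(line) as Record<string, unknown>;
}

// How many "entries" a line-oriented consumer (tail, grep, a viewer) would see.
function countEntries(logText: string): number {
  return logText.split(/\r?\n/).filter((l) => l.length > 0).length;
}

// Escape before rendering a log line in a web UI so injected markup is shown, not interpreted.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
```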

Affected Technologies

Node.js, Python, Go, Java

Data Hogo detects this vulnerability automatically.
