Log forging or Log Injection attacks

Introduction

Log forging, also called log injection, is an attack in which untrusted input is written into an application's log without being neutralized, so that the attacker controls part of what the log says. The usual vector is user-supplied data such as a username, an HTTP header or a query parameter that contains line breaks or other control characters: when the application concatenates it into a log message, the payload is recorded as if it were one or more separate, legitimate entries. No credentials, no access to the log files and no social engineering are required; the application writes the forged lines itself.

It is important for application owners to protect their logs from this attack, because logs are the record that operators, monitoring tools and forensic investigators rely on. An attacker who can write to that record can hide an intrusion, implicate another user, or feed misleading data to the systems that alert on it.

What is log forging?

Log forging is the technique of making an application write fake or misleading entries into its own logs. The attacker needs no access to the log files and no connection to a log server: they supply input that the application will log, such as a login name, a search string or a User-Agent header, and embed in it the characters needed to begin a new log line, typically a carriage return and line feed followed by text formatted like a genuine entry. The logging call writes the whole string faithfully, and the result is one real entry followed by one or more forged ones that are indistinguishable from entries the application generated itself. The attack can be used for malicious purposes such as hiding illicit activity in audit logs, implicating another user, or feeding false data to monitoring and reporting tools.

The attack does not depend on the transport: a request carrying the payload works the same over HTTP and over HTTPS, since encryption protects data in transit and has no bearing on what the application does with it afterwards. Nor does a forged entry reveal its author: every field in it, including any source address or username it claims, is whatever the attacker chose to write, which gives plausible deniability. What matters is whether the application builds log messages by concatenating untrusted data, which is possible in any language and with any logging framework, and whether the application or the framework neutralizes line breaks and control characters before writing. Logging calls that offer only basic formatting and no escaping of their arguments are the usual weak point.

Effect of the Log forging Attack

The effect of a log forging attack is that the log no longer reflects what actually happened, while still looking like an intact, well-formed record. The forged entries are written by the application's own logging code, so file permissions, modification times and integrity checks on the log file do not reveal them: the tampering happened before the bytes reached the file. Because the attack consists of nothing but ordinary requests to the application, it is also hard to tell apart from normal traffic.

Log forging does not by itself grant access or elevate privileges. Its value to the attacker lies in what the false record makes people and systems do, or fail to do. A forged entry can cancel out a suspicious event (a fake "logged out" or "Successful Login" line that satisfies or resets a monitoring rule), make a legitimate user appear responsible for actions they never performed, mislead an incident responder reconstructing a timeline, or break the format that downstream parsers and alerting rules depend on.

Log forging is related to, and often combined with, other attacks. Some examples:

  • SQL injection: where log entries are stored in or queried from a database, injected log content can carry a second payload aimed at that query.
  • File injection: logged values that are later used to build file names or paths can be steered by the same unvalidated input.
  • Shell command injection: log lines that are fed to scripts or command-line tools can carry a payload aimed at them.
  • Brute force password guessing: forged "Successful Login" entries reset or evade failed-attempt counters, as in the scenario below.
  • Session fixation: forged entries can make a session appear to belong to a different user, covering for a hijacked one.
*Note: Log forging is rarely the end goal. It is typically used in conjunction with other attacks, such as brute force password guessing and session fixation, to hide them from monitoring.

Why is it important to prevent log forging attacks?

While it may be tempting to ignore this threat, log forging can have serious consequences for a business. Logs are used to detect attacks, to investigate incidents, to audit who did what, and to meet regulatory requirements; a log that an attacker can write to is worthless for all of these, and a log that is trusted despite being forged is worse than none, because it sends responders in the wrong direction. Forged entries can implicate innocent users, conceal the theft of data and defeat brute-force protection, and a payload that reaches a log viewer or dashboard unescaped may be interpreted by that tool rather than displayed as text. Keeping up with secure logging practices and with the protections your logging frameworks offer is how you protect the integrity of your data.

Log forging takes advantage of the fact that logs are written automatically and trusted implicitly, but rarely verified. It is not a man-in-the-middle attack and does not require a position between the application and a log server: the attacker is simply a client whose input the application records verbatim. The consequences spread to everything that consumes the log, from data integrity and security monitoring to debugging and development.

How does it work?

Logging frameworks build each entry by prepending a header (timestamp, level, source) to a message and terminating it with a newline. Applications commonly build that message by concatenating a fixed string with a value taken from the request, for example a username, a header or a URL parameter. If the value contains a carriage return or line feed, the newline ends the genuine entry early, and whatever follows it in the value is written at the start of the next line. An attacker who formats that remainder like a real entry, including a plausible timestamp, produces a forged line that nothing distinguishes from one the application wrote itself. The forged entries can describe transactions, logins or messages that never happened, attribute actions to another user, or pad the log with noise to bury a real event. A web server's access log, for example, can be forged through the request path or the User-Agent header if those are logged unescaped, and anyone who later reads the log will believe false information about what that user did.

Attack scenario

The web application logs login attempts by user. Below is an example of the code used by the application:

String userID = request.getParameter("userID");
try
{
 int user = Integer.parseInt(userID);
 ...
 log.info("Successful Login, ID=" + userID);
}
catch (NumberFormatException e)
{
 log.info("Failed Login, ID=" + userID);
}

A monitoring system raises an alert once a user exceeds the limit of failed attempts; it can be configured to alert on brute-force attacks in this way. A log entry like the following is written, and counted by the monitor, each time an attempt fails:

May 17:2020:10:43:10: Failed Login, ID=sha

The counter is reset if a successful login occurs before the alert limit is reached. An outsider trying to break into the system can exploit this. Because userID is written into the log unmodified, the attacker can append a line break and a fake "Successful Login" entry to the userID parameter, so that every failed attempt is immediately followed by a forged success that resets the counter. Since Integer.parseInt rejects anything that is not a number, such a payload always takes the catch branch and is logged as part of a failed login. The following is an example of the input, URL-encoded as it appears in the request (%0A is a line feed):

sha%0ASep%2018%3A2020%3A07%3A07%3A13%3A%20Successful%20Login%2C%20ID%3Dsha

which decodes to:

sha
Sep 18:2020:07:07:13: Successful Login, ID=sha

In the absence of any validation or neutralization of user input, forged entries easily neutralize the monitoring system. For this single request, two log lines are written, one real and one fake:

Sep 18:2020:07:07:13: Failed Login, ID=sha
Sep 18:2020:07:07:13: Successful Login, ID=sha

Note that the attacker has to guess the timestamp the real entry will carry. A forged line whose time does not fit the entries around it is one of the few clues a reviewer has.
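The mechanism described under "How does it work?" and the scenario above, re-created as an added example so the effect on the monitor can be seen end to end. This is not the page's or Wallarm's code, and it is in Python rather than the Java of the snippet. The fixed timestamp, the line pattern the monitor matches, the neutralize function and the simulate helper are this example's own assumptions; the attacker input is the page's payload.

```python
import re
import urllib.parse

# Added example re-creating the page's scenario in Python (not the page's
# own Java). The timestamp is fixed so the output is deterministic.
TIMESTAMP = "Sep 18:2020:07:07:13"

# Line pattern the monitor expects: the page's header format followed by
# the login event and the ID (assumed for this example).
ENTRY = re.compile(
    r"^\w{3} \d{2}:\d{4}:\d{2}:\d{2}:\d{2}: (Successful|Failed) Login, ID=(.*)$"
)

# Control characters (including CR and LF) that must never reach a log line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def format_entry(message):
    """Mimic the logging framework: prefix a header, terminate with LF."""
    return f"{TIMESTAMP}: {message}\n"


def log_login_vulnerable(user_id):
    """The page's code: the raw parameter is concatenated into the message.
    A non-numeric ID always takes the 'Failed Login' branch."""
    try:
        int(user_id)
        return format_entry("Successful Login, ID=" + user_id)
    except ValueError:
        return format_entry("Failed Login, ID=" + user_id)


def neutralize(value):
    """Escape control characters as \\xNN so a value cannot start a new
    line. Apply to every untrusted value before it joins a log message."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def log_login_hardened(user_id):
    """Same logic, with the untrusted value neutralized before logging."""
    try:
        int(user_id)
        return format_entry("Successful Login, ID=" + neutralize(user_id))
    except ValueError:
        return format_entry("Failed Login, ID=" + neutralize(user_id))


def consecutive_failures(log_text):
    """The monitoring rule from the scenario: count failed logins since the
    last successful one, considering only lines in the expected format."""
    count = 0
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            continue
        count = 0 if m.group(1) == "Successful" else count + 1
    return count


# The page's attacker input, URL-decoded: the ID, a line feed (%0A), and a
# forged 'Successful Login' entry with a guessed timestamp.
PAYLOAD = urllib.parse.unquote(
    "sha%0ASep%2018%3A2020%3A07%3A07%3A13%3A%20Successful%20Login%2C%20ID%3Dsha"
)


def simulate(logger, attempts=5):
    """Send `attempts` login requests carrying PAYLOAD through `logger`.
    Returns (log text, failure count the monitor sees at the end)."""
    log_text = "".join(logger(PAYLOAD) for _ in range(attempts))
    return log_text, consecutive_failures(log_text)


if __name__ == "__main__":
    for name, logger in (("vulnerable", log_login_vulnerable),
                         ("hardened", log_login_hardened)):
        text, count = simulate(logger)
        print(f"--- {name} logger ---")
        print(text, end="")
        print(f"monitor counts {count} consecutive failures\n")
```

With the vulnerable logger, five failed attempts produce ten lines and the monitor's counter ends at zero, because every real entry is followed by a forged success. With the hardened logger the same five requests produce five lines, the line feed appears as the literal text \x0a inside the ID, and the counter reaches five. Escaping rather than stripping is deliberate: the evidence that someone sent a line break is preserved in the log.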

Attack example

The most common log forging attacks are found at the application layer, in any field the application records. Login forms are the classic case, as in the scenario above: failed logins are logged by design and the username is attacker-controlled. HTTP headers such as User-Agent and Referer, the request path, search strings and form fields are logged just as often and are just as easy to fill with encoded line breaks; any of them can be used to plant entries that describe a request, a customer's transaction or an employee's action that never took place.

A second weakness the attack exploits is that logs frequently contain more than they should. Many applications record passwords, session tokens or other secrets in clear text; an attacker who obtains the log file gets them for free, and forged entries can be used to draw an operator's attention away from the theft. Keeping secrets out of logs is a separate requirement from neutralizing input, but the two belong together.

Preventing a log injection attack

The root fix is never to write untrusted data into a log unmodified. Before a user-supplied value is added to a message, neutralize it: remove or escape carriage returns, line feeds and other control characters, and, where the log is viewed in a browser, HTML-encode it as well. Better still, validate the value against what it is supposed to be and log the validated form; in the scenario above the user ID is meant to be an integer, so logging the parsed number instead of the raw string removes the problem. Structured logging, where each entry is a JSON record and the user value is a field rather than part of a free-text line, makes injection impossible and gives log consumers fields to match on instead of substrings. Prefer the escaping or structured output your logging framework already provides over writing your own.

Defence in depth around the log itself still matters. Limit write access to the logs to the logging process, and if other components must write, make sure only authorized ones can. Forward logs to a separate, append-only store so that an attacker who compromises the application host cannot rewrite history, and back them up regularly so that tampering can be detected by comparison and does not destroy the evidence. Finally, review logs with forgery in mind: lines without a proper header, timestamps that run backwards, and entries that are implausibly convenient for a suspect all deserve a second look.
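Structured logging and a review pass over an existing text log, as an added example of preventing and detecting log injection (not code from the page or from Wallarm). The JSON field names, the sample log lines and the parsing of the page's timestamp format are assumptions made for this example; the payload is the page's.

```python
import json
import re
from datetime import datetime

# Added example (not the page's or Wallarm's code). Field names, the
# sample log and the timestamp parsing are assumptions for this example.


def structured_entry(ts, event, user_id):
    """Write one JSON record per line. json.dumps escapes CR, LF and other
    control characters in the value, so an untrusted user_id cannot start a
    new record, and consumers match on fields instead of substrings."""
    return json.dumps({"ts": ts, "event": event, "user_id": user_id}) + "\n"


def parse_structured(log_text):
    """Read JSON-lines back into records."""
    return [json.loads(line) for line in log_text.splitlines() if line]


def structured_demo():
    """Log the page's attacker payload as a failed login. Returns the number
    of records written and whether the payload came back intact as data."""
    payload = "sha\nSep 18:2020:07:07:13: Successful Login, ID=sha"
    text = structured_entry("2020-09-18T07:07:13Z", "login_failed", payload)
    records = parse_structured(text)
    return len(records), records[0]["user_id"] == payload


# Review of an existing text log in the page's "Mon DD:YYYY:HH:MM:SS: msg" format.
HEADER = re.compile(r"^(\w{3} \d{2}:\d{4}:\d{2}:\d{2}:\d{2}): (.*)$")


def parse_ts(header):
    return datetime.strptime(header, "%b %d:%Y:%H:%M:%S")


def review_text_log(log_text):
    """Return (line number, reason) for lines that look forged: a line with
    no timestamp header is the tail of a split entry, and a timestamp earlier
    than the entries before it was guessed rather than written by the app."""
    findings = []
    latest = None
    for n, line in enumerate(log_text.splitlines(), 1):
        m = HEADER.match(line)
        if m is None:
            findings.append((n, "no timestamp header"))
            continue
        ts = parse_ts(m.group(1))
        if latest is not None and ts < latest:
            findings.append((n, "timestamp earlier than previous entry"))
        else:
            latest = ts
    return findings


# Constructed sample: two forged lines among genuine failed-login entries.
# Line 3 carries a guessed 2018 timestamp; line 5 is a payload that supplied
# no header at all.
SAMPLE_LOG = """\
May 17:2020:10:43:10: Failed Login, ID=sha
May 17:2020:10:43:12: Failed Login, ID=sha
Sep 11:2018:01:07:13: Successful Login, ID=sha
May 17:2020:10:43:15: Failed Login, ID=sha
INFO: User logged out, ID=sha
May 17:2020:10:43:20: Failed Login, ID=sha
"""

if __name__ == "__main__":
    print(structured_demo())
    for n, reason in review_text_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The review pass is a heuristic, not proof: a forged line with a well-guessed timestamp passes both checks, which is why the structured writer, not the reviewer, is the actual fix. The JSON records still need escaping when a viewer renders them as HTML.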

Wallarm's solution to defend against log forging and injection attacks

Log forging is the manipulation of an application's logs so that they record events that did not happen or omit ones that did. It is one form of log injection attack, alongside log tampering and log replacement, in which the attacker modifies or substitutes existing log data rather than inserting new entries through the application.

Because the forged content arrives in ordinary requests, it can be inspected before it reaches the application. Wallarm's approach is to analyze request traffic with AI-based detection and block requests that carry injection payloads, including the encoded line breaks and log-formatted text that log forging depends on, as well as requests that look suspicious without matching a known attack. Payloads blocked at this layer never reach the code that would write them to the log.

A WAF or API security layer complements fixing the logging code; it does not replace it. The application should still neutralize every value it logs, because the simple rule is not to trust user input that ends up in logs. Wallarm products: API Security Platform, Cloud WAF

Preventing log forging matters because of what a compromised log enables: defeated monitoring and brute-force protection, concealed theft of user data or intellectual property, misattributed actions, denial of service when injected content fills storage or crashes log parsers, and unauthorized access to your network that goes unnoticed because the record of it has been rewritten.

Conclusion

Log forging is a simple attack with an outsized effect: a few encoded characters in a request turn the log, the one record defenders rely on, into something the attacker partly wrote. The fix is equally simple and entirely in the application's hands: validate and neutralize every value before it is logged, prefer structured logging, protect and back up the log files, and review logs knowing that their contents can be influenced from outside. Staying current with these practices and with the protections available for the logging frameworks you use is what keeps the record trustworthy.