security flaw - veracode report - crlf injection

david · Apr 26, 2013 · Viewed 23.3k times

I got the Veracode report for my Java EE app. It flagged a flaw at every logging call (using log4j), so I added StringEscapeUtils.escapeJava(log) to all of them, but Veracode keeps reporting them as security flaws.

Is this the right solution? What else can I do?

This is the report info:

Title: Improper Output Neutralization for Logs

Description: A function call could result in a log forging attack. Writing unsanitized user-supplied data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible.

Recommendations: Avoid directly embedding user input in log files when possible. Sanitize user-supplied data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Only write custom blacklisting code when absolutely necessary. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

They recommend using ESAPI, but it is a very big project, so I need the simplest solution; that's why I tried the string escape 'StringEscapeUtils.escapeJava(log)'.

Thanks in advance!
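Added example, not code from the original question or answer: a JDK-only Java program that shows what the report's "log forging" means and the neutralization its recommendation describes (removing carriage returns and line feeds, and optionally HTML-encoding for a browser-based log viewer). The class and method names (LogNeutralizer, neutralize, neutralizeForHtmlViewer, formatEntry) and the sample inputs are constructed for this example; formatEntry stands in for a log4j call so the program runs without the library, and the commons-lang escapeJava() call from the question is not required here.

```java
import java.util.regex.Pattern;

/**
 * Added example (not from the original question or answer): demonstrates how
 * unsanitized input forges a second log line, and how neutralizing CR/LF
 * keeps the input inside a single entry. Uses only the JDK.
 */
public class LogNeutralizer {

    // Line terminators: any of them inside user input lets the input start a
    // new, fake log entry.
    private static final Pattern LINE_BREAKS = Pattern.compile("[\\r\\n]");

    /** Replace carriage returns and line feeds with a visible marker. */
    public static String neutralize(String input) {
        if (input == null) {
            return "null";
        }
        return LINE_BREAKS.matcher(input).replaceAll("_");
    }

    /** Also HTML-encode characters that matter to a browser-based log viewer. */
    public static String neutralizeForHtmlViewer(String input) {
        String noBreaks = neutralize(input);
        StringBuilder sb = new StringBuilder(noBreaks.length());
        for (char c : noBreaks.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Stand-in for a log4j call, so the effect is visible without the library. */
    private static String formatEntry(String level, String message) {
        return "2013-04-26 10:00:00 " + level + " " + message;
    }

    public static void main(String[] args) {
        // Constructed input: a username carrying an embedded line break followed
        // by text shaped like a second, fabricated log entry.
        String username = "alice\r\n2013-04-26 10:00:01 INFO login ok user=admin";

        System.out.println("--- unsanitized: two lines appear, the second is forged ---");
        System.out.println(formatEntry("WARN", "login failed user=" + username));

        System.out.println("--- neutralized: one line, break characters replaced ---");
        System.out.println(formatEntry("WARN", "login failed user=" + neutralize(username)));

        System.out.println("--- neutralized and HTML-encoded for a browser log viewer ---");
        String markup = "bob<i>tag</i>&co";
        System.out.println(formatEntry("WARN", "login failed user=" + neutralizeForHtmlViewer(markup)));
    }
}
```

Run it with `javac LogNeutralizer.java && java LogNeutralizer`. The first block of output shows why the scanner flags the call: the attacker-controlled value breaks the line and the second half is indistinguishable from a genuine entry. Replacing the break characters is the minimal fix the report's recommendation describes; the HTML-encoding variant covers the log-viewer case the report mentions, and which a pure CR/LF strip does not.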

Answer

Jim. · Apr 26, 2013

I head up the Veracode Application Security Consulting group, and can answer your question in detail. The best venue for the conversation is through [email protected], since the discussion may involve specific details about your findings that we probably want to avoid making public.

The short answer is that StringEscapeUtils.escapeJava() is effective at eliminating typical CRLF risk, but it is not one of the mechanisms our system automatically recognizes, as there are situations in which it may be insufficient.

The Veracode system has a mechanism for marking these findings appropriately so they do not cause confusion.

Please contact Veracode Support ([email protected]), and we'll be able to talk in detail.

Best regards, Jim.