Answered step by step
Verified Expert Solution
Question
1 Approved Answer
Could someone help me understand this input validation and data validation(do not log user input) i really need help if you could explain this to
Could someone help me understand this input validation and data validation(do not log user input) i really need help if you could explain this to me in detail it is an SEI cert oracle coding standard for java.
IDSO3-J. Do not log unsanitized user input Created by Dhruv Mohindra, last modified by Will Snavely on Feb 12, 2018 A log injection vulnerability arises when a log entry contains unsanitized user input. A malicious user can insert fake log data and consequently deceive systenm administrators as to the system's behavior [OWASP 2008]. For example, an attacker might split a legitimate log entry into two log entries by entering a carriage return and line feed (CRLF) sequence to mislead an auditor. Log injection attacks can be prevented by sanitizing and validating any untrusted input sent to a log Logging unsanitized user input can also result in leaking sensitive data across a trust boundary. For example, an attacker might inject a script into a log file such that when the file is viewed using a web browser, the browser could provide the attacker with a copy of the administrator's cookie so that the attacker might gain access as the administrator. Noncompliant Code Example This noncompliant code example logs untrusted data from an unauthenticated user without data sanitization. if (loginSuccessful) logger.severe("User login succeeded for: " username); else ( logger.severe("User login failed for:"username); Without sanitization, a log injection attack is possible. A standard log message when username is guest might look like this: May 15, 2011 2:19:10 PM java.util.logging. LogManagersRootLogger log SEVERE: User login failed for: guestStep by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access to Expert-Tailored Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started