Insufficient Logging and Monitoring
Hello Friends!
This is my 20th blog on web application security penetration testing. In this blog I will explain how sensitive information ends up in system logs. This bug falls under the OWASP Top 10 category Insufficient Logging and Monitoring; on the mobile side it is also covered by the OWASP Mobile Top 10 category Insecure Data Storage, since the data lands in the device's logcat buffer.
In my last blog I explained Account Takeover via Host Header Injection. I hope everyone liked it; if you haven't read it yet, please follow along.
To demonstrate this with a live example, I will use an Android app I tested for a vendor. To honour the client's confidentiality policy, let's call the app "redacted" and the Android package file I was given redacted.apk.
Note: This example requires a little knowledge of Android application penetration testing (this is a runtime test: we read the device log while using the app, rather than only inspecting the APK). If you don't have that knowledge yet, don't worry. I am planning a separate series of blogs on Android pen-testing and will cover that part later.
Pre-exploitation steps:
- I installed the redacted.apk app on my rooted Android device.
- I connected my phone and laptop to the same Wi-Fi network.
- Install Android Platform-Tools on your Windows machine; it ships with the adb utility.
- To connect the rooted phone to the laptop, I used the ADB Wi-Fi app on the rooted device, which enables adb over TCP and shows the device's IP address and the port to connect to (5555 by default). Here, e.g. [172.31.98.42:5555]. Keep in mind that any host on that network can then attempt to connect to the adb daemon, so do this on a test network only and switch it off when you are done.
Below is the simple step-by-step POC:
1. Navigate to the platform-tools folder in a Windows command prompt.
2. Connect your laptop to the phone using adb connect.
Command: adb connect IP:PORT
(Here: adb connect 172.31.98.42:5555.) Notice that we have connected to the rooted Android device successfully from our Windows computer.
3. Run the command below to capture all logs while the redacted mobile app is being used.
Note: The app is running on the rooted Android device.
Command: adb logcat > OutputLogFile.txt
Tip: clear the existing log buffer first (logcat's -c option) so the file only contains what happens during your test, and on Android 7 and later restrict capture to the app's process with logcat's --pid option; otherwise the file fills up with messages from every other process on the device.
Now, I navigated to the screens below in the Android app:
Registration page [filled in registration details]
Login page [logged in to the application]
Booking page [entered booking details]
After the above activities, open our log file OutputLogFile.txt, which was capturing the application logs in the background while the user performed the above activities in the redacted mobile app.
Registration details were written to the application logs, as shown below:
Login details were found in the application logs, as shown below:
Booking details were found in the application logs, as shown below:
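Reading a multi-megabyte logcat dump by eye is error-prone, so here is an added example scanner (my own code for this blog, not part of the original post or of the tested app) that parses a saved logcat file in the default threadtime format and flags e-mail addresses, password/PIN/CVV/OTP-style key=value pairs, Bearer tokens and Luhn-valid card numbers. Every value is masked before it is reported, so the output can go straight into a finding without re-leaking the data. The sample log lines, tags, the package name com.redacted.app and all the values in them are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "adb logcat" output in the default threadtime format.
# These lines are invented for this example; they are not from the tested app.
SAMPLE_LOGCAT = """\
--------- beginning of main
05-12 10:21:03.117  4211  4211 D RegisterActivity: register payload={"name":"Jane Doe","email":"jane@example.com","password":"Summer2023!","phone":"+919876543210"}
05-12 10:21:03.120   912  1044 I ActivityManager: Displayed com.redacted.app/.HomeActivity: +312ms
05-12 10:21:40.502  4211  4230 D LoginActivity: login username=jane@example.com password=Summer2023!
05-12 10:21:41.009  4211  4230 D ApiClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.sflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
05-12 10:22:10.331  4211  4230 D BookingActivity: booking card=4111111111111111 exp=12/26 cvv=123 amount=1499.00
05-12 10:22:10.335  4211  4211 W System.err: java.net.SocketTimeoutException: timeout
"""


@dataclass
class Finding:
    line_no: int
    tag: str
    kind: str
    detail: str  # key and masked value; the secret itself is never stored


# threadtime line: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>\S+?)\s*:\s?(?P<msg>.*)$"
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# key=value or "key":"value" pairs whose key names a secret
CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|pin|cvv|otp)\b[\"']?\s*[=:]\s*[\"']?([^\s\"',}]+)"
)
BEARER_RE = re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]+)")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check, so random digit runs (IDs, timestamps) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last `keep` characters so the report itself is safe to share."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def scan_logcat(text: str, pid: Optional[str] = None) -> List[Finding]:
    """Parse threadtime logcat lines and flag sensitive values.

    `pid` limits the scan to one process; take the app's PID from
    `adb shell pidof <package>` to skip every other process's chatter.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # buffer headers such as "--------- beginning of main"
        if pid is not None and m["pid"] != pid:
            continue
        tag, msg = m["tag"], m["msg"]
        for email in EMAIL_RE.findall(msg):
            findings.append(Finding(line_no, tag, "email", mask(email)))
        for key, value in CRED_RE.findall(msg):
            findings.append(Finding(line_no, tag, "credential", f"{key.lower()}={mask(value)}"))
        for token in BEARER_RE.findall(msg):
            findings.append(Finding(line_no, tag, "bearer_token", mask(token)))
        for pan in PAN_RE.findall(msg):
            if luhn_ok(pan):
                findings.append(Finding(line_no, tag, "card_number", mask(pan)))
    return findings


def count_by_tag(findings: List[Finding]) -> Dict[str, int]:
    """Which log tags (roughly, which classes) leak the most; handy for the report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.tag] = counts.get(f.tag, 0) + 1
    return counts


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python logscan.py OutputLogFile.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOGCAT
    results = scan_logcat(text)
    for f in results:
        print(f"line {f.line_no:>6} {f.tag:<18} {f.kind:<13} {f.detail}")
    print("per tag:", count_by_tag(results))
```

Run it against the captured OutputLogFile.txt (or with no argument to see it work on the constructed sample). It is a triage aid, not proof: a clean run does not show that the app logs nothing, because secrets can sit under keys this list does not know about or be base64-encoded, so still read the lines around each hit and the tags that belong to the app.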
Impact:
The information in the logs exposes credentials, session tokens and booking/payment details to anyone who can read the device log: a malicious app on a rooted or older device (since Android 4.1 third-party apps can no longer read other apps' log output, so on a stock modern device the exposure is narrower), anyone with physical or adb access to the phone, and whoever receives a bug report or crash-reporting upload that has logcat attached. With the logged credentials or bearer token an attacker can take over the user's account and reuse the card details.
Remediation:
For web applications, do not expose log files or logging endpoints to public users, for example https://www.redacted.com/logs.txt.
For mobile applications, review the application code and remove all log messages that were added during development. Logs should only be used to identify application errors and must not contain sensitive customer information (credentials, session or bearer tokens, personal details, card numbers; the CVV must never be stored anywhere at all). Because log statements tend to come back, strip android.util.Log calls from release builds at build time (R8/ProGuard can remove them with an -assumenosideeffects rule) and re-run the logcat check above against the release build, not just the debug build.
I hope you are enjoying reading my blogs. If you have any suggestions, please comment, and do subscribe to my Medium channel.
Please follow along for more reads!
Thanks!