CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Log Injection

Security CWE-117 OWASP A9:2021 CVSS 5.3 PHP 5.0+ Intermediate
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list Semgrep as the primary tool, with a specific code pattern targeting raw user input in logging calls. This is not caught by a compiler or default linter, but Semgrep (a SAST tool) can detect the pattern automatically when configured.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix states: strip newlines from user data before logging, or switch to structured logging with Monolog/JSON handler. This is a small, repeatable fix pattern applied wherever user input is logged — not a single one-liner across the whole codebase, but also not a cross-cutting architectural refactor. It requires identifying and patching multiple logging call sites.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). Log injection applies to web, cli, and queue-worker contexts, so it touches multiple entry points, but it is fundamentally a logging concern. Once structured logging or a sanitisation helper is in place, the ongoing burden is modest. It does not reshape the architecture or impose a persistent productivity tax on unrelated work streams.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states that developers believe log injection is 'only a cosmetic issue affecting log readability.' In reality it can forge security log entries to hide breaches and, via LFI, escalate to remote code execution. This contradicts the intuitive belief that logs are inert output, making it a serious cognitive trap that experienced developers still frequently fall into.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-10 · reviewed by human

Also Known As

log forging log poisoning input log tampering

TL;DR

Writing unsanitised user input into log files allows attackers to forge log entries or inject control characters.

Explanation

Log injection lets an attacker craft input containing newlines to insert fake log entries — hiding their activity or framing innocent users. It can also be used to inject terminal escape sequences that exploit log-viewing tools. Sensitive data (passwords, tokens, credit card numbers) should never appear in logs at all. Safe logging strips newlines, limits length, strips HTML tags, and redacts sensitive field names.

Common Misconception

Log injection is only a cosmetic issue affecting log readability. Injecting newlines lets attackers forge log entries, hide their activity, and — when logs are included via LFI — escalate to remote code execution.

Why It Matters

Attacker-controlled log entries can hide malicious activity, fake legitimate events, or inject executable code if logs are later parsed by a vulnerable tool.

Common Mistakes

  • Logging raw $_SERVER['HTTP_USER_AGENT'] or referer strings that contain newlines and control characters.
  • Not stripping or escaping newline characters from all values before writing to log files.
  • Using log injection to create fake entries in security logs to obscure a breach.
  • Including user-supplied email addresses or usernames in log output without sanitisation.

Code Examples

✗ Vulnerable 
// User input written directly to log — attacker forges log entries
$user = $_GET['username'];
error_log("Login attempt for user: $user");
// ?username=admin%0aINFO: Login successful for admin
✓ Fixed 
// Sanitise newlines before logging user-supplied values
$user = str_replace(["\r","\n","\t"], ' ', $_GET['username'] ?? '');

// Better: structured logging — each field is JSON-encoded
$logger->info('Login attempt', [
    'username' => $user,   // newlines harmless inside JSON string
    'ip'       => $request->ip(),
]);
Added 15 Mar 2026
Edited 22 Mar 2026
Views 47

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 1 ping W 1 ping T 0 pings F 0 pings S 1 ping S 1 ping M 0 pings T 0 pings W 0 pings T 4 pings F 0 pings S 0 pings S 1 ping M 2 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 1 ping F 0 pings S 1 ping S 1 ping M 1 ping T 0 pings W
Agents 0
No pings yet today
PetalBot 1
Ahrefs 8 Amazonbot 7 Scrapy 6 SEMrush 5 Google 3 Perplexity 2 Claude 2 Bing 2 ChatGPT 2 Meta AI 1 Majestic 1 PetalBot 1
Also referenced
Sensitive Data Exposure 64
How they use it
crawler 37 crawler_json 3
Related categories
security 7.9k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Strip newlines from any user data before logging; use structured logging (Monolog with JSON handler) so fields are always separate
📦 Applies To
PHP 5.0+ web cli queue-worker
🔗 Prerequisites
🔍 Detection Hints
error_log($_GET[ or $logger->info($_POST[ with raw user input containing newlines
Auto-detectable: ✓ Yes semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Medium ✓ Auto-fixable Fix: Low Context: Line
CWE-117
✓ schema.org compliant