{
    "slug": "log_injection",
    "term": "Log Injection",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Writing unsanitised user input into log files allows attackers to forge log entries or inject control characters.",
    "long": "Log injection lets an attacker craft input containing newlines to insert fake log entries — hiding their own activity or framing innocent users. Input containing terminal escape sequences can also be used to exploit log-viewing tools. Sensitive data (passwords, tokens, credit card numbers) should never appear in logs at all. Safe logging strips or escapes newlines and other control characters, limits entry length, strips HTML tags so entries render harmlessly in web-based log viewers, and redacts sensitive field names.",
    "aliases": [
        "log forging",
        "log poisoning input",
        "log tampering"
    ],
    "tags": [
        "injection",
        "logging",
        "cwe-117"
    ],
    "misconception": "Log injection is often dismissed as a cosmetic issue that only affects log readability. In reality, injecting newlines lets attackers forge log entries, hide their activity, and — when logs are included via LFI — escalate to remote code execution.",
    "why_it_matters": "Attacker-controlled log entries can hide malicious activity, fake legitimate events, or inject executable code if logs are later parsed by a vulnerable tool.",
    "common_mistakes": [
        "Logging raw $_SERVER['HTTP_USER_AGENT'] or referer strings, which may contain newlines and control characters.",
        "Not stripping or escaping newline characters from all values before writing to log files.",
        "Leaving security logs open to injected fake entries that obscure a breach.",
        "Including user-supplied email addresses or usernames in log output without sanitisation."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "sensitive_data_exposure"
    ],
    "prerequisites": [
        "input_validation",
        "structured_logging",
        "information_disclosure"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Log_Injection",
        "https://cwe.mitre.org/data/definitions/117.html"
    ],
    "bad_code": "// User input written directly to log — attacker forges log entries\n\\$user = \\$_GET['username'];\nerror_log(\"Login attempt for user: \\$user\");\n// ?username=admin%0aINFO: Login successful for admin",
    "good_code": "// Sanitise newlines before logging user-supplied values\n\\$user = str_replace([\"\\r\",\"\\n\",\"\\t\"], ' ', \\$_GET['username'] ?? '');\n\n// Better: structured logging — each field is JSON-encoded\n\\$logger->info('Login attempt', [\n    'username' => \\$user,   // newlines harmless inside JSON string\n    'ip'       => \\$request->ip(),\n]);",
    "quick_fix": "Strip newlines from any user data before logging, and use structured logging (Monolog with a JSON handler) so each field stays separate.",
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/log_injection",
        "html_url": "https://codeclaritylab.com/glossary/log_injection",
        "json_url": "https://codeclaritylab.com/glossary/log_injection.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Log Injection](https://codeclaritylab.com/glossary/log_injection) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/log_injection"
            }
        }
    }
}