Web applications widely use logging functionality, but improper handling of logs can introduce serious security threats. An attacker can trigger the execution of malicious data by writing it to the web application logs and then accessing the view–logs interface, resulting in a web application log injection vulnerability. However, detecting this type of vulnerability requires automatic discovery of log-injectable interfaces and view–logs interfaces, which is difficult. In addition, bypassing the application-specific input-filtering checks to write an effective payload to the log is also challenging. This paper proposes LogInjector, an efficient method for detecting web application log injection vulnerabilities. First, it obtains the log storage form and location and then finds the log-injectable interfaces through an extended dynamic crawler. Second, it automatically identifies the web application's view–logs interfaces. Finally, LogInjector uses a dynamic testing approach based on feedback-guided mutation to detect web application log injection vulnerabilities. To verify the effectiveness of LogInjector, we test it on 14 popular real-world web applications and compare it with Black Widow, the state-of-the-art web vulnerability scanner. LogInjector detects 16 web application log injection vulnerabilities, including 6 zero-day vulnerabilities, while Black Widow can only detect three log injection vulnerabilities, demonstrating the effectiveness of LogInjector in practice.
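The write-then-view flow described in the abstract can be illustrated with a small added example, which is not code from the paper or from LogInjector. It assumes a log entry that records a request field and a view–logs page that renders entries as HTML; all function names and the sample value are constructed for illustration.

```python
import html

# Constructed sample: a request field (e.g. a User-Agent header) that gets logged.
SAMPLE_FIELD = ("Mozilla/5.0\r\n2024-01-01 00:00:00 INFO login ok user=admin "
                "<script>alert(1)</script>")

def format_entry_unsafe(ts, level, field):
    """Log-injectable write: the field is stored verbatim, so CR/LF forges lines."""
    return f"{ts} {level} ua={field}\n"

def format_entry_safe(ts, level, field):
    """Escape backslashes and non-printable characters so one event stays one line."""
    cleaned = "".join(
        ch if ch.isprintable() and ch != "\\"
        else ch.encode("unicode_escape").decode("ascii")
        for ch in field
    )
    return f"{ts} {level} ua={cleaned}\n"

def render_view_unsafe(log_text):
    """View-logs page that concatenates raw log lines into HTML."""
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in log_text.splitlines())
    return f"<table>{rows}</table>"

def render_view_safe(log_text):
    """Same page, but each line is HTML-encoded at output time."""
    rows = "".join(
        f"<tr><td>{html.escape(line, quote=True)}</td></tr>"
        for line in log_text.splitlines()
    )
    return f"<table>{rows}</table>"

if __name__ == "__main__":
    ts = "2024-01-01 00:00:00"
    raw = format_entry_unsafe(ts, "WARN", SAMPLE_FIELD)
    safe = format_entry_safe(ts, "WARN", SAMPLE_FIELD)
    print("lines written (unsafe):", len(raw.splitlines()))
    print("lines written (safe):  ", len(safe.splitlines()))
    print("markup reaches viewer (unsafe view):", "<script>" in render_view_unsafe(raw))
    print("markup reaches viewer (safe view):  ", "<script>" in render_view_safe(raw))
```

Write-time escaping keeps each event on one line but leaves markup characters in the stored text, so the viewer still has to encode on output; the two controls cover different halves of the flow.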