This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Poor Logging Practice"

From OWASP
Jump to: navigation, search
m (Moved page into the right category. See Java space page for me details. Content has not been reviewed in this edit.)
 
(8 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Template:Vulnerability}}
 
{{Template:Vulnerability}}
 
{{Template:Fortify}}
 
{{Template:Fortify}}
 
__TOC__
 
 
[[ASDR Table of Contents]]
 
  
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
 
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
+
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]
[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]
 
 
 
  
 
==Description==
 
==Description==
  
 +
===Logger Not Declared Static Final===
 
Loggers should be declared to be static and final.
 
Loggers should be declared to be static and final.
  
 
It is good programming practice to share a single logger object between all of the instances of a particular class and to use the same logger for the duration of the program.
 
It is good programming practice to share a single logger object between all of the instances of a particular class and to use the same logger for the duration of the program.
  
 +
The following statement errantly declares a non-static logger.
  
==Risk Factors==
+
<pre>
 +
private final Logger logger =    
 +
Logger.getLogger(MyClass.class);
 +
</pre>
  
TBD
+
===Poor Logging Practice: Multiple Loggers===
 +
It is a poor logging practice to use multiple loggers rather than logging levels in a single class.
  
==Examples==
+
Good logging practice dictates the use of a single logger that supports different logging levels for each class.
  
The following statement errantly declares a non-static logger.
+
The following code errantly declares multiple loggers.
  
 
<pre>
 
<pre>
private final Logger logger =     
+
public class MyClass {
 +
  private final static Logger good =   
 +
Logger.getLogger(MyClass.class);
 +
  private final static Logger bad =   
 +
Logger.getLogger(MyClass.class);
 +
  private final static Logger ugly =     
 
Logger.getLogger(MyClass.class);
 
Logger.getLogger(MyClass.class);
 +
  ...
 +
}
 +
 +
</pre>
 +
 +
===Use of a System Output Stream===
 +
Using System.out or System.err rather than a dedicated logging facility makes it difficult to monitor the behavior of the program. It can also cause log messages accidentally returned to the end users, revealing internal information to attackers.
 +
 +
The first Java program that a developer learns to write often looks like this:
 +
 +
<pre>
 +
public class MyClass
 +
  public static void main(String[] args) {
 +
System.out.println("hello world");
 +
  }
 +
}
 
</pre>
 
</pre>
 +
 +
While most programmers go on to learn many nuances and subtleties about Java, a surprising number hang on to this first lesson and never give up on writing messages to standard output using System.out.println().
 +
 +
The problem is that writing directly to standard output or standard error is often used as an unstructured form of logging. Structured logging facilities provide features like logging levels, uniform formatting, a logger identifier, timestamps, and, perhaps most critically, the ability to direct the log messages to the right place. When the use of system output streams is jumbled together with the code that uses loggers properly, the result is often a well-kept log that is missing critical information. In addition, using system output streams can also cause log messages accidentally returned to end users, revealing application internal information to attackers.
 +
 +
Developers widely accept the need for structured logging, but many continue to use system output streams in their "pre-production" development. If the code you are reviewing is past the initial phases of development, use of System.out or System.err may indicate an oversight in the move to a structured logging system.
 +
 +
==Risk Factors==
 +
 +
TBD
 +
 +
==Examples==
  
  
Line 62: Line 95:
 
* http://www.link1.com
 
* http://www.link1.com
 
* [http://www.link2.com Title for the link2]
 
* [http://www.link2.com Title for the link2]
 
[[Category:FIXME|add links
 
 
In addition, one should classify vulnerability based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Vulnerability]]</nowiki>
 
 
Availability Vulnerability
 
 
Authorization Vulnerability
 
 
Authentication Vulnerability
 
 
Concurrency Vulnerability
 
 
Configuration Vulnerability
 
 
Cryptographic Vulnerability
 
 
Encoding Vulnerability
 
 
Error Handling Vulnerability
 
 
Input Validation Vulnerability
 
 
Logging and Auditing Vulnerability
 
 
Session Management Vulnerability]]
 
  
 
__NOTOC__
 
__NOTOC__
Line 97: Line 104:
 
[[Category:Implementation]]
 
[[Category:Implementation]]
 
[[Category:Code Snippet]]
 
[[Category:Code Snippet]]
[[Category:Logging and Auditting Vulnerability]]
+
[[Category:Logging and Auditing Vulnerability]]
 
[[Category:Vulnerability]]
 
[[Category:Vulnerability]]

Latest revision as of 21:49, 10 November 2017

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

This article includes content generously donated to OWASP by MicroFocus Logo.png

Last revision (mm/dd/yy): 11/10/2017

Vulnerabilities Table of Contents

Description

Logger Not Declared Static Final

Loggers should be declared to be static and final.

It is good programming practice to share a single logger object between all of the instances of a particular class and to use the same logger for the duration of the program.

The following statement errantly declares a non-static logger.

	private final Logger logger =     
				Logger.getLogger(MyClass.class);

Poor Logging Practice: Multiple Loggers

It is a poor logging practice to use multiple loggers rather than logging levels in a single class.

Good logging practice dictates the use of a single logger that supports different logging levels for each class.

The following code errantly declares multiple loggers.

	public class MyClass {
	  private final static Logger good =     
				Logger.getLogger(MyClass.class);
	  private final static Logger bad =     
				Logger.getLogger(MyClass.class);
	  private final static Logger ugly =     
				Logger.getLogger(MyClass.class);
	  ...
	}

Use of a System Output Stream

Using System.out or System.err rather than a dedicated logging facility makes it difficult to monitor the behavior of the program. It can also cause log messages accidentally returned to the end users, revealing internal information to attackers.

The first Java program that a developer learns to write often looks like this:

	public class MyClass 
	  public static void main(String[] args) {
		System.out.println("hello world");
	  }
	}

While most programmers go on to learn many nuances and subtleties about Java, a surprising number hang on to this first lesson and never give up on writing messages to standard output using System.out.println().

The problem is that writing directly to standard output or standard error is often used as an unstructured form of logging. Structured logging facilities provide features like logging levels, uniform formatting, a logger identifier, timestamps, and, perhaps most critically, the ability to direct the log messages to the right place. When the use of system output streams is jumbled together with the code that uses loggers properly, the result is often a well-kept log that is missing critical information. In addition, using system output streams can also cause log messages accidentally returned to end users, revealing application internal information to attackers.

Developers widely accept the need for structured logging, but many continue to use system output streams in their "pre-production" development. If the code you are reviewing is past the initial phases of development, use of System.out or System.err may indicate an oversight in the move to a structured logging system.

Risk Factors

TBD

Examples

Related Attacks


Related Vulnerabilities

Related Controls


Related Technical Impacts


References

Note: A reference to related CWE or CAPEC article should be added when exists. Eg: