This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Poor Logging Practice: Use of a System Output Stream"

From OWASP
Jump to: navigation, search
(Added contents provided by Fortify.)
 
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Template:Vulnerability}}
+
{{template:CandidateForDeletion}}
{{Template:Fortify}}
 
  
==Abstract==
+
#REDIRECT [[Poor Logging Practice]]
  
Using System.out or System.err rather than a dedicated logging facility makes it difficult to monitor the behavior of the program. It can also cause logging information accidentally returned to the end users, revealing internal information to attackers.
+
 
 +
 
 +
 
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
  
'''Examples'''
+
Using System.out or System.err rather than a dedicated logging facility makes it difficult to monitor the behavior of the program. It can also cause log messages accidentally returned to the end users, revealing internal information to attackers.
 +
 
 +
 
 +
==Risk Factors==
 +
 
 +
TBD
 +
 
 +
 
 +
==Examples==
  
 
The first Java program that a developer learns to write often looks like this:
 
The first Java program that a developer learns to write often looks like this:
Line 26: Line 36:
 
Developers widely accept the need for structured logging, but many continue to use system output streams in their "pre-production" development. If the code you are reviewing is past the initial phases of development, use of System.out or System.err may indicate an oversight in the move to a structured logging system.
 
Developers widely accept the need for structured logging, but many continue to use system output streams in their "pre-production" development. If the code you are reviewing is past the initial phases of development, use of System.out or System.err may indicate an oversight in the move to a structured logging system.
  
==Related Threats==
 
  
==Related Attacks==
+
==Related [[Attacks]]==
 +
 
 +
* [[Attack 1]]
 +
* [[Attack 2]]
 +
 
 +
 
 +
==Related [[Vulnerabilities]]==
 +
 
 +
* [[Vulnerability 1]]
 +
* [[Vulnerabiltiy 2]]
 +
 
 +
==Related [[Controls]]==
 +
 
 +
* [[Control 1]]
 +
* [[Control 2]]
 +
 
  
==Related Vulnerabilities==
+
==Related [[Technical Impacts]]==
  
==Related Countermeasures==
+
* [[Technical Impact 1]]
 +
* [[Technical Impact 2]]
  
==Categories==
 
  
[[Category:Code Quality Vulnerability]]
+
==References==
 +
Note: A reference to related [http://cwe.mitre.org/ CWE] or [http://capec.mitre.org/ CAPEC] article should be added when exists. Eg:
  
[[Category:Java]]
+
* [http://cwe.mitre.org/data/definitions/79.html CWE 79].
 +
* http://www.link1.com
 +
* [http://www.link2.com Title for the link2]
  
[[Category:Implementation]]
 
  
[[Category:Code Snippet]]
 
  
[[Category:Logging and Auditing Vulnerability]]
+
__NOTOC__

Latest revision as of 23:28, 7 April 2009

Template:CandidateForDeletion

#REDIRECT Poor Logging Practice



Last revision (mm/dd/yy): 04/7/2009

Description

Using System.out or System.err rather than a dedicated logging facility makes it difficult to monitor the behavior of the program. It can also cause log messages accidentally returned to the end users, revealing internal information to attackers.


Risk Factors

TBD


Examples

The first Java program that a developer learns to write often looks like this:

	public class MyClass 
	  public static void main(String[] args) {
		System.out.println("hello world");
	  }
	}

While most programmers go on to learn many nuances and subtleties about Java, a surprising number hang on to this first lesson and never give up on writing messages to standard output using System.out.println().

The problem is that writing directly to standard output or standard error is often used as an unstructured form of logging. Structured logging facilities provide features like logging levels, uniform formatting, a logger identifier, timestamps, and, perhaps most critically, the ability to direct the log messages to the right place. When the use of system output streams is jumbled together with the code that uses loggers properly, the result is often a well-kept log that is missing critical information. In addition, using system output streams can also cause log messages accidentally returned to end users, revealing application internal information to attackers.

Developers widely accept the need for structured logging, but many continue to use system output streams in their "pre-production" development. If the code you are reviewing is past the initial phases of development, use of System.out or System.err may indicate an oversight in the move to a structured logging system.


Related Attacks


Related Vulnerabilities

Related Controls


Related Technical Impacts


References

Note: A reference to related CWE or CAPEC article should be added when exists. Eg: