Web Security Workbook

# Security Logging and Monitoring Failures

Logging and monitoring failures helps developers to detect, escalate and respond to attacks.

A09:2021

# Background

# Context

Logging describes the creation of so called log files. These files store data about events that take place within the system. With these files a developer should be capable of recreating certain time frames in order to understand a users interaction with the system to recognize attacks.

This following only covers when you should log, what should be contained in a log and what should not. Further details: OWASP Logging Cheat Sheet (opens new window)

When should you log? At:

  • Requests and responses
  • Authentication processes
    • Usage of certain privileges
    • Changes in an account
  • Application metainformation
    • Transactions and their size
    • Shutting down and starting
    • Crashes
    • Configuration changes
  • Errors
    • Input or output
    • Authorization
    • Runtime

What should be logged? Answer:

Question Description
When Timestamp with its timezone
Where Location of the application the log originates from. For example URL endpoint and HTTP method
Who A distinct attribute of the user causing the log (session information (like the session id) is not recommended)
What The resource causing the log (for example the Book resource with id 123)
Why Short description of the reasons why the log was created (for example "Creation of Book 123")

What should not be logged:

  • Source code
  • Access tokens
  • Sensitive personal data
  • Secrets of any kind
  • ...

# Problems

  • Data needs to be logged in an understandable format
  • Balance between necessary and unnecessary logs needs to be found
  • Logs need to be protected
  • Logs also have to be monitored

# Solutions

# Technology

As seen above, logging is, just as authorization, a task that is not generic. Therefore, the following loggers only support the creation of logs without offering high Security by Default. The only exception is Express' morgan (opens new window) library that partially fulfills the above requirements. Nevertheless, developers still have to care about storage, protection and monitoring of these logs.

For a more detailed review of the existing loggers (morgan, winston, Spring Boot logging) please review the Master's Thesis

Last Updated: 7/3/2022, 3:51:46 PM

Server-Side Request Forgery (SSRF)