PHP

Made by DeepSource

Audit required: Insecure use of logger PHP-A1011

Category: Security
Severity: Major
Tags: CWE-117, CWE-532, OWASP Top 10 2017 A10, OWASP Top 10 A09, SANS Top 25

Logging user-provided values directly can expose the application to several attack vectors, chiefly log injection (CWE-117) and leakage of sensitive data into log files (CWE-532). Superglobal arrays such as $_GET, $_POST, $_COOKIE, $_REQUEST and parts of $_SERVER hold values supplied by the client; they must be treated as tainted and untrusted. Passing these values to the logger without sanitization is therefore discouraged, and this issue is raised so that every such call is audited.

Attack scenario

Consider a web application that logs user input directly, without sanitization. A log file is a plain text stream, so whatever the attacker submits is written into it verbatim. For example, if the application logs user comments directly, an attacker could submit a comment containing a script tag:

// Simulates a request body; in a real request PHP populates $_POST itself.
$_POST['comment'] = "<script>alert('XSS');</script>";
error_log($_POST['comment']);

If the log is later opened in a web-based log viewer that renders HTML without escaping, the script executes in the viewer's browser: a stored Cross-Site Scripting (XSS) attack against whoever reads the logs, typically an administrator. The same missing sanitization lets an attacker embed carriage-return or line-feed characters to forge additional, legitimate-looking log entries (log injection, CWE-117), and any secret the client sends, such as a password or token, ends up on disk in the log (CWE-532).

Bad practice

// Untrusted request value written verbatim. Note that passing the whole $_POST
// array to error_log() is itself a bug: error_log() expects a string and raises
// a TypeError on PHP 8.
error_log('Message: ' . $_POST['message']);

Recommended

error_log('Message: ' . htmlspecialchars($_POST['message']));

htmlspecialchars() neutralizes HTML markup for a browser-based log viewer, but it leaves carriage returns, line feeds and other control characters untouched, so on its own it does not stop forged log lines. Strip or encode those characters as well, truncate oversized values, and never log secrets such as passwords, session identifiers or API tokens.
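The following is an added example, not code from the DeepSource rule page. It shows a log-safe encoder that covers the three weaknesses discussed above (HTML rendering in a log viewer, CR/LF log forgery, and secrets leaking into logs) alongside the vulnerable call. The function names log_safe() and redact_sensitive(), the list of sensitive field names, and the constructed request body are all illustrative assumptions; the code targets PHP 8.0 or later because of the mixed type hint.

```php
<?php
// Added example (not DeepSource's code): encoding tainted request values
// before they reach the logger. Names and the sensitive-key list are assumptions.

/**
 * Make a tainted value safe to write as part of a single log line.
 * - Flattens arrays, since error_log() only accepts a string.
 * - Escapes every control character, including \r and \n, so an attacker
 *   cannot terminate the line and forge a second entry (CWE-117).
 * - HTML-encodes the result so a web-based log viewer does not render
 *   injected markup (the XSS scenario above).
 * - Truncates so an oversized value cannot bloat the log.
 */
function log_safe(mixed $value, int $maxLen = 256): string
{
    if (is_array($value)) {
        $value = json_encode($value, JSON_UNESCAPED_SLASHES);
    } elseif (!is_string($value)) {
        $value = (string) $value;
    }

    // Replace each C0 control character and DEL with a visible \xNN escape.
    $value = preg_replace_callback(
        '/[\x00-\x1F\x7F]/',
        static fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
        $value
    );

    if (strlen($value) > $maxLen) {
        $value = substr($value, 0, $maxLen) . '...[truncated]';
    }

    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Drop fields that must never be written to a log (CWE-532). The key list is
 * an assumption for this example; adjust it to the application's own fields.
 */
function redact_sensitive(array $fields): array
{
    $sensitive = ['password', 'passwd', 'token', 'api_key', 'session', 'csrf'];
    foreach ($fields as $key => $_) {
        if (in_array(strtolower((string) $key), $sensitive, true)) {
            $fields[$key] = '[REDACTED]';
        }
    }
    return $fields;
}

// Constructed request body standing in for a real POST; not a live request.
$_POST = [
    'comment'  => "ok\n2024-01-01 00:00:00 admin login succeeded <script>alert(1)</script>",
    'password' => 'hunter2',
];

// Vulnerable: the embedded newline produces a forged second log entry, the
// script tag is stored unescaped, and the password is written to disk.
error_log('request=' . json_encode($_POST));

// Hardened: secrets redacted, one physical line, no renderable markup.
error_log('request=' . log_safe(redact_sensitive($_POST)));
error_log('comment=' . log_safe($_POST['comment']));
```

Apply the encoder at the logging boundary rather than at input time, so the stored value stays intact for the application while every log sink receives a single, inert line. If the application uses a PSR-3 logger instead of error_log(), the same functions can wrap the context values before they are interpolated into the message.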
