Know Thy System:
Application File System Integrity
•Protecting the logs
–Make it harder for the hacker to cover their tracks
–Hold a real-time, one-way copy of the log
–Keep log files on a different, protected server
•Sanitizing log files
–Avoid being hacked while logging attacks, such as log spoofing attacks and format string attacks
–Sanitize user input before log insertion - block attacks trying to erase logs by sending special characters (like the ASCII value of backspaces)
–Remove other special characters
•e.g. ‘%’, used to run a ‘format string attack’ on logging utilities such as the syslog functions
Make sure that special control characters are sanitized before they are passed to the log files. The best way to do this is to scrub them before they are accepted as input.

The Web server owns and updates the log files.  Clever hackers will try to trick the Web server into altering the recorded data by throwing encoded backspace and delete characters into the URL.

Other special characters can be used to attack log files at the OS level by tricking the Web server into issuing commands to alter, remove, or otherwise damage system log files.
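The sanitizing step described above, as an added example (not part of the original slides): a C routine that escapes backspace, delete, CR/LF and ‘%’ before a URL reaches syslog, and passes user data only as an argument to a constant format string. The function names, the \xHH escape style and the 1024-byte buffer are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Copy src into dst (capacity cap). Bytes that could alter or forge a log
 * entry are rewritten as \xHH: control characters (backspace 0x08, CR, LF,
 * ESC, DEL 0x7f), non-ASCII bytes, '%' and the escape character '\' itself.
 * Returns the length written, or -1 if dst is too small. */
int sanitize_log_field(const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int unsafe = c < 0x20 || c >= 0x7f || c == '%' || c == '\\';
        size_t need = unsafe ? 4 : 1;
        if (o + need >= cap) {          /* always leave room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (unsafe)
            o += (size_t)snprintf(dst + o, 5, "\\x%02x", (unsigned)c);
        else
            dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Log one request URL. The format string is a constant, so user data is only
 * ever an argument to syslog(), never the format itself. */
int log_request(const char *url)
{
    char clean[1024];

    if (sanitize_log_field(url, clean, sizeof clean) < 0) {
        syslog(LOG_WARNING, "request URL too long to log safely");
        return -1;
    }
    syslog(LOG_INFO, "request url=%s", clean);
    return 0;
}

int main(void)
{
    /* Constructed sample: backspaces, a forged second line, format specifiers. */
    return log_request("/a\b\b\r\nfake entry %n%s");
}
```

Escaping rather than deleting the characters keeps the attempted tampering visible to whoever reads the log later.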

IMAGE – hacker trying to reach for a cookie jar (labeled log files) on a shelf out of reach