Sensitive information stored in logs - C-Sharp

Sensitive information stored in logs - C-Sharp

Need

Protection of sensitive information in log files

Context

  • Usage of C# for building robust and scalable applications
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
  • Usage of Microsoft.Extensions.Logging for logging and tracing in .NET applications

Description

Non compliant code

        public class HomeController : Controller
{
    private readonly ILogger _logger;

    public HomeController(ILogger logger)
    {
        _logger = logger;
    }

    public IActionResult Login(string username, string password)
    {
        _logger.LogInformation("User {Username} attempted to login with password {Password}", username, password);

        // Logic for user authentication

        return View();
    }
}
        
        

The above code is an example of an ASP.NET Core controller that logs sensitive information. In this case, the Login action logs both the username and password of a user attempting to login.

The ILogger interface is used to log information. The ILogger instance _logger is injected into the HomeController using dependency injection.

The vulnerability lies in the Login action where the ILogger.LogInformation method is used to log the username and password. This is a security vulnerability because it exposes sensitive user data in the application logs. If these logs were to be accessed by an unauthorized user, they could potentially use this information for malicious purposes.

Steps

  • Avoid logging sensitive information such as credentials, bank accounts, and file paths.
  • Instead of logging sensitive information directly, log only non-sensitive information or log a generic message.
  • If necessary, use placeholders or tokens in log messages to represent sensitive information without actually logging it.
  • Ensure that the log level is appropriately set to prevent sensitive information from being logged in production environments.
  • Regularly review and sanitize log files to remove any accidentally logged sensitive information.

Compliant code

        public class HomeController : Controller
{
    private readonly ILogger _logger;

    public HomeController(ILogger logger)
    {
        _logger = logger;
    }

    public IActionResult Login(string username, string password)
    {
        // Do not log password
        _logger.LogInformation("User {Username} attempted to login", username);

        // Logic for user authentication

        return View();
    }
}
        
        

The original code was logging sensitive information, specifically the user's password, which is a security vulnerability. This could potentially expose sensitive user information to unauthorized individuals who gain access to the log files.

The revised code removes the logging of the password. Now, when a user attempts to login, the log will only record the username of the user who is trying to login, not their password. This reduces the risk of sensitive information being exposed.

In general, it's important to avoid logging sensitive information such as credentials, bank accounts, and file paths. Instead, log only non-sensitive information or a generic message. If necessary, use placeholders or tokens in log messages to represent sensitive information without actually logging it. Ensure that the log level is appropriately set to prevent sensitive information from being logged in production environments. Regularly review and sanitize log files to remove any accidentally logged sensitive information.

References