Technical information leak - Console functions - C-Sharp

Technical information leak - Console functions - C-Sharp

Need

Secure logging and information handling

Context

  • Usage of C# for developing robust and efficient software applications
  • Usage of System for accessing and manipulating system-level resources and functionalities

Description

Non compliant code

        using System;

namespace VulnerableApp
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Application Started");

            try
            {
                Console.WriteLine("Trying to connect to the database");
                // Database connection code here
            }
            catch (Exception ex)
            {
                Console.WriteLine("An error occurred: " + ex.Message);
            }

            Console.WriteLine("Application Ended");
        }
    }
}
        
        

The code above is a simple representation of a C# backend application using ASP.NET Core. The application tries to connect to a database and logs the progress and any exceptions that occur during the process.

The vulnerability lies in the usage of Console.WriteLine() function which is used to log information to the console.

1. Console.WriteLine("Application Started");
- This line of code logs the information that the application has started. This could potentially give away information about when certain processes begin in the application.

2. Console.WriteLine("Trying to connect to the database");
- This line of code logs the information that the application is trying to connect to the database. This could potentially give away information about the application's interactions with the database.

3. Console.WriteLine("An error occurred: " + ex.Message);
- This line of code logs any exception that occurs in the application. This could potentially give away sensitive information about the application's structure, logic, or technologies used.

4. Console.WriteLine("Application Ended");
- This line of code logs the information that the application has ended. This could potentially give away information about when certain processes end in the application.

By logging such information to the console, it could potentially be accessed by unauthorized individuals who could use this information to exploit vulnerabilities in the application. Therefore, it is recommended to avoid using console functions to log information in a production environment.

Steps

  • Remove or replace the usage of console functions (log, info, warning) in production environments.
  • Implement a proper logging framework, such as Serilog or NLog, to handle logging in the application.
  • Configure the logging framework to write logs to a secure and centralized location, such as a log file or a log management system.
  • Ensure that sensitive information, such as database connection strings or error messages, are not logged or are properly obfuscated.
  • Implement proper exception handling and logging within the catch block to capture and handle exceptions without leaking sensitive information.

Compliant code

        using System;
using Serilog;

namespace SecureApp
{
    class Program
    {
        static void Main(string[] args)
        {
            Log.Logger = new LoggerConfiguration()
                .WriteTo.Console()
                .WriteTo.File("logs\\\\myapp.txt", rollingInterval: RollingInterval.Day)
                .CreateLogger();

            Log.Information("Application Started");

            try
            {
                Log.Information("Trying to connect to the database");
                // Database connection code here
            }
            catch (Exception ex)
            {
                Log.Error("An error occurred: {Message}", ex.Message);
            }

            Log.Information("Application Ended");
            Log.CloseAndFlush();
        }
    }
}
        
        

The above code uses the Serilog logging library instead of the Console functions to log information. Serilog is a robust and flexible logging framework that can be easily configured to write logs to various outputs (sinks), such as the console, files, or log management systems.

In the Main method, the Log.Logger is configured to write logs to the console and a daily rolling file. The Log.Information method is used to log informational messages, and the Log.Error method is used to log error messages.

In the catch block, the exception message is logged as an error. Note that the exception message is included as a structured property ( {Message}) in the log message template. This allows Serilog to capture and store the property in a structured way, which can be useful for filtering or searching logs.

Finally, the Log.CloseAndFlush method is called to ensure that all log events are flushed to their sinks before the application exits.

This approach ensures that logs are written to a secure and centralized location, and that sensitive information is not leaked through the logs. It also provides a more robust and flexible logging solution than using Console functions.

References