Credentials exposed in logs

Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers.

Recommendation

To avoid leaking credentials in application logs, consider the following:

  • Ensure that your logging framework or system does not include sensitive information like passwords or API keys in logs. Review your code for any sensitive data being logged.
  • Do not leave logging levels set to debug in production, so that sensitive information is not logged by the production app.
  • Remove debug log files before deploying the application into production.
  • Adjust configurations appropriately when software is transitioned from a debug state to production.
  • Remove any test credentials or hardcoded credentials before deploying the application.
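
As an added example that is not part of this advisory, the following Python code shows one way to apply the first two recommendations: a logging filter that redacts credential-like values before any handler emits them, and a logger setup that keeps debug output off in production. The key names and patterns it matches are assumptions for illustration.

```python
import logging
import re

# Assumed credential shapes: key=value or key: value pairs for common secret
# names, and HTTP Authorization header values. The key and separator are kept
# so the log line stays readable; only the value is replaced.
_KV_PATTERN = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token|access[_-]?token|authorization)"
    r"(\s*[=:]\s*)((?:Bearer|Basic)\s+\S+|\"[^\"]*\"|'[^']*'|\S+)"
)
# Bare "Bearer <token>" / "Basic <base64>" without a preceding key name.
_AUTH_PATTERN = re.compile(r"(?i)\b(Bearer|Basic)\s+[A-Za-z0-9._~+/=-]+")

REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Replace credential values in free text with a fixed marker."""
    text = _KV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}{REDACTED}", text)
    return _AUTH_PATTERN.sub(lambda m: f"{m.group(1)} {REDACTED}", text)


class CredentialRedactingFilter(logging.Filter):
    """Redacts the fully interpolated message, so secrets passed as %-style
    arguments are scrubbed as well as those embedded in the format string."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; drop the raw (unredacted) args
        return True


def configure_logger(name: str, production: bool) -> logging.Logger:
    """Production loggers run at INFO (debug output off) with redaction attached."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO if production else logging.DEBUG)
    handler = logging.StreamHandler()
    handler.addFilter(CredentialRedactingFilter())
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    log = configure_logger("app", production=True)
    # Constructed sample: a developer leftover that would otherwise leak a password.
    log.info("login user=%s password=%s", "alice", "hunter2")
    log.debug("Authorization: Bearer eyJhbGciOi.example")  # suppressed in production
```

The filter sits on the handler, so it also covers messages from third-party code that logs through the same logger.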

Standards

  • OWASP_MASVS_L1:
    • MSTG_STORAGE_3
  • OWASP_MASVS_L2:
    • MSTG_STORAGE_3
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_2
    • REQ_3_3
    • REQ_6_2
    • REQ_10_3
  • OWASP_MASVS_v2_1:
    • MASVS_STORAGE_2
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5