Credentials exposed in logs
Description
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers.
Recommendation
- Remove debug log files before deploying the application into production.
- Adjust logging configuration (levels, destinations, and what is written) when software is transitioned from a debug state to production.
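The two recommendations above amount to one control: decide what reaches the log at the point where the logger is configured, not in each call site. The following is an added Python example (not code from this page or from any referenced standard) showing a logger that drops DEBUG output in production and masks credential values before any handler formats them. The regexes for `password`/`secret`/`token`/`api_key` pairs and `Authorization` headers, the `[REDACTED]` marker, and the sample log calls are all constructed assumptions for illustration; the same structure applies to Android's `Log` methods referenced in DRD04-J.

```python
import logging
import re
from typing import List, Tuple

# Constructed patterns for common credential shapes in free-text log lines.
# These are an assumption about what this application logs; extend them for your formats.
_KEY_VALUE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b(\s*[=:]\s*)(\S+)"
)
_AUTH_HEADER = re.compile(r"(?i)\b(authorization)(\s*:\s*)(basic|bearer)(\s+)(\S+)")

MASK = "[REDACTED]"  # assumed marker; keeps the key visible so the line stays useful


def redact(text: str) -> str:
    """Mask credential values while preserving the surrounding key text."""
    text = _KEY_VALUE.sub(lambda m: f"{m.group(1)}{m.group(2)}{MASK}", text)
    text = _AUTH_HEADER.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)}{m.group(4)}{MASK}", text
    )
    return text


class RedactingFilter(logging.Filter):
    """Rewrite each record's message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Resolve %-style args first so a credential passed as an argument is masked too.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the effect can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str, production: bool) -> Tuple[logging.Logger, ListHandler]:
    """Production: INFO and above only. Development: DEBUG as well. Both redact."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO if production else logging.DEBUG)
    # Filter on the logger, so every handler attached later receives the masked record.
    logger.addFilter(RedactingFilter())
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, handler


def simulate(production: bool) -> List[str]:
    """Emit constructed sample log calls and return what actually reached the handler."""
    logger, handler = build_logger("demo.prod" if production else "demo.dev", production)
    logger.debug("login attempt user=alice password=hunter2")
    logger.info("calling API with Authorization: Bearer eyJabc.def.ghi")
    logger.warning("config loaded: api_key=%s", "AKIA-EXAMPLE-KEY")
    return handler.lines


if __name__ == "__main__":
    for line in simulate(production=True):
        print(line)
```

In production the debug line never reaches a handler, and the two lines that do are written with the secret values replaced; in development the debug line is kept but still masked, so a later change of log level cannot reintroduce the exposure.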
Links
- Practices for Protecting Electronic Restricted Data: A Quick Reference
- CWE-200: Information Exposure
- CWE-359: Exposure of Private Information ("Privacy Violation")
- DRD04-J. Do not log sensitive information
- ERR02-J. Prevent exceptions while logging data
- Logging methods (Log sparingly)
Standards
- OWASP_MASVS_L1:
- MSTG_STORAGE_3
- OWASP_MASVS_L2:
- MSTG_STORAGE_3