Credentials exposed in logs

Credentials exposed in logs

Risk: medium

Description

While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers.

Recommendation

• Remove debug log files before deploying the application into production
• Adjust configurations appropriately when software is transitioned from a debug state to production.

Links

• Practices for Protecting Electronic Restricted Data: A Quick Reference
• CWE-200: Information Exposure
• CWE-359: Exposure of Private Information ("Privacy Violation")
• DRD04-J. Do not log sensitive information
• ERR02-J. Prevent exceptions while logging data
• Logging methods ( Log sparingly )

Standards

• OWASP_MASVS_L1:
  • MSTG_STORAGE_3
• OWASP_MASVS_L2:
  • MSTG_STORAGE_3
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_3_2
  • REQ_3_3
  • REQ_6_2
  • REQ_10_3