OWASP Top 10 part 9: Security Logging and Monitoring Failures

21 October 2024 | 2 minutes | Author: Lady Liberty

The article deals with security logging and monitoring vulnerabilities. It addresses common logging errors such as insufficient logging, lack of monitoring, or unreliable access to logs.

Security logging and monitoring failures are deficiencies in the systems that record and monitor security events.

1. Insufficient logging

  • Description: Logging does not provide a sufficient level of detail for incident detection and investigation.

  • Example: Failure to record important events or insufficient detail in event logs.

2. Lack of monitoring

  • Description: Lack of continuous monitoring to detect abnormal or dangerous events.

  • Example: A web application has no monitoring configured to detect suspicious requests or access attempts.

3. Unreliable access to logs

  • Description: Inadequately protected access to event logs, which allows attackers to manipulate or delete entries.

  • Example: Logs are stored in open access without proper protection, which allows attackers to modify or delete them.

1. Disabled Logging

Blue team

Logging must be enabled to monitor events and anomalies in the system. To do this, configure logging in Nginx by making sure access and error logging are enabled in the /etc/nginx/nginx.conf configuration file. This will allow all important events to be recorded and help identify potential threats.
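As an added example (not from the original article), the following Python monitor reads Nginx combined-format access log lines, the format Nginx writes once access_log is enabled, and flags any client that collects several 401/403/404 responses within one minute, the kind of suspicious access attempt the "Lack of monitoring" section describes. The log lines, the client addresses and the threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Nginx "combined" access log format (the default once access_log is enabled).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (not from a real server): 198.51.100.23 probes
# protected or absent paths and collects 401/403/404 responses in a few seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Oct/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 403 162 "-" "curl/8.4.0"
198.51.100.23 - - [21/Oct/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.23 - - [21/Oct/2024:10:00:04 +0000] "POST /api/login HTTP/1.1" 401 47 "-" "curl/8.4.0"
198.51.100.23 - - [21/Oct/2024:10:00:05 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.4.0"
203.0.113.7 - - [21/Oct/2024:10:00:07 +0000] "GET /dashboard HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2024:10:05:00 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_suspicious_clients(log_text, threshold=4, window=timedelta(minutes=1)):
    """Return {ip: count} for clients with >= threshold 401/403/404 hits in any window-long span."""
    denied = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] in (401, 403, 404):
            denied[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in denied.items():
        times.sort()
        start = worst = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop hits that fell out of the window
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged
```

Running `find_suspicious_clients(SAMPLE_LOG)` flags only 198.51.100.23; the legitimate client with a single stray 404 stays below the threshold.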

Red team

Attackers may try to disable or delete logs to cover their tracks. It is worth checking whether there is an option to disable logging in the system. To do this, use commands to change the configuration files and observe how the system reacts to these changes. This will reveal potential weaknesses in logging.

2. Warnings/Errors Generate Bad or Unclear Log Messages

Blue team

Error messages should be clear and useful for diagnosing problems. Configure Sentry to handle PHP errors:

Configure Sentry or similar tools to monitor errors, alert on them, and provide detailed messages.

Red team

Test whether the system produces vague or generic error messages. Use invalid queries to check whether the system returns generic errors:

Observe the errors and assess how clear they are and how useful they would be to an attacker.

3. Logs are Only Stored Locally

Blue team

Logs should be stored in a centralized system to prevent them from being deleted during an attack. Configure the ELK Stack (Elasticsearch, Logstash, Kibana) for centralized log storage.

Red team

Test whether local logs can be deleted or their storage tampered with. Try deleting or modifying local logs:
