Corgea LogoCorgea Security Hub

CWE-778: Insufficient Logging

Learn about CWE-778 (Insufficient Logging), its security impact, exploitation methods, and prevention guidelines.

What is Insufficient Logging?

• Overview: Insufficient Logging (CWE-778) occurs when a software product fails to log security-critical events or omits important details in the logs, making it difficult to detect malicious activities or conduct forensic analysis after an attack.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by performing actions that trigger security-critical events without being detected due to insufficient logging.
  • Common attack patterns include repeated failed login attempts, unauthorized access attempts, or privilege escalation activities that go unnoticed due to inadequate logging.

• Security Impact:

  • Direct consequences include the inability to detect and respond to security incidents in a timely manner.
  • Potential cascading effects involve an increased risk of undetected breaches and attacks, making it challenging to trace and attribute malicious activities.
  • The business impact could involve financial loss, reputational damage, and compliance violations due to inadequate incident detection and response capabilities.

• Prevention Guidelines:

  • Specific code-level fixes include ensuring that logging mechanisms record all security-critical events with sufficient detail, such as timestamps, user IDs, and event descriptions.
  • Security best practices involve configuring logging systems to capture detailed logs, regularly reviewing and analyzing logs for suspicious activities, and storing logs in a secure, tamper-proof manner.
  • Recommended tools and frameworks include using centralized logging solutions like ELK Stack, Splunk, or cloud-native logging services, and enabling detailed logging configurations provided by cloud service providers.
Corgea can automatically detect and fix Insufficient Logging in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Medium

Affected Languages: Not Language-Specific

Affected Technologies: Cloud Computing

Vulnerable Code Example

Python Example

import logging

def authenticate_user(username, password):
    # Simulate authentication process
    if username == "admin" and password == "password123":
        return True
    else:
        return False

def process_login(username, password):
    if not authenticate_user(username, password):
        # Vulnerable: Insufficient logging of failed login attempt
        logging.warning("Authentication failed.")  # Insufficient detail in logging
        return "Login failed"
    return "Login successful"

# Simulating a login attempt
process_login("admin", "wrongpassword")

Explanation:

  • The logging statement lacks context about the failed login attempt, such as the username, which is essential for identifying patterns or unauthorized access attempts.
  • Without this information, it becomes difficult to perform effective security monitoring and incident response.

How to fix Insufficient Logging?

To address insufficient logging, it's crucial to capture detailed information about security-critical events, ensuring logs include who attempted the action, when it occurred, and potentially where it originated from. However, sensitive information like passwords should never be logged. Logs should be protected from unauthorized access and comply with privacy regulations.

Fixed Code Example

import logging

# Configure logging to include timestamps
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

def authenticate_user(username, password):
    # Simulate authentication process
    if username == "admin" and password == "password123":
        return True
    else:
        return False

def process_login(username, password):
    if not authenticate_user(username, password):
        # Fixed: Log detailed information about the failed login attempt
        logging.warning(f"Authentication failed for user: {username}")  # Provides context for security monitoring
        return "Login failed"
    return "Login successful"

# Simulating a login attempt
process_login("admin", "wrongpassword")

Explanation of Fix:

  • The logging statement now includes the username involved in the failed login attempt, providing critical context for security monitoring and forensic analysis.
  • The logging configuration is set up to include timestamps, giving additional context for when the event occurred, which is crucial for tracking and correlation in logs.
  • These changes make the logs more informative and useful for identifying suspicious activities while respecting privacy by avoiding the logging of sensitive information like passwords.
Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-778: Insufficient Logging and get remediation guidance

Start for free and no credit card needed.