CWE-532

Mitigation

Phases: Architecture and Design, Implementation

Description:

• Consider seriously the sensitivity of the information written into log files. Do not write secrets into the log files.

Mitigation

Phase: Distribution

Description:

• Remove debug log files before deploying the application into production.

Mitigation

Phase: Operation

Description:

• Protect log files against unauthorized read/write.

Mitigation

Phase: Implementation

Description:

• Adjust configurations appropriately when software is transitioned from a debug state to production.

CAPEC-215: Fuzzing for application mapping

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.