Java Unsafe Logger Injection
Description
This detector identifies unsafe logger injection in Java code where user-controlled input (request parameters, headers, form fields) reaches a logging method without sanitization. Because java.util.logging writes the message text as it is received, a value that contains carriage-return or line-feed characters can terminate the current record and start a forged one. This enables log forgery, disclosure of attacker-chosen content to anyone who reads the logs, and downstream problems when other systems (SIEM pipelines, parsers, dashboards) process the entries.
Detection Strategy
• The code must import Java logging libraries (java.util.logging.Logger or java.util.logging.*)
• A logging method call must be identified (such as info, warn, error, debug, trace, or similar logging methods)
• The method call must be invoked on a Logger object
• The first argument to the logging method must contain user-controlled input or data that can be influenced by external sources
• All conditions must be met simultaneously; if the logging library import is missing or the first argument does not carry user-influenced data, no finding is reported
Vulnerable code example

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;

public class LogInjectionExample {
    private static final Logger LOGGER = Logger.getLogger(LogInjectionExample.class.getName());

    public void unsafeLogging(HttpServletRequest request) {
        String userInput = request.getParameter("username");
        // The page's listing is truncated at this point; the remainder is reconstructed
        // from the description above: the request parameter reaches the logger unchanged,
        // so any CR/LF it contains becomes a line break inside the log file.
        LOGGER.info("Login attempt for user: " + userInput);
    }
}
```

✅ Secure code example
```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;

public class LogInjectionExample {
    private static final Logger LOGGER = Logger.getLogger(LogInjectionExample.class.getName());

    // Method renamed from the page's copy ("unsafeLogging") to match its intent.
    public void safeLogging(HttpServletRequest request) {
        String userInput = request.getParameter("username");
        // The page's listing is truncated at this point; the remainder is reconstructed:
        // strip CR/LF before logging so a crafted value cannot start a new log record.
        String sanitized = userInput == null ? "" : userInput.replaceAll("[\\r\\n]", "_");
        LOGGER.info("Login attempt for user: " + sanitized);
    }
}
```