Javascript Log4js Sensitive Information In Logs
Description
This detector identifies instances where sensitive information may be logged using the log4js JavaScript logging library. Logging sensitive data like passwords, API keys, or personal information can expose it to unauthorized access through log files, making it a security vulnerability.
Detection Strategy
• When log4js logging methods are called in JavaScript code
• When the logging calls contain parameters or variables that may contain sensitive information
• When expressions passed to log4js loggers match patterns associated with sensitive data exposure
Vulnerable code example
const log4js = require('log4js');
const log4jsLogger = log4js.getLogger();
// VULNERABLE: Sensitive data concatenated in log
const apiKey = "key-value";
log4jsLogger.info("User logged with: " + apiKey);
Secure code example
const log4js = require('log4js');
const log4jsLogger = log4js.getLogger();
// SAFE: Sanitize sensitive data before logging
const apiKey = "key-value";
log4jsLogger.info("User logged with: " + apiKey.replace(/.(?=.{4})/g, '*')); // Mask all but last 4 chars
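The masking rule from the secure example above, generalised as an added example (not code from this page or from the log4js project) to a wrapper that redacts any sensitive-looking key in an object before it reaches a log4js-style logger; `SENSITIVE_KEY`, `safeLogger` and the stand-in `fakeLogger` are constructed here, and log4js itself is not loaded so the block runs offline.

```javascript
// Added example: redact sensitive fields before they reach any logger.
// Key names treated as sensitive (constructed pattern; extend for your app).
const SENSITIVE_KEY = /pass(word)?|secret|token|api[-_]?key|authorization|ssn/i;

// Keep only the last 4 characters visible, as the page's secure example does.
function mask(value) {
  return String(value).replace(/.(?=.{4})/g, '*');
}

// Walk objects and arrays; mask every value whose key matches SENSITIVE_KEY.
function redact(data) {
  if (Array.isArray(data)) return data.map(redact);
  if (data === null || typeof data !== 'object') return data;
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    out[key] = SENSITIVE_KEY.test(key) ? mask(value) : redact(value);
  }
  return out;
}

// Wrap a log4js-like logger so object arguments are redacted at the call site,
// which keeps raw secrets out of every appender downstream.
function safeLogger(logger) {
  const wrap = (level) => (...args) =>
    logger[level](...args.map((a) => (typeof a === 'object' ? redact(a) : a)));
  return { info: wrap('info'), warn: wrap('warn'), error: wrap('error') };
}

// Constructed stand-in for log4js.getLogger(): records what would be written.
const records = [];
const fakeLogger = {
  info: (...a) => records.push(['INFO', ...a]),
  warn: (...a) => records.push(['WARN', ...a]),
  error: (...a) => records.push(['ERROR', ...a]),
};
const logger = safeLogger(fakeLogger);

// Constructed sample: the password and nested apiKey are masked, user is not.
logger.info('login attempt', {
  user: 'alice',
  password: 'hunter2secret',
  session: { apiKey: 'key-value', ttl: 300 },
});
```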