Javascript Winston Sensitive Information In Logs
Description
This detector identifies places where a JavaScript application using the Winston logging library writes sensitive information to its logs. Logging secrets such as passwords, tokens, API keys, or personal data in plaintext creates risk: log files and log aggregators are usually readable by far more people and systems than the original data store, they are retained and backed up for long periods, and recording such data can violate compliance requirements.
Detection Strategy
• Scans JavaScript code for Winston logger usage and configuration patterns
• Identifies Winston method calls that may capture or log sensitive data fields
• Flags Winston configurations that lack proper filtering or sanitization of sensitive information
• Reports vulnerabilities when Winston loggers are configured to log objects or data that could contain passwords, tokens, API keys, or other sensitive information without adequate protection
Vulnerable code example
const winston = require('winston');
const logger = winston.createLogger({
  transports: [new winston.transports.Console()]
});
const password = "secret123";
logger.info("User password: " + password); // Logs sensitive data in plaintext
✅ Secure code example
const winston = require('winston');
const logger = winston.createLogger({
  transports: [new winston.transports.Console()]
});
const password = "secret123";
logger.info("User authentication successful"); // Mask sensitive data - log events not values