Javascript Bunyan Log Forging
Description
Detects when unsanitized user-controlled input is written into Bunyan log messages in JavaScript applications. Without proper sanitization, attackers can inject newline characters or forged log entries into the log stream, misleading security monitoring systems and hiding malicious activity.
Detection Strategy
• Identifies calls to Bunyan logger methods (info, error, warn, debug, fatal, trace, log)
• Resolves the logger instance back to its definition to confirm it was created via bunyan.createLogger()
• Inspects the arguments passed to the log call for symbols, element accesses, or member accesses that originate from HTTP request data
• Reports a vulnerability when user-controlled input reaches a Bunyan log method without sanitization or validation
Vulnerable code example

  const express = require('express'); // assumed: app is an Express application
  const bunyan = require('bunyan');
  const app = express();
  const log = bunyan.createLogger({ name: 'app' });

  app.get('/action', (req, res) => {
    const action = req.query.action;
    // Vulnerable: unsanitized input allows log forging via newline injection
    log.info('User action: ' + action);
    res.end();
  });

✅ Secure code example
  const express = require('express'); // assumed: app is an Express application
  const bunyan = require('bunyan');
  const app = express();
  const log = bunyan.createLogger({ name: 'app' });

  app.get('/action', (req, res) => {
    // Coerce to a string so a missing or repeated query parameter cannot break the sanitizer
    const action = String(req.query.action ?? '');
    // Safe option 1: strip newline characters before logging
    const safeAction = action.replace(/[\r\n]/g, '');
    log.info('User action: ' + safeAction);
    res.end();
  });
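The following added example (not Fluid Attacks' code and not part of the Bunyan project) makes the forging effect concrete without needing the bunyan package installed: it replaces the logger with an in-memory line-oriented sink, writes one constructed request value through it with and without sanitization, and counts how many log lines result. The sanitizer generalizes the page's "option 1" by stripping every ASCII control character (tab included), not just CR and LF; the sink, the `sanitizeForLog` and `countLogLines` names, and the sample input are all assumptions of this example.

```javascript
// Added example, not the page's or Bunyan's own code.
// The bunyan logger is replaced by an in-memory plain-text sink so that the
// example runs offline; a real Bunyan stream pointed at a file or a
// line-based collector behaves the same way for the purpose shown here.

// Constructed attacker-style input: a query value that embeds CRLF followed by
// text shaped like a second, fabricated log entry.
const CONSTRUCTED_INPUT = 'login\r\nINFO User action: admin-login-ok';

// Sanitizer assumed for this example: removes every ASCII control character
// (CR, LF, tab, NUL, DEL and the rest of the C0 range). This is broader than the
// page's CR/LF-only option and also neutralizes bytes that some log viewers
// render as line breaks or terminal escapes.
function sanitizeForLog(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, '');
}

// Minimal stand-in for a line-oriented log stream.
function makeSink() {
  const chunks = [];
  return {
    write(text) { chunks.push(text); },
    // Split the accumulated output into the lines a log reader would see.
    lines() { return chunks.join('').split('\n').filter((l) => l.length > 0); },
  };
}

// Mirrors the page's handler: one log call per request, optionally sanitized.
function writeAction(sink, action, sanitize) {
  const value = sanitize ? sanitizeForLog(action) : action;
  sink.write('INFO User action: ' + value + '\n');
}

// Returns the number of log lines produced by a single log call for `action`.
// With the constructed input this is 2 unsanitized (one real entry plus one
// forged entry) and 1 sanitized.
function countLogLines(action, sanitize) {
  const sink = makeSink();
  writeAction(sink, action, sanitize);
  return sink.lines().length;
}

// Returns true when any line other than the first looks like a log entry,
// i.e. the input managed to forge an entry of its own.
function hasForgedEntry(action, sanitize) {
  const sink = makeSink();
  writeAction(sink, action, sanitize);
  return sink.lines().slice(1).some((l) => l.startsWith('INFO '));
}

console.log('unsanitized lines:', countLogLines(CONSTRUCTED_INPUT, false)); // 2
console.log('sanitized lines:  ', countLogLines(CONSTRUCTED_INPUT, true));  // 1
```

Note that Bunyan's default stream serializes each record as a single JSON object, which escapes embedded newlines; the forging risk described on this page materializes when records are rendered or forwarded as plain text (for example through a pretty-printing stream or after a collector reformats them), which is why the sanitization belongs at the point where the untrusted value enters the log call.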