Java Sensitive Information In Log4j Log
Description
This detector identifies when sensitive information is logged through the Apache Log4j logging framework. It reports cases where tainted (potentially sensitive) data flows into a Log4j logging method, which can expose that information in log files. Logs are routinely shipped to aggregation and monitoring systems, retained for long periods, and readable by people and services that were never granted access to the underlying data, so anything written to them should be treated as disclosed.
Detection Strategy
• The code must import Log4j libraries (either org.apache.logging.log4j.* or both org.apache.logging.log4j.Logger and org.apache.logging.log4j.LogManager)
• A Log4j logging method call must be present in the code (such as logger.info(), logger.debug(), logger.error(), etc.)
• At least one argument passed to the logging method must contain tainted data - data that originates from user input, external sources, or other potentially sensitive sources
• The vulnerability is reported at the location of the logging method call that receives the tainted sensitive data
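To make the four conditions above concrete, here is an added example in Python (my own illustration, not Fluid Attacks' detector, whose implementation is not shown on this page). It checks the Log4j import rule, finds Log4j logging calls on a declared logger, tracks taint from Spring-bound parameters and Servlet request accessors through local assignments within one method, and reports at the logging call. The two Java snippets are constructed inputs for this example, not the page's own code; `mask(...)` and `redact(...)` are hypothetical sanitizer names assumed to clear taint.

```python
"""Simplified re-implementation of the detection strategy above (added illustration,
not Fluid Attacks' detector): regexes over Java source, taint tracked per method body."""
import re
from dataclasses import dataclass

# Rule 1: wildcard import, or both Logger and LogManager, from org.apache.logging.log4j.
LOG4J_IMPORT_RE = re.compile(
    r"^\s*import\s+org\.apache\.logging\.log4j\.(\*|Logger|LogManager)\s*;", re.M)
LOGGER_DECL_RE = re.compile(r"\bLogger\s+(\w+)\s*=\s*LogManager\.getLogger\(")
LOG_CALL_RE = re.compile(r"\b(\w+)\.(trace|debug|info|warn|error|fatal)\((.*)\)\s*;")  # rule 2
# Rule 3, taint sources: Spring-bound parameters and Servlet request accessors.
TAINTED_PARAM_RE = re.compile(
    r"@(?:RequestParam|RequestHeader|RequestBody|PathVariable)(?:\([^)]*\))?\s+"
    r"(?:final\s+)?[\w<>\[\]]+\s+(\w+)")
TAINT_SOURCE_RE = re.compile(r"\.(?:getParameter|getHeader|getQueryString|getCookies)\(")
# Hypothetical sanitizers (assumption): wrapping a value in one of these clears its taint.
SANITIZED_RE = re.compile(r"^(?:mask|redact)\(")
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\],]+\s+)*(\w+)\s*=\s*(.+);\s*$")
METHOD_START_RE = re.compile(r"^\s*(?:public|private|protected)\s+[\w<>\[\]]+\s+\w+\s*\(")

@dataclass
class Finding:
    line: int            # rule 4: reported at the logging call, not at the taint source
    level: str
    tainted_args: tuple  # identifiers in the call that carry taint

def uses_log4j(src):
    names = set(LOG4J_IMPORT_RE.findall(src))
    return "*" in names or {"Logger", "LogManager"} <= names

def _mentions(expr, names):
    return {n for n in names if re.search(r"\b%s\b" % re.escape(n), expr)}

def find_tainted_log_calls(src):
    if not uses_log4j(src):
        return []
    loggers = set(LOGGER_DECL_RE.findall(src))
    findings, tainted = [], set()
    for lineno, line in enumerate(src.splitlines(), 1):
        if METHOD_START_RE.match(line):   # new method: taint starts from its parameters
            tainted = set(TAINTED_PARAM_RE.findall(line))
            continue
        m = ASSIGN_RE.match(line)
        if m:                             # propagate taint through local assignments
            var, rhs = m.groups()
            if SANITIZED_RE.match(rhs):
                tainted.discard(var)
            elif TAINT_SOURCE_RE.search(rhs) or _mentions(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)
            continue
        m = LOG_CALL_RE.search(line)
        if m and m.group(1) in loggers:
            bad = _mentions(m.group(3), tainted)
            if TAINT_SOURCE_RE.search(m.group(3)):   # e.g. LOG.info(request.getParameter("x"))
                bad.add("<request accessor>")
            if bad:
                findings.append(Finding(lineno, m.group(2), tuple(sorted(bad))))
    return findings

# Constructed sample inputs for this example (not the page's own snippets).
VULNERABLE_SRC = """\
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
@RestController
public class PaymentController {
    private static final Logger LOG = LogManager.getLogger(PaymentController.class);
    @PostMapping("/pay")
    public String pay(@RequestParam String cardNumber, HttpServletRequest request) {
        String cvv = request.getParameter("cvv");
        String summary = "card=" + cardNumber + " cvv=" + cvv;
        LOG.info("Processing payment {}", summary);
        LOG.debug("Raw card number: {}", cardNumber);
        return "ok";
    }
}
"""
SECURE_SRC = """\
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.*;
@RestController
public class PaymentController {
    private static final Logger LOG = LogManager.getLogger(PaymentController.class);
    @PostMapping("/pay")
    public String pay(@RequestParam String cardNumber) {
        String last4 = mask(cardNumber);
        LOG.info("Processing payment for card ending in {}", last4);
        return "ok";
    }
}
"""
if __name__ == "__main__":
    for f in find_tainted_log_calls(VULNERABLE_SRC):
        print(f"line {f.line}: LOG.{f.level}() receives tainted {f.tainted_args}")
    print("secure variant findings:", find_tainted_log_calls(SECURE_SRC))
```

Two points worth noting from running it. First, the `{}` parameter placeholders do nothing for confidentiality: Log4j substitutes the value verbatim, so `summary` and `cardNumber` are still reported. Second, the secure variant is clean only because the sanitizer assumption holds, that is, because `mask` genuinely removes the sensitive part before the value reaches the logger; a real taint engine models sanitizers explicitly, and a sanitizer that merely reformats the value would not help.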
Vulnerable code example
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
@RestController
public class PaymentController {
...
✅ Secure code example
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.bind.annotation.*;
import javax.servlet.http.HttpServletRequest;
@RestController
public class PaymentController {
...