Open DavidWittman opened 6 years ago
@DavidWittman Thanks for reporting. Can you give a specific example wrt logtrail? You mean the URL params that logtrail parses?
@sivasamyk No, any logged message which is displayed in Logtrail and which has <script> tags is executed as JavaScript.
@DavidWittman I added a log message like the one below and verified it in Logtrail. It displayed the message without any alert window.
curl -XPUT 'localhost:9200/filebeat-6.2.2-2018.02.28/doc/EW1g32EBS7Cbs7NqQP54?pretty&pretty' -H 'Content-Type: application/json' -d'
{
"@timestamp": "2018-02-27T20:46:22.382Z",
"source": "/var/log/auth.log",
"offset": 967,
"message": "<script>alert('Hellooooooooo')</script>",
"prospector": {
"type": "log"
},
"beat": {
"name": "mybuntu",
"hostname": "mybuntu",
"version": "6.2.2"
}
}
'
Can you give a specific example message that I can verify locally?
Here's the exact document (with redactions) which triggered it for me:
{
"_index": "logstash-2018.03.03",
"_type": "flb_type",
"_id": "AWHuN8XbFdO03paEPtp1",
"_version": 1,
"found": true,
"_source": {
"@timestamp": "2018-03-03T23:34:43.88Z",
"PRIORITY": "6",
"CONTAINER_ID": "e808ca24b11d",
"CONTAINER_ID_FULL": "e808ca24b11d1fbe6d6e8e87efe6118ea5c9eb0a620cdd1782fc90bad9379b06",
"CONTAINER_NAME": "foo",
"CONTAINER_TAG": "e808ca24b11d",
"_TRANSPORT": "journal",
"_PID": "1042",
"_UID": "0",
"_GID": "0",
"_COMM": "dockerd",
"_EXE": "/usr/bin/dockerd",
"_CMDLINE": "/usr/bin/dockerd",
"_CAP_EFFECTIVE": "1fffffffff",
"_SYSTEMD_CGROUP": "/system.slice/docker.service",
"_SYSTEMD_UNIT": "docker.service",
"_SYSTEMD_SLICE": "system.slice",
"_SELINUX_CONTEXT": "system_u:system_r:container_runtime_t:s0",
"_BOOT_ID": "bfb1d617a36046788e65e033477b066f",
"_MACHINE_ID": "foo",
"_HOSTNAME": "foo.example.net",
"MESSAGE": "127.0.0.1 - - [03/Mar/2018:23:34:43 +0000] \"GET /citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert('XSS')</SCRIPT>&ClientDetection=ON HTTP/1.1\" 404 228 \"-\" \"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\"",
"_SOURCE_REALTIME_TIMESTAMP": "1520120083088624",
"instance_id": "i-deadbeefdba4cafe6",
"local_ipv4": "127.0.0.1",
"environment": "dev"
}
}
I'm on logtrail-5.5.2-0.1.20 if that helps with your testing.
@DavidWittman There were changes related to message formatting in newer releases. Can you upgrade and check whether the issue is still reproducible?
I'm also seeing this on 6.2.4.
I would like to see this fixed too, not only because it fixes the XSS but because our logs are currently broken: we are logging requests and responses of web services as well and wanted to use Logtrail to see the history.
This is what I correctly see in Kibana Discover:
This is what Logtrail generates as HTML:
Because the characters are not escaped, I cannot see the XML in Logtrail.
PS: We use Kibana 6.5.4 and Logtrail 0.1.30
@wolframhaussig I will try to fix this issue this weekend. Can you also please share your logtrail.json config?
Wow, that was fast :-)
Here is the relevant logtrail config (I removed the blocks which are not relevant):
{
"version" : 2,
"index_patterns" : [
{
"es": {
"default_index": "unifiedlog-otc-*"
},
"tail_interval_in_seconds": 10,
"es_index_time_offset_in_seconds": 0,
"display_timezone": "local",
"display_timestamp_format": "MMM DD HH:mm:ss",
"max_buckets": 500,
"default_time_range_in_days" : 0,
"max_hosts": 100,
"max_events_to_keep_in_viewer": 5000,
"default_search": "",
"fields" : {
"mapping" : {
"timestamp" : "@timestamp",
"hostname" : "log.source.address",
"program": "application",
"message": "log.message"
},
"message_format": "{{{log.level}}} {{{log.message}}} {{{log.payload.request}}}",
"keyword_suffix" : "keyword"
},
"color_mapping": {
"field": "log.level",
"mapping": {
"ERROR": "#FF0000",
"WARN": "#FFEF96",
"DEBUG": "#B5E7A0",
"TRACE": "#CFE0E8",
"PERFORMANCE": "#B5E7A0"
}
}
}
]
}
@sivasamyk Any progress here?
Logtrail does not escape HTML characters, so it's possible for a malicious user to execute Cross-Site Scripting attacks by having script tags output in the logs in some way. Specifically, this is troublesome when collecting HTTP access logs because a user can access any arbitrary URL (e.g. http://example.com/<script>alert('xss')</script>) and that can potentially be executed in the Logtrail user's browser.