sivasamyk / logtrail

Kibana plugin to view, search & live tail log events
MIT License

XSS Vulnerability #241

Open DavidWittman opened 6 years ago

DavidWittman commented 6 years ago

Logtrail does not escape HTML characters, so it's possible for a malicious user to execute Cross-Site Scripting attacks by having script tags output in the logs in some way. Specifically, this is troublesome when collecting HTTP access logs because a user can access any arbitrary URL (e.g. http://example.com/<script>alert('xss')</script>) and that can potentially be executed in the Logtrail user's browser.

sivasamyk commented 6 years ago

@DavidWittman Thanks for reporting. Can you give a specific example with respect to logtrail? Do you mean the URL params that logtrail parses?

DavidWittman commented 6 years ago

@sivasamyk No, any logged message which is displayed in Logtrail which has <script> tags is executed as Javascript.

sivasamyk commented 6 years ago

@DavidWittman I added a log message like the one below and verified in Logtrail. It displayed the message without any alert window.

curl -XPUT 'localhost:9200/filebeat-6.2.2-2018.02.28/doc/EW1g32EBS7Cbs7NqQP54?pretty&pretty' -H 'Content-Type: application/json' -d'
{
  "@timestamp": "2018-02-27T20:46:22.382Z",
  "source": "/var/log/auth.log",
  "offset": 967,
  "message": "<script>alert('Hellooooooooo')</script>",
  "prospector": {
    "type": "log"
  },
  "beat": {
    "name": "mybuntu",
    "hostname": "mybuntu",
    "version": "6.2.2"
  }
}
'

Can you give specific example message, that I can verify locally?

DavidWittman commented 6 years ago

Here's the exact document (with redactions) which triggered it for me:

{
  "_index": "logstash-2018.03.03",
  "_type": "flb_type",
  "_id": "AWHuN8XbFdO03paEPtp1",
  "_version": 1,
  "found": true,
  "_source": {
    "@timestamp": "2018-03-03T23:34:43.88Z",
    "PRIORITY": "6",
    "CONTAINER_ID": "e808ca24b11d",
    "CONTAINER_ID_FULL": "e808ca24b11d1fbe6d6e8e87efe6118ea5c9eb0a620cdd1782fc90bad9379b06",
    "CONTAINER_NAME": "foo",
    "CONTAINER_TAG": "e808ca24b11d",
    "_TRANSPORT": "journal",
    "_PID": "1042",
    "_UID": "0",
    "_GID": "0",
    "_COMM": "dockerd",
    "_EXE": "/usr/bin/dockerd",
    "_CMDLINE": "/usr/bin/dockerd",
    "_CAP_EFFECTIVE": "1fffffffff",
    "_SYSTEMD_CGROUP": "/system.slice/docker.service",
    "_SYSTEMD_UNIT": "docker.service",
    "_SYSTEMD_SLICE": "system.slice",
    "_SELINUX_CONTEXT": "system_u:system_r:container_runtime_t:s0",
    "_BOOT_ID": "bfb1d617a36046788e65e033477b066f",
    "_MACHINE_ID": "foo",
    "_HOSTNAME": "foo.example.net",
    "MESSAGE": "127.0.0.1 - - [03/Mar/2018:23:34:43 +0000] \"GET /citrix/nfuse/default/login.asp?NFuse_LogoutId=&NFuse_MessageType=Error&NFuse_Message=<SCRIPT>alert('XSS')</SCRIPT>&ClientDetection=ON HTTP/1.1\" 404 228 \"-\" \"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\"",
    "_SOURCE_REALTIME_TIMESTAMP": "1520120083088624",
    "instance_id": "i-deadbeefdba4cafe6",
    "local_ipv4": "127.0.0.1",
    "environment": "dev"
  }
}

DavidWittman commented 6 years ago

I'm on logtrail-5.5.2-0.1.20 if that helps with your testing.

sivasamyk commented 6 years ago

@DavidWittman There were changes related to message formatting in newer releases. Can you upgrade and check if the issue is still reproducible?

timfeirg commented 6 years ago

I'm also seeing this on 6.2.4.

wolframhaussig commented 5 years ago

I would like to see that fixed too, not only because it fixes XSS but because our logs are currently broken: we are logging requests and responses of web services too and wanted to use Logtrail to see the history.

This is what I correctly see in Kibana Discover: [screenshot: discover]

This is what Logtrail generates as HTML: [screenshot: logtrail_html]

Because the characters are not escaped, I cannot see the XML in Logtrail.

PS: We use Kibana 6.5.4 and Logtrail 0.1.30
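Both symptoms in this thread (the access-log line with a script payload executing, and the logged XML disappearing from the viewer) come from the same defect: field values are inserted into the page as markup rather than as text. The following is an added example, not Logtrail's own code, written to show that defect next to its fix. It assumes a Handlebars-style message_format where triple braces insert raw HTML and double braces HTML-escape the value (that is how the posted config's `{{{log.message}}}` would read under that convention; the assumption is not verified against Logtrail's source). The events, the template renderer and the `visibleText` approximation of what a browser displays are all constructed for the example.

```javascript
// Added example (not Logtrail's code): why an unescaped log message rendered
// into HTML is an XSS sink, and why the same bug makes XML payloads vanish.
// Assumption: message_format follows Handlebars semantics, where {{{field}}}
// inserts raw HTML and {{field}} inserts an HTML-escaped value.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the message is concatenated straight into markup (what an
// innerHTML-style sink ends up parsing).
function renderUnsafe(event) {
  return `<span class="log-msg">${event.message}</span>`;
}

// Hardened: the message becomes inert text; markup in it is displayed, not parsed.
function renderSafe(event) {
  return `<span class="log-msg">${escapeHtml(event.message)}</span>`;
}

// Resolve a dotted path such as "log.message" against an event object.
function lookup(obj, path) {
  return path.split('.').reduce((o, key) => (o == null ? undefined : o[key]), obj);
}

function asString(v) {
  return v === undefined || v === null ? '' : String(v);
}

// Minimal Handlebars-style renderer: triple braces raw, double braces escaped.
// Triple braces are handled first; otherwise the double-brace rule would match
// the inner part of a triple-brace placeholder and leave stray braces behind.
function renderTemplate(template, fields) {
  return template
    .replace(/\{\{\{\s*([\w.]+)\s*\}\}\}/g, (_, k) => asString(lookup(fields, k)))
    .replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, k) => escapeHtml(asString(lookup(fields, k))));
}

// Approximate what a browser shows as text: drop tags, then decode entities.
function visibleText(html) {
  return html
    .replace(/<[^>]*>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Constructed sample events, modelled on the thread (not captured from a live system).
const xssEvent = {
  message: '127.0.0.1 - - [03/Mar/2018:23:34:43 +0000] "GET /login.asp?msg=<SCRIPT>alert(\'XSS\')</SCRIPT> HTTP/1.1" 404 228',
};
const xmlEvent = {
  message: '<request><user>bob</user></request>',
};
const templatedEvent = {
  log: { level: 'ERROR', message: '<img src=x onerror=alert(1)>' },
};

// Run every case and return the results so they can be inspected or asserted on.
function demo() {
  return {
    unsafeHtml: renderUnsafe(xssEvent),
    safeHtml: renderSafe(xssEvent),
    xmlShownUnsafe: visibleText(renderUnsafe(xmlEvent)),   // only "bob" survives
    xmlShownSafe: visibleText(renderSafe(xmlEvent)),       // full XML is readable
    rawTemplate: renderTemplate('{{{log.level}}} {{{log.message}}}', templatedEvent),
    escapedTemplate: renderTemplate('{{log.level}} {{log.message}}', templatedEvent),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two practical caveats. First, HTML assigned through innerHTML does not execute `<script>` elements, but it does execute event-handler attributes such as `onerror` on an `<img>`, so the fix is output escaping regardless of which payload a given test message happens to use. Second, if message_format really is Handlebars-style, the triple braces in the config above are themselves a request for raw insertion, and the double-brace form is the one to use for free-text fields once the plugin escapes correctly.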

sivasamyk commented 5 years ago

@wolframhaussig I will try to fix this issue this weekend. Can you also please share your logtrail.json config?

wolframhaussig commented 5 years ago

Wow, that was fast :-)

Here is the relevant logtrail config (I removed the blocks which are not relevant):

{
  "version": 2,
  "index_patterns": [
    {
      "es": {
        "default_index": "unifiedlog-otc-*"
      },
      "tail_interval_in_seconds": 10,
      "es_index_time_offset_in_seconds": 0,
      "display_timezone": "local",
      "display_timestamp_format": "MMM DD HH:mm:ss",
      "max_buckets": 500,
      "default_time_range_in_days": 0,
      "max_hosts": 100,
      "max_events_to_keep_in_viewer": 5000,
      "default_search": "",
      "fields": {
        "mapping": {
          "timestamp": "@timestamp",
          "hostname": "log.source.address",
          "program": "application",
          "message": "log.message"
        },
        "message_format": "{{{log.level}}} {{{log.message}}} {{{log.payload.request}}}",
        "keyword_suffix": "keyword"
      },
      "color_mapping": {
        "field": "log.level",
        "mapping": {
          "ERROR": "#FF0000",
          "WARN": "#FFEF96",
          "DEBUG": "#B5E7A0",
          "TRACE": "#CFE0E8",
          "PERFORMANCE": "#B5E7A0"
        }
      }
    }
  ]
}

wolframhaussig commented 4 years ago

@sivasamyk Any progress here?