Logging Secrets
Understand the risks of logging sensitive information like passwords and security tokens. Learn techniques such as allowlisting and masking to protect your logs from exposing secrets. Explore common pitfalls including user input errors and why careful logging is crucial for maintaining web application security.
Logging sensitive data
If you develop systems that have to deal with secrets such as passwords, credit card numbers, security tokens or personally identifiable information (PII), you need to be very careful about how you deal with this data within your application, as a simple mistake can lead to a data leak in your infrastructure.
Take a look at this example, where our app fetches user details based on a header.
```javascript
app.get('/users/me', function (req, res) {
  try {
    const user = db.getUserByToken(req.headers.token)
    res.send(user)
  } catch (err) {
    // Logs the whole request object, including req.headers.token
    log("Error in request: ", req)
    res.sendStatus(500)
  }
})
```
This innocuous-looking piece of code is actually dangerous: if an error occurs, the entire request gets logged.
Having the whole request logged is extremely helpful when debugging, but it will also store auth tokens (available in the request's headers) ...
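One way to keep the debugging value of a request log without the leak is to pass the request through an allowlist-and-mask step before logging it. The example below is added here and is not code from the original article; the field and header names, the masking rule and the sample request are constructed for illustration.

```javascript
// Added example: log a request through an allowlist + masking step instead of
// dumping the raw object. Names and the sample request are constructed here.
const SAFE_REQUEST_FIELDS = ['method', 'url', 'headers'];
const SAFE_HEADERS = ['host', 'user-agent', 'content-type'];
const SECRET_HEADERS = ['token', 'authorization', 'cookie'];

function mask(value) {
  // Keep a short prefix so log entries can still be correlated while debugging.
  const s = String(value);
  return s.length <= 4 ? '****' : s.slice(0, 4) + '*'.repeat(s.length - 4);
}

function sanitizeRequest(req) {
  const out = {};
  for (const key of SAFE_REQUEST_FIELDS) {
    if (key === 'headers') {
      out.headers = {};
      for (const [name, value] of Object.entries(req.headers || {})) {
        const lower = name.toLowerCase();
        if (SECRET_HEADERS.includes(lower)) out.headers[lower] = mask(value);
        else if (SAFE_HEADERS.includes(lower)) out.headers[lower] = value;
        // Anything else is dropped: headers not on the allowlist never reach the log.
      }
    } else if (req[key] !== undefined) {
      out[key] = req[key];
    }
  }
  // Note that body, query, cookies etc. are never copied, only the allowlisted fields.
  return out;
}

function safeLogLine(req) {
  return 'Error in request: ' + JSON.stringify(sanitizeRequest(req));
}

// Constructed sample request, shaped like an Express req object.
const sampleReq = {
  method: 'GET',
  url: '/users/me',
  headers: { host: 'example.test', token: 'tok_1234567890abcdef', 'x-debug': 'on' },
  body: { password: 'hunter2' },
};

console.log(safeLogLine(sampleReq));
```

Replacing `log("Error in request: ", req)` with `log(safeLogLine(req))` in the handler above keeps method, path and benign headers in the log while the token is reduced to a masked prefix.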