Document use of security-logging library #12

Open
robertwatkins opened this issue Jul 9, 2016 · 8 comments
@robertwatkins
Collaborator

Create a document that shows how the security-logging library should be implemented by walking through an implementation on a known insecure web application, Webgoat. This document would cover both the technical aspects of _what_ to do as well as the business aspects of _why_ to do it.

A recommended outline would be:

  • A problem statement that describes common problems related to logging, including a description of the impact of these security issues
  • A description of how the security-logging library solves these problems
  • An introduction to Webgoat, including the problems it has with respect to logging issues
  • Walkthrough implementation of security-logging features that requires no code changes in Webgoat
  • Walkthrough implementation of security-logging features that need code changes in Webgoat
  • Additional tips for keeping the logs themselves safe.
@robertwatkins robertwatkins self-assigned this Jul 9, 2016
@robertwatkins
Collaborator Author

robertwatkins commented Aug 1, 2016

I've set up WebGoat 7.0.1 to run on an existing Tomcat installation. There were some difficulties with permissions that needed to be corrected for the application to run properly.

  • The user database file (UserDatabase.mv.db) was not being written to a location where the service user did not have permissions to write. Reviewing the catalina.out log file showed the expected path and fixing this allowed me to log in.
  • The log files themselves were being written to a different location that didn't exist; creating it and adding permissions for the service user allowed the log files to be created.

There are three log files specified in the log4j.properties file:

  • webgoat_main.log
  • webgoat_perf.log
  • webgoat_error.log

In a short time using the application, I was able to get data in the 'webgoat_main.log' file. The 'perf' log was generated, but no data was written to it and the 'error' log was not written at all. After a review of the 'main' log, I identified the following issues to use as examples of using the security-logging library to remove sensitive information.

High risk

  • Passwords (Code Quality > Discover Clues in the HTML)
  • Full system paths to sensitive files on startup. (look for "DEBUG org.owasp.webgoat.lessons.AbstractLesson - Setting source file of lesson...")

Medium Risk

  • Usernames exposed on each login (though passwords are hidden)
  • A variety of full file paths to content pages (look for "Loading Source File:")
  • Session ID
  • Form field contents (Parameter Tampering > Exploit Hidden Fields)

Low Risk

  • IP addresses (presumably of users, search for "RemoteIpAddress:")
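
As an added illustration (not code from this issue or from the security-logging library), the following script runs the categories listed above as redaction rules over constructed log lines that imitate the markers quoted from webgoat_main.log. The exact line formats, the key names (password=, username=, JSESSIONID=) and the risk ratings are assumptions taken from this comment, not WebGoat's real output.

```python
import re

# Constructed sample lines imitating the markers quoted from webgoat_main.log
# above; the exact line formats and key names are assumptions, not WebGoat's real output.
SAMPLE_LOG = """\
DEBUG org.owasp.webgoat.lessons.AbstractLesson - Setting source file of lesson CodeQuality to /var/lib/tomcat7/webapps/WebGoat/lessons/CodeQuality.java
INFO  org.owasp.webgoat.session.WebSession - Loading Source File: /var/lib/tomcat7/webapps/WebGoat/content/intro.html
INFO  org.owasp.webgoat.session.WebSession - RemoteIpAddress: 192.168.1.23 JSESSIONID=3F2A9C8B71D4E6F0A1B2C3D4E5F60718
DEBUG org.owasp.webgoat.lessons.CodeQuality - parameters: username=guest password=guest
INFO  org.owasp.webgoat.session.WebSession - lesson complete
"""

# One rule per category from the comment: (name, risk, pattern, replacement).
# Replacements keep the field label so the log stays greppable but drop the value.
RULES = [
    ("password",     "high",   re.compile(r"(?i)(password=)\S+"),                          r"\1***"),
    ("lesson-path",  "high",   re.compile(r"(Setting source file of lesson \S+ to )/\S+"), r"\1[path]"),
    ("username",     "medium", re.compile(r"(?i)(username=)\S+"),                          r"\1[user]"),
    ("content-path", "medium", re.compile(r"(Loading Source File: )/\S+"),                 r"\1[path]"),
    ("session-id",   "medium", re.compile(r"(JSESSIONID=)[0-9A-Fa-f]+"),                   r"\1[sid]"),
    ("ip",           "low",    re.compile(r"(RemoteIpAddress: )\d{1,3}(?:\.\d{1,3}){3}"),  r"\1[ip]"),
]


def redact_line(line):
    """Apply every rule to one line; return (redacted_line, [(rule, risk), ...])."""
    findings = []
    for name, risk, pattern, repl in RULES:
        line, count = pattern.subn(repl, line)
        if count:
            findings.append((name, risk))
    return line, findings


def scan_log(text):
    """Redact a whole log and tally how many findings each risk level produced."""
    out, tally = [], {"high": 0, "medium": 0, "low": 0}
    for line in text.splitlines():
        redacted, findings = redact_line(line)
        out.append(redacted)
        for _, risk in findings:
            tally[risk] += 1
    return "\n".join(out), tally


if __name__ == "__main__":
    redacted_log, counts = scan_log(SAMPLE_LOG)
    print(redacted_log)
    print("findings by risk:", counts)
```

The tally gives a quick measure of how much sensitive data a log currently leaks before and after the library's filters are applied.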

@augustd
Owner

augustd commented Aug 1, 2016

Hi @robertwatkins, this is great actually. Can you post a link to your code, or the diffs you made to Webgoat to get logging to work?

@spoofzu
Contributor

spoofzu commented Aug 1, 2016

Interesting work. You should post a sample section of a log file when you get the chance.

@robertwatkins
Collaborator Author

@augustd and @spoofzu Fortunately, there were no code changes to WebGoat, just file permission issues to resolve. I'll post some additional details on getting WebGoat running when I get home.

As for the log file, I had attached it, but it put in a weird link in my comment instead. I'll add it when I get home.

Thanks for the feedback guys :)

@robertwatkins
Collaborator Author

webgoat_main.txt
Here is the log file (GitHub doesn't like attaching a file with a .log extension).

@robertwatkins
Collaborator Author

Here are the symptoms of troubles I was having:

  • After downloading the WAR file and deploying it with the tomcat manager, attempts to log in were met with a stacktrace to the screen saying
    ERROR - Error handling request java.lang.NoClassDefFoundError: Could not initialize class org.owasp.webgoat.session.UserTracker
  • The catalina.out file had a line reading
    org.h2.message.DbException: Log file error: "/var/lib/tomcat7/UserDatabase.trace.db", cause: "java.io.FileNotFoundException: /var/lib/tomcat7/UserDatabase.trace.db (Permission denied)" [90034-190]
  • catalina.out also had a line reading
    og4j:ERROR setFile(null,true) call failed. java.io.FileNotFoundException: /usr/share/tomcat7/logs/webgoat_main.log (No such file or directory)

The error provided to the user had the root cause of the tomcat service user not having write permissions to the expected folder (/var/lib/tomcat7 in this case). To fix this I did something to the effect of 'chmod tomcat7 +w /var/lib/tomcat7'

The missing log file issue was fixed by adding a log folder to /usr/share/tomcat7 and the same kind of permission change.

I won't claim these changes are ideal, though they did get me a functioning system. :)

Thoughts?

@javabeanz
Collaborator

Seems the NoClassDefFoundError is a classloader issue; when Tomcat starts, it loads Tomcat libraries in its own classloader, and the web application is loaded in another classloader, which is isolated from the first.

@robertwatkins
Collaborator Author

OK, it's been a very long time since I've made progress on this. I'm starting up again and hope to have some updates soon. Thanks for your patience :)

@javabeanz javabeanz assigned javabeanz and unassigned robertwatkins Mar 26, 2017