How can we set file size limitations from the client, as well as ensure that the frequency with which the client uploads the log file is throttled, such that it cannot denial-of-service the WL analytics server?
We did a security check for our application and got the following result:
Log Injection occurs when an attacker is able to inject malicious code as part of a log entry with the intent of executing it when observed in a log viewer. All data sent to application log files will need to be maintained in order to display all events that have occurred in the system. These log files may then be viewed by end users through multiple means from a terminal to a full featured web application. If potentially malicious characters or control characters are not sanitized prior to being displayed in one of these viewers they can impact the end user viewing the logs.
Instance(s):
- "https://company.com/Applicaion-Name/apps/services/loguploader"
Steps to Reproduce:
- Proxy the application through an HTTP proxy like Burp.
- Sign into the application
- The application will send a request to /loguploader.
Notice the zipped contents are from the file /var/mobile/Applications//Documents/wl.analytics.log
NOTE: To test if the application is truly vulnerable to this, the wl.analytics.log file should be modified and increased in size locally, and then examined on the server after the loguploader service is called to see whether the modified file was accepted.
We have gone through the following URL:
Below are a couple of pieces of information from the above link.
The wl.analytics.queues parameter determines the maximum number of queues that the Worklight Server holds in memory. If all of the queues fill up before they post to the Analytics Platform, the Worklight Server drops data that is received from the client until a queue empties.

The wl.analytics.queue.size parameter is the number of individual elements that each queue can hold. Adjustment of these parameters affects

The number of individual analytics events that the server holds at one time is wl.analytics.queues * wl.analytics.queue.size. Take this fact into consideration when you define these two parameters. If you set them too low, large amounts of analytics data can be dropped if the server is unusually busy. If you set them too high, too much memory can be used on the Worklight Server.
From the above details it seems that if we set the values correctly then a high value file upload will be dropped due to overflow.
But I am not sure what the correct values need to be set to in order to address the security concern. And will this resolve it?
WL Server version 6.2.0.1
Liberty version 8.5.5.1
I have replied to the PMR you've opened but you did not reply back.
Copy of my answer:
Logger usage is documented in the following user documentation topic: http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.dev.doc/devref/c_client-side_log_capture.html
Additional API documentation and examples are available in another user documentation topic: http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.apiref.doc/html/refjavascript-client/html/WL.Logger.html?cp=SSZH4A_6.2.0%2F10-0-0-1-19
To disable automatic log sending you need to set the "setAutoSendLogs" option to false; you will then be required to use the WL.Logger.send API in order to send the logs. To limit the file size of the sent logs, update the value given to "maxFileSize" (by default 100 KB), so that the data sent to the server will also be smaller in size.
Review the documentation to experiment with the available options that will fit your needs.
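As an added example, not code from this thread or from IBM's Worklight documentation: a wrapper that rate-limits and size-checks calls to a log sender such as WL.Logger.send once automatic sending is disabled. The names createThrottledLogSender, minIntervalMs and maxBytes are my own; sendFn and clock are injected so the logic runs outside Worklight.

```javascript
// Added example (not from the original thread or IBM's docs). Wraps a log
// sender such as WL.Logger.send so uploads happen at most once per interval
// and only when the pending payload is within a byte budget. The function and
// option names are assumptions; sendFn and clock are injected for testing.
function createThrottledLogSender(sendFn, options) {
  var minIntervalMs = options.minIntervalMs;   // minimum spacing between uploads
  var maxBytes = options.maxBytes;             // refuse payloads above this size
  var clock = options.clock || function () { return Date.now(); };
  var lastSentAt = -Infinity;
  var dropped = 0;

  // UTF-8 byte length: encodeURIComponent emits one %XX group per byte and
  // leaves unreserved ASCII as single characters, so this count is exact.
  function byteLength(str) {
    return encodeURIComponent(str).replace(/%[0-9A-F]{2}/g, '_').length;
  }

  return {
    // Returns 'sent', 'throttled' or 'too-large'. Policy rejections are
    // counted rather than thrown, so callers cannot force retries into a loop.
    send: function (payload) {
      var now = clock();
      if (byteLength(payload) > maxBytes) { dropped += 1; return 'too-large'; }
      if (now - lastSentAt < minIntervalMs) { dropped += 1; return 'throttled'; }
      lastSentAt = now;
      sendFn(payload);
      return 'sent';
    },
    droppedCount: function () { return dropped; }
  };
}

// Constructed usage: at most one upload per minute, payloads capped at 100 KB.
var throttledSend = createThrottledLogSender(
  function (payload) { /* e.g. WL.Logger.send() after the file is written */ },
  { minIntervalMs: 60 * 1000, maxBytes: 100 * 1024 }
);
```

Client-side limits only reduce load from well-behaved clients; a tampered client can bypass them, so the server-side queue limits and any request size limit in front of /loguploader remain the actual control.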